path: root/tests
Commit message | Author | Age | Files

* lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions. | Guilhem Moulin | 2021-02-24 | 1
  Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
* lacme: Don't write certificate(-chain) file on chown/chmod failure. | Guilhem Moulin | 2021-02-24 | 1
  Otherwise we end up with files with mode 0644 owned by root:root, and subsequent lacme(8) invocations will likely not renew them for a while. This change also saves a chown(2) call. And the new logic (chown resp. chmod from root:root resp. 0600) is safe if we ever include private key material in there too.
* tests/cert-install: Include tests for failing chown(2). | Guilhem Moulin | 2021-02-24 | 1
  Due to unknown user/group name.
* tab damage | Guilhem Moulin | 2021-02-24 | 1
* typofix | Guilhem Moulin | 2021-02-24 | 1
* tests/drop-privileges: Ensure failure to drop privileges yields an error. | Guilhem Moulin | 2021-02-24 | 1
  And doesn't retain root privileges.
* Consolidate error messages. | Guilhem Moulin | 2021-02-23 | 1
* lacme-accountd: Refuse to sign JWS with an invalid Protected Header. | Guilhem Moulin | 2021-02-22 | 1
  “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
  “The JWS Protected Header MUST include the following fields: - "alg" - "nonce" - "url" - either "jwk" or "kid"” — RFC 8555 sec. 6.2.
* lacme-account: Improve log messages. | Guilhem Moulin | 2021-02-22 | 3
  Again…
* tests: Check presence of extra greeting data. | Guilhem Moulin | 2021-02-22 | 1
* Fix `./test --deb`. | Guilhem Moulin | 2021-02-22 | 2
  The staging environment wasn't set properly for the Debian packages.
* lacme-accountd(1): new setting 'keyid'. | Guilhem Moulin | 2021-02-22 | 1
  This saves a round trip and provides a safeguard against malicious clients.
* accountd: Improve log message for incoming requests. | Guilhem Moulin | 2021-02-21 | 2
* Add IPC tests with an old lacme(8) resp. lacme-accountd(1). | Guilhem Moulin | 2021-02-21 | 2
* wording | Guilhem Moulin | 2021-02-21 | 2
* lacme-accountd: new setting 'logfile' to log signature requests. | Guilhem Moulin | 2021-02-21 | 3
  Prefixed with a timestamp.
* Document `lacme-accountd --stdio`. | Guilhem Moulin | 2021-02-20 | 1
  It's an internal flag, but can be useful for authorized_keys(5) restrictions.
* Add %-specifiers support. | Guilhem Moulin | 2021-02-20 | 2
  lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop).
  lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options).
  This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore.
* Symlink $(sysconfdir)/apache2/conf-available/lacme.conf → ../../lacme/apache2.conf. | Guilhem Moulin | 2021-02-20 | 1
  This is useful for enabling the snippet with `a2enconf lacme`, cf. https://bugs.debian.org/955859 .
* Document spawning a remote lacme-accountd(1) instance. | Guilhem Moulin | 2021-02-20 | 1
  And add a test case for this.
* Add tests for OpenSSL- and GnuPG-encrypted account keys. | Guilhem Moulin | 2021-02-20 | 2
  These tests are not interactive!
* Add test suite against Let's Encrypt's staging environment. | Guilhem Moulin | 2021-02-20 | 13
  https://letsencrypt.org/docs/staging-environment/