Commit message

- versions.
  OpenSSL 3.2 from Debian sid spews
      Warning: Reading certificate from stdin since no -in or -new option is given
  without an explicit `-in /dev/stdin`.
- Domain names are case insensitive so it shouldn't matter, but Let's
  Encrypt (staging) ACME server fails with
          400 Bad Request (Invalid identifiers requested :: Cannot issue for "YXJCTT7S6K2RQLVO.lacme-test.guilhem.org": Domain name contains an invalid character)
  if the sub-domain part of the subjectName is left all-caps.
- See https://lists.debian.org/msgid-search/87tty79lwo.fsf@43-1.org .
- internal client.
  So it doesn't have to parse the INI file again.  Also, while lacme.conf
  is world-readable by default, one might restrict permissions and add
  private information in there, not realizing that everything, including
  comments, will be readable by the client.
- restrictions.
  Also, always spawn the client with umask 0022 so a starting lacme(8)
  with a restrictive umask doesn't impede serving challenge response
  files.
- Otherwise we end up with files with mode 0644 owned by root:root, and
  subsequent lacme(8) invocations will likely not renew them for a while.
  This change also saves a chown(2) call.  And the new logic (chown resp.
  chmod from root:root resp. 0600) is safe if we ever include private key
  material in there too.
- Due to unknown user/group name.
- And doesn't retain root privileges.
- “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2.
  “The JWS Protected Header MUST include the following fields:
    - "alg"
    - "nonce"
    - "url"
    - either "jwk" or "kid"”
  — RFC 8555 sec. 6.2.
- Again…
- The staging environment wasn't set properly for the Debian packages.
- This saves a round trip and provides a safeguard against malicious
  clients.
- Prefixed with a timestamp.
- It's an internal flag, but can be useful for authorized_keys(5)
  restrictions.
- lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
  ‘config-certs’/‘challenge-directory’ configuration options *before*
  privilege drop; and for the [accountd] section ‘command’/‘config’
  configuration options *after* privilege drop).
  lacme-accountd(1): for --config=, --socket= and --privkey= (and
  ‘socket’/‘privkey’ configuration options).
  This also changes the default configuration file location.  lacme(8) and
  lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
  /etc/lacme/lacme-accountd.conf when running as root, and
  $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
  when running as a normal user.  There is no fallback to /etc anymore.
- ../../lacme/apache2.conf.
  This is useful for enabling the snippet with `a2enconf lacme`, cf.
  https://bugs.debian.org/955859 .
- And add a test case for this.
- These tests are not interactive!
- https://letsencrypt.org/docs/staging-environment/