From 7f674213fb08129bd379d2f87e401a42899a60b8 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 30 Jun 2017 09:26:41 +0200 Subject: wibble --- config/apache2.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/apache2.conf b/config/apache2.conf index 20927fa..471791c 100644 --- a/config/apache2.conf +++ b/config/apache2.conf @@ -5,7 +5,7 @@ # non-ssl one) of each virtual host requiring authorization. - ProxyPass unix:///var/run/lacme.socket|http://127.0.0.1/.well-known/acme-challenge/ + ProxyPass unix:///var/run/lacme.socket|http://localhost/.well-known/acme-challenge/ Order allow,deny Allow from all -- cgit v1.2.3 From 7a4e51344423ee3309c258087a69dac29bf30b51 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 1 Jul 2017 19:36:46 +0200 Subject: Ensure fdopen is called with an integer. --- Changelog | 3 +++ client | 4 ++-- lacme-accountd | 2 +- webserver | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Changelog b/Changelog index 0674c4a..27e1dfd 100644 --- a/Changelog +++ b/Changelog @@ -30,6 +30,9 @@ lacme (0.3) upstream; --version. - client: remove potential race when creating ACME challenge response files. + - When using open with mode "<&=" or ">&=", ensure the expression + (fileno) is interpreted as an integer. (This failed in Perl v5.14.2 + from Debian Jessie.) -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 diff --git a/client b/client index 333ae3b..f0778d5 100755 --- a/client +++ b/client @@ -62,9 +62,9 @@ my $COMMAND = shift @ARGV // die; # Untaint and fdopen(3) the configuration file and listening socket (shift @ARGV // die) =~ /\A(\d+)\z/ or die; -open my $CONFFILE, '<&=', $1 or die "fdopen $1: $!"; +open (my $CONFFILE, '<&=', $1+0) or die "fdopen $1: $!"; (shift @ARGV // die) =~ /\A(\d+)\z/ or die; -open my $S, '+<&=', $1 or die "fdopen $1: $!"; +open (my $S, '+<&=', $1+0) or die "fdopen $1: $!"; ############################################################################# 
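Review bot: The `$1+0` now passed to both `open` calls depends on the untaint regex `/\A(\d+)\z/` on the line above each yielding an ASCII number, but `\d` is not restricted to ASCII digits; for the plain byte strings @ARGV normally holds this cannot currently match anything else, yet as soon as @ARGV is decoded (e.g. via `-CA`) a string of non-ASCII Unicode digits would pass the check and `$1+0` would evaluate to 0 (with only a warning), dup'ing fd 0 instead of the intended descriptor. Pinning the pattern with `/\A(\d+)\z/a` (available since 5.14, which a later commit in this series declares as the minimum) makes the intent explicit at no cost. Both statements are top-level script code rather than part of a sub, so `$CONFFILE` and `$S` are file-scoped.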
diff --git a/lacme-accountd b/lacme-accountd index 547af59..f0d7d51 100755 --- a/lacme-accountd +++ b/lacme-accountd @@ -140,7 +140,7 @@ $JWK = JSON::->new->encode($JWK); if (defined $OPTS{'conn-fd'}) { die "Invalid file descriptor" unless $OPTS{'conn-fd'} =~ /\A(\d+)\z/; # untaint and fdopen(3) our end of the socket pair - open $S, '+<&=', $1 or die "fdopen $1: $!"; + open ($S, '+<&=', $1+0) or die "fdopen $1: $!"; } else { my $sockname = $OPTS{socket} // (defined $ENV{XDG_RUNTIME_DIR} ? "$ENV{XDG_RUNTIME_DIR}/S.lacme" : undef); die "Missing socket option\n" unless defined $sockname; diff --git a/webserver b/webserver index 90be70c..dad3d9d 100755 --- a/webserver +++ b/webserver @@ -43,7 +43,7 @@ use Socket qw/AF_UNIX AF_INET AF_INET6/; # Untaint and fdopen(3) the listening socket (shift @ARGV // die) =~ /\A(\d+)\z/ or die; -open my $S, '+<&=', $1 or die "fdopen $1: $!"; +open (my $S, '+<&=', $1+0) or die "fdopen $1: $!"; my $ROOT = '/.well-known/acme-challenge'; close STDIN or die "close: $!"; -- cgit v1.2.3 From 09d4e6f58254cc18803e9746b84e521924c55aee Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 1 Jul 2017 19:59:23 +0200 Subject: Avoid hash slices. That's mostly what prevents us from supporting Perl older than 5.20. --- lacme | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lacme b/lacme index 1065e67..478f2e4 100755 --- a/lacme +++ b/lacme @@ -532,7 +532,7 @@ sub acme_client($@) { # child doesn't have access to the parent's memory my @fileno = map { fileno($_) =~ /^(\d+)$/ ? $1 : die } ($CONFFILE, $client); # untaint fileno set_FD_CLOEXEC($client, 1); - my $rv = spawn({%$args{qw/in out/}, child => sub() { + my $rv = spawn({in => $args->{in}, out => $args->{out}, child => sub() { drop_privileges($conf->{user}, $conf->{group}, $args->{chdir} // '/'); set_FD_CLOEXEC($_, 0) foreach ($CONFFILE, $client); seek($CONFFILE, SEEK_SET, 0) or die "Can't seek: $!"; 
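Review bot: `open ($S, '+<&=', $1+0)` now reliably fdopens the descriptor named by `--conn-fd`, but nothing verifies that the descriptor is actually the socket-pair end the caller promised; `'+<&='` succeeds on any open fd (a regular file or a tty, for instance) and the mismatch would only surface later, wherever `$S` is first used as a socket. Since `--conn-fd` comes from the command line, a cheap check right after the open is `die "Invalid file descriptor: fd $1 is not a socket\n" unless -S $S;`. The surrounding if/else and the code that later uses `$S` lie outside the hunk, so I cannot tell whether an equivalent check already exists elsewhere.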
@@ -723,7 +723,7 @@ elsif ($COMMAND eq 'new-cert') { } # generate the CSR - my $csr = gen_csr(%$conf{qw/certificate-key subject subjectAltName keyUsage hash/}) // do { + my $csr = gen_csr(map {$_ => $conf->{$_}} qw/certificate-key subject subjectAltName keyUsage hash/) // do { print STDERR "[$s] Warning: Couldn't generate CSR, skipping\n"; $rv = 1; next; -- cgit v1.2.3 From abb09fac8787c3444f45cf8cc06386dd75719a01 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 1 Jul 2017 19:55:55 +0200 Subject: Specify minimum required Perl versions. --- Changelog | 3 +++ client | 1 + lacme | 1 + lacme-accountd | 1 + webserver | 1 + 5 files changed, 7 insertions(+) diff --git a/Changelog b/Changelog index 27e1dfd..ace112d 100644 --- a/Changelog +++ b/Changelog @@ -33,6 +33,9 @@ lacme (0.3) upstream; - When using open with mode "<&=" or ">&=", ensure the expression (fileno) is interpreted as an integer. (This failed in Perl v5.14.2 from Debian Jessie.) + - Specify minimum required Perl version: v5.14.2 for webserver, client + and lacme-accountd, and v5.16.2 for lacme (IPV6_V6ONLY was added to + Socket version 1.95). -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 diff --git a/client b/client index f0778d5..a0b5dfa 100755 --- a/client +++ b/client @@ -18,6 +18,7 @@ # along with this program. If not, see . #---------------------------------------------------------------------- +use v5.14.2; use strict; use warnings; diff --git a/lacme b/lacme index 478f2e4..270828b 100755 --- a/lacme +++ b/lacme @@ -18,6 +18,7 @@ # along with this program. If not, see . #---------------------------------------------------------------------- +use v5.16.2; use strict; use warnings; diff --git a/lacme-accountd b/lacme-accountd index f0d7d51..80ede29 100755 --- a/lacme-accountd +++ b/lacme-accountd @@ -19,6 +19,7 @@ # along with this program. If not, see . #---------------------------------------------------------------------- +use v5.14.2; use strict; use warnings; 
diff --git a/webserver b/webserver index dad3d9d..5371163 100755 --- a/webserver +++ b/webserver @@ -19,6 +19,7 @@ # along with this program. If not, see . #---------------------------------------------------------------------- +use v5.14.2; use strict; use warnings; -- cgit v1.2.3 From 13a0c9cf64543214282c6809cbbc43ef225df935 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 1 Jul 2017 20:23:28 +0200 Subject: lacme: Specify minimum required Socket version 1.95. --- Changelog | 5 ++--- lacme | 8 ++++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Changelog b/Changelog index ace112d..e0ce8c0 100644 --- a/Changelog +++ b/Changelog @@ -33,9 +33,8 @@ lacme (0.3) upstream; - When using open with mode "<&=" or ">&=", ensure the expression (fileno) is interpreted as an integer. (This failed in Perl v5.14.2 from Debian Jessie.) - - Specify minimum required Perl version: v5.14.2 for webserver, client - and lacme-accountd, and v5.16.2 for lacme (IPV6_V6ONLY was added to - Socket version 1.95). + - Specify minimum required Perl version (v5.14.2). Moreover lacme(1) + requires Socket 1.95 or later (for instance for IPPROTO_IPV6). -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 diff --git a/lacme b/lacme index 270828b..01c683e 100755 --- a/lacme +++ b/lacme @@ -18,7 +18,7 @@ # along with this program. If not, see . #---------------------------------------------------------------------- -use v5.16.2; +use v5.14.2; use strict; use warnings; 
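Review bot: `use v5.14.2;` does more than assert a minimum version: for `use VERSION` with 5.11 or later Perl also enables the `:5.14` feature bundle, which includes `unicode_strings` (plus `say`, `state` and `switch`), so `\w`, `\s`, case-insensitive matching and `lc`/`uc` on non-UTF8-flagged strings containing bytes 128–255 change from byte to Latin-1 semantics. webserver is the component that parses attacker-supplied HTTP requests, so any regex or case-folding it applies to the request line or path (outside this hunk) should be re-checked under the new semantics, or written with `/a` where ASCII is intended. It also implies `use strict`, so the explicit `use strict;` on the next line is redundant but harmless; a comment such as `# 5.14+: also enables the :5.14 feature bundle (unicode_strings, say, state, switch)` would make the side effect visible to the next maintainer.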
@@ -31,9 +31,9 @@ use File::Temp (); use Getopt::Long qw/:config posix_default no_ignore_case gnu_getopt auto_version/; use List::Util 'first'; use POSIX (); -use Socket qw/AF_UNIX AF_INET AF_INET6 PF_UNIX PF_INET PF_INET6 PF_UNSPEC - INADDR_ANY IN6ADDR_ANY IPPROTO_IPV6 - SOCK_STREAM SOL_SOCKET SO_REUSEADDR SHUT_RDWR/; +use Socket 1.95 qw/AF_UNIX AF_INET AF_INET6 PF_UNIX PF_INET PF_INET6 PF_UNSPEC + INADDR_ANY IN6ADDR_ANY IPPROTO_IPV6 + SOCK_STREAM SOL_SOCKET SO_REUSEADDR SHUT_RDWR/; use Config::Tiny (); use Net::SSLeay (); -- cgit v1.2.3 From 8349b801a5f7e5f11b0a758d7ab28d8b79eb08ea Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 8 Jul 2017 20:59:11 +0200 Subject: mv config/{apache2.conf,nginx.conf} snippets/ --- config/apache2.conf | 12 ------------ config/nginx.conf | 18 ------------------ snippets/apache2.conf | 12 ++++++++++++ snippets/nginx.conf | 18 ++++++++++++++++++ 4 files changed, 30 insertions(+), 30 deletions(-) delete mode 100644 config/apache2.conf delete mode 100644 config/nginx.conf create mode 100644 snippets/apache2.conf create mode 100644 snippets/nginx.conf diff --git a/config/apache2.conf b/config/apache2.conf deleted file mode 100644 index 471791c..0000000 --- a/config/apache2.conf +++ /dev/null @@ -1,12 +0,0 @@ -# Use Apache2 to serve ACME requests by passing them over to a -# locally-bound lacme webserver component. -# -# This file needs to be sourced to the server directives (at least the -# non-ssl one) of each virtual host requiring authorization. - - - ProxyPass unix:///var/run/lacme.socket|http://localhost/.well-known/acme-challenge/ - Order allow,deny - Allow from all - - diff --git a/config/nginx.conf b/config/nginx.conf deleted file mode 100644 index 6753ff9..0000000 --- a/config/nginx.conf +++ /dev/null 
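Review bot: The import list pinned with `use Socket 1.95` does not name `IPV6_V6ONLY`, even though the Changelog entry two commits earlier gave that constant as the reason for the version floor; if lacme calls `setsockopt($s, IPPROTO_IPV6, IPV6_V6ONLY, 1)` somewhere outside this hunk, the bareword fails under `use strict` unless it is imported here or written as `Socket::IPV6_V6ONLY`, so it should probably be added to the `qw/.../` list. A one-line comment above the `use` stating which imported symbol is the one that requires 1.95 (the Changelog in this commit says `IPPROTO_IPV6`) would keep the floor from being lowered by accident later.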
@@ -1,18 +0,0 @@ -# Use Nginx to serve ACME requests; either directly, or by passing them -# over to a locally-bound lacme webserver component. -# -# This file needs to be sourced to the server directives (at least the -# non-ssl one) of each virtual host requiring authorization. - -location ^~ /.well-known/acme-challenge/ { - # Pass ACME requests to lacme's webserver component - proxy_pass http://unix:/var/run/lacme.socket; - - ## Alternatively, you can let nginx serve the requests by - ## setting 'challenge-directory' to '/var/www/acme-challenge' in - ## lacme's configuration file - # alias /var/www/acme-challenge/; - # default_type application/jose+json; - # disable_symlinks on from=$document_root; - # autoindex off; -} diff --git a/snippets/apache2.conf b/snippets/apache2.conf new file mode 100644 index 0000000..471791c --- /dev/null +++ b/snippets/apache2.conf @@ -0,0 +1,12 @@ +# Use Apache2 to serve ACME requests by passing them over to a +# locally-bound lacme webserver component. +# +# This file needs to be sourced to the server directives (at least the +# non-ssl one) of each virtual host requiring authorization. + + + ProxyPass unix:///var/run/lacme.socket|http://localhost/.well-known/acme-challenge/ + Order allow,deny + Allow from all + + diff --git a/snippets/nginx.conf b/snippets/nginx.conf new file mode 100644 index 0000000..6753ff9 --- /dev/null +++ b/snippets/nginx.conf 
@@ -0,0 +1,18 @@ +# Use Nginx to serve ACME requests; either directly, or by passing them +# over to a locally-bound lacme webserver component. +# +# This file needs to be sourced to the server directives (at least the +# non-ssl one) of each virtual host requiring authorization. + +location ^~ /.well-known/acme-challenge/ { + # Pass ACME requests to lacme's webserver component + proxy_pass http://unix:/var/run/lacme.socket; + + ## Alternatively, you can let nginx serve the requests by + ## setting 'challenge-directory' to '/var/www/acme-challenge' in + ## lacme's configuration file + # alias /var/www/acme-challenge/; + # default_type application/jose+json; + # disable_symlinks on from=$document_root; + # autoindex off; +} -- cgit v1.2.3 From 8cdd29841d0dbb89e866aad36173bb26182d0c97 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 8 Jul 2017 21:02:36 +0200 Subject: Bind webserver to /var/run/lacme-www.socket by default. --- Changelog | 2 +- config/lacme.conf | 2 +- lacme | 2 +- lacme.md | 4 ++-- snippets/apache2.conf | 2 +- snippets/nginx.conf | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Changelog b/Changelog index e0ce8c0..070f2e3 100644 --- a/Changelog +++ b/Changelog @@ -5,7 +5,7 @@ lacme (0.3) upstream; + new-cert: create certificate files atomically. + webserver: allow listening to multiple addresses (useful when dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain - socket by default . + socket by default . + webserver: don't install temporary iptables by default. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the diff --git a/config/lacme.conf b/config/lacme.conf index 874bb1f..3cc1b34 100644 --- a/config/lacme.conf +++ b/config/lacme.conf 
@@ -62,7 +62,7 @@ # Comma- or space-separated list of addresses to listen on, for instance # "0.0.0.0:80 [::]:80". # -#listen = /var/run/lacme.socket +#listen = /var/run/lacme-www.socket # Non-existent directory under which an external HTTP daemon is # configured to serve GET requests for challenge files under diff --git a/lacme b/lacme index 01c683e..6570891 100755 --- a/lacme +++ b/lacme @@ -97,7 +97,7 @@ do { map {$_ => undef} qw/server timeout SSL_verify SSL_version SSL_cipher_list/ }, webserver => { - listen => '/var/run/lacme.socket', + listen => '/var/run/lacme-www.socket', 'challenge-directory' => undef, user => 'www-data', group => 'www-data', diff --git a/lacme.md b/lacme.md index 0f6f3ee..ba1e5be 100644 --- a/lacme.md +++ b/lacme.md @@ -232,12 +232,12 @@ served during certificate issuance. addresses are of the form `IPV4:PORT`, `[IPV6]:PORT` (where the `:PORT` suffix is optional and defaults to the HTTP port 80), or an absolute path of a UNIX-domain socket (created with mode `0666`). - Default: `/var/run/lacme.socket`. + Default: `/var/run/lacme-www.socket`. **Note**: The default value is only suitable when an external HTTP daemon is publicly reachable and passes all ACME challenge requests to the webserver component through the UNIX-domain socket - `/var/run/lacme.socket` (for instance using the provided + `/var/run/lacme-www.socket` (for instance using the provided `/etc/lacme/apache2.conf` or `/etc/lacme/nginx.conf` configuration snippets for each virtual host requiring authorization). If there is no HTTP daemon bound to port 80 one needs to set *listen* to diff --git a/snippets/apache2.conf b/snippets/apache2.conf index 471791c..20bf2ad 100644 --- a/snippets/apache2.conf +++ b/snippets/apache2.conf 
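Review bot: The new default `/var/run/lacme-www.socket` is, according to the lacme.md hunk in this same commit, created with mode `0666`, so with this default any local user — not only the `www-data` user/group configured two lines below — can connect to the challenge responder. That is likely acceptable for a read-only handler that serves nothing but `/.well-known/acme-challenge/` files, but the trade-off is invisible where the default is set; a comment such as `# UNIX socket is created 0666 so the external HTTP daemon (any uid) can connect; only challenge files are served through it` would record it, and creating the socket `0660` owned by the HTTP daemon's group is the tighter alternative. The `do { ... }` block holding these defaults begins before the hunk.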
@@ -5,7 +5,7 @@ # non-ssl one) of each virtual host requiring authorization. - ProxyPass unix:///var/run/lacme.socket|http://localhost/.well-known/acme-challenge/ + ProxyPass unix:///var/run/lacme-www.socket|http://localhost/.well-known/acme-challenge/ Order allow,deny Allow from all diff --git a/snippets/nginx.conf b/snippets/nginx.conf index 6753ff9..981bdc3 100644 --- a/snippets/nginx.conf +++ b/snippets/nginx.conf @@ -6,7 +6,7 @@ location ^~ /.well-known/acme-challenge/ { # Pass ACME requests to lacme's webserver component - proxy_pass http://unix:/var/run/lacme.socket; + proxy_pass http://unix:/var/run/lacme-www.socket; ## Alternatively, you can let nginx serve the requests by ## setting 'challenge-directory' to '/var/www/acme-challenge' in -- cgit v1.2.3
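Review bot: The ProxyPass target is updated but the access-control pair that follows it, `Order allow,deny` / `Allow from all`, is Apache 2.2 syntax; on Apache 2.4 those directives are only understood when mod_access_compat is loaded (Debian enables it by default, but hardening guides commonly disable it), and without it the snippet is rejected at startup with "Invalid command 'Order'", leaving the ACME challenge path unserved. Consider `Require all granted` in place of the two lines, or wrap both forms in `<IfModule mod_access_compat.c>` / `<IfModule !mod_access_compat.c>` guards. The nginx counterpart in the same commit needs no such change.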