From f2514b36b8c9f519452106fbc84ca69f1955ada1 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 26 Nov 2020 01:19:45 +0100 Subject: Use upstream certificate chain instead of an hardcoded one. This is a breaking change. The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexbility with respect to key/CA rotation, cf. https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). --- debian/changelog | 23 + debian/lacme.install | 3 +- ...m-certicate-chain-instead-of-an-hardcoded.patch | 479 +++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 505 insertions(+), 1 deletion(-) create mode 100644 debian/patches/0003-Use-upstream-certicate-chain-instead-of-an-hardcoded.patch diff --git a/debian/changelog b/debian/changelog index 3366d21..a643159 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,26 @@ +lacme (0.5-1+deb10u2) buster; urgency=medium + + * Use upstream certificate chain instead of an hardcoded one. + This is a breaking change. The certificate indicated by 'CAfile' is no + longer used as is in 'certificate-chain' (along with the leaf cert). + The chain returned by the ACME v2 endpoint is used instead. This allows + for more flexbility with respect to key/CA rotation, cf. + https://letsencrypt.org/2020/11/06/own-two-feet.html and + https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 + * Additional current/planned CA certificates can be found under + /usr/local/share/lacme: + - lets-encrypt-e[12].pem + - lets-encrypt-r[34]-cross-signed.pem + - lets-encrypt-r[34].pem + - letsencryptauthorityx[34].pem + See https://letsencrypt.org/certificates/ + * Moreover 'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt + which is a concatenation of all known active CA certificates (which + includes the previous default). + Closes: #975862. + + -- Guilhem Moulin Thu, 26 Nov 2020 01:14:50 +0100 + lacme (0.5-1+deb10u1) buster; urgency=medium * Link to RFC 8555 instead of the diff --git a/debian/lacme.install b/debian/lacme.install index 303c121..220097d 100644 --- a/debian/lacme.install +++ b/debian/lacme.install @@ -1,4 +1,5 @@ -certs/lets-encrypt-x[1-4]-cross-signed.pem /usr/share/lacme +certs/*.pem /usr/share/lacme +/usr/share/lacme/ca-certificates.crt client webserver /usr/lib/lacme config/lacme-certs.conf config/lacme.conf /etc/lacme lacme /usr/sbin diff --git a/debian/patches/0003-Use-upstream-certicate-chain-instead-of-an-hardcoded.patch b/debian/patches/0003-Use-upstream-certicate-chain-instead-of-an-hardcoded.patch new file mode 100644 index 0000000..1032af2 --- /dev/null +++ b/debian/patches/0003-Use-upstream-certicate-chain-instead-of-an-hardcoded.patch @@ -0,0 +1,479 @@ +From d3c9435c4f43167b9d5c9315044f50b8878a2881 Mon Sep 17 00:00:00 2001 +From: Guilhem Moulin +Date: Thu, 26 Nov 2020 01:10:38 +0100 +Subject: Use upstream certificate chain instead of an hardcoded one. + +This is a breaking change. The certificate indicated by 'CAfile' is no +longer used as is in 'certificate-chain' (along with the leaf cert). +The chain returned by the ACME v2 endpoint is used instead. This allows +for more flexbility with respect to key/CA rotation, cf. +https://letsencrypt.org/2020/11/06/own-two-feet.html and +https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 + +Moreover 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt +which is a concatenation of all known active CA certificates (which +includes the previous default). +--- + Makefile | 9 ++++++- + certs/lets-encrypt-e1.pem | 17 +++++++++++++ + certs/lets-encrypt-e2.pem | 17 +++++++++++++ + certs/lets-encrypt-r3-cross-signed.pem | 26 +++++++++++++++++++ + certs/lets-encrypt-r3.pem | 30 ++++++++++++++++++++++ + certs/lets-encrypt-r4-cross-signed.pem | 26 +++++++++++++++++++ + certs/lets-encrypt-r4.pem | 30 ++++++++++++++++++++++ + certs/letsencryptauthorityx3.pem | 32 +++++++++++++++++++++++ + certs/letsencryptauthorityx4.pem | 32 +++++++++++++++++++++++ + client | 15 +---------- + config/lacme-certs.conf | 11 ++++---- + lacme | 35 ++++++++++++++++---------- + lacme.md | 13 ++++------ + 13 files changed, 251 insertions(+), 42 deletions(-) + create mode 100644 certs/lets-encrypt-e1.pem + create mode 100644 certs/lets-encrypt-e2.pem + create mode 100644 certs/lets-encrypt-r3-cross-signed.pem + create mode 100644 certs/lets-encrypt-r3.pem + create mode 100644 certs/lets-encrypt-r4-cross-signed.pem + create mode 100644 certs/lets-encrypt-r4.pem + create mode 100644 certs/letsencryptauthorityx3.pem + create mode 100644 certs/letsencryptauthorityx4.pem + +diff --git a/Makefile b/Makefile +index 5d421bf..99ce749 100644 +--- a/Makefile ++++ b/Makefile +@@ -37,7 +37,14 @@ install: ${MANPAGES} + install -m0644 -t $(DESTDIR)/etc/lacme config/*.conf + install -m0644 -t $(DESTDIR)/etc/lacme snippets/*.conf + install -d $(DESTDIR)/usr/share/lacme +- install -m0644 -t $(DESTDIR)/usr/share/lacme certs/lets-encrypt-x[1-4]-cross-signed.pem ++ install -m0644 -t $(DESTDIR)/usr/share/lacme certs/* ++ # used for validation, see https://letsencrypt.org/certificates/ ++ cat certs/letsencryptauthorityx[34].pem \ ++ certs/lets-encrypt-x[34]-cross-signed.pem \ ++ certs/lets-encrypt-r[34].pem \ ++ certs/lets-encrypt-r[34]-cross-signed.pem \ ++ certs/lets-encrypt-e[12].pem \ ++ >$(DESTDIR)/usr/share/lacme/ca-certificates.crt + install -d $(DESTDIR)/usr/lib/lacme + install -m0755 -t $(DESTDIR)/usr/lib/lacme client webserver + install -d $(DESTDIR)/usr/share/man/man1 +diff --git a/certs/lets-encrypt-e1.pem b/certs/lets-encrypt-e1.pem +new file mode 100644 +index 0000000..2a19d41 +--- /dev/null ++++ b/certs/lets-encrypt-e1.pem +@@ -0,0 +1,17 @@ ++-----BEGIN CERTIFICATE----- ++MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL ++MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo ++IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN ++MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j ++cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c ++S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj +++240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB ++BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB ++MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V ++yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB ++BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E ++IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG ++Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+ ++Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q ++YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/ ++-----END CERTIFICATE----- +diff --git a/certs/lets-encrypt-e2.pem b/certs/lets-encrypt-e2.pem +new file mode 100644 +index 0000000..0fd9f40 +--- /dev/null ++++ b/certs/lets-encrypt-e2.pem +@@ -0,0 +1,17 @@ ++-----BEGIN CERTIFICATE----- ++MIICxjCCAkygAwIBAgIQTtI99q9+x/mwxHJv+VEqdzAKBggqhkjOPQQDAzBPMQsw ++CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg ++R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw0y ++NTA5MTUxNjAwMDBaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNy ++eXB0MQswCQYDVQQDEwJFMjB2MBAGByqGSM49AgEGBSuBBAAiA2IABCOaLO3lixmN ++YVWex+ZVYOiTLgi0SgNWtU4hufk50VU4Zp/LbBVDxCsnsI7vuf4xp4Cu+ETNggGE ++yBqJ3j8iUwe5Yt/qfSrRf1/D5R58duaJ+IvLRXeASRqEL+VkDXrW3qOCAQgwggEE ++MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw ++EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUbZkq9U0C6+MRwWC6km+NPS7x ++6kQwHwYDVR0jBBgwFoAUfEKWrt5LSDv6kviejM9ti6lyN5UwMgYIKwYBBQUHAQEE ++JjAkMCIGCCsGAQUFBzAChhZodHRwOi8veDIuaS5sZW5jci5vcmcvMCcGA1UdHwQg ++MB4wHKAaoBiGFmh0dHA6Ly94Mi5jLmxlbmNyLm9yZy8wIgYDVR0gBBswGTAIBgZn ++gQwBAgEwDQYLKwYBBAGC3xMBAQEwCgYIKoZIzj0EAwMDaAAwZQIxAPJCN9qpyDmZ ++tX8K3m8UYQvK51BrXclM6WfrdeZlUBKyhTXUmFAtJw4X6A0x9mQFPAIwJa/No+KQ ++UAM1u34E36neL/Zba7ombkIOchSgx1iVxzqtFWGddgoG+tppRPWhuhhn ++-----END CERTIFICATE----- +diff --git a/certs/lets-encrypt-r3-cross-signed.pem b/certs/lets-encrypt-r3-cross-signed.pem +new file mode 100644 +index 0000000..1d82449 +--- /dev/null ++++ b/certs/lets-encrypt-r3-cross-signed.pem +@@ -0,0 +1,26 @@ ++-----BEGIN CERTIFICATE----- ++MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow ++MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT ++AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs ++jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp ++Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB ++U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 ++gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel ++/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R ++oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E ++BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p ++ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE ++p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE ++AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu ++Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 ++LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf ++r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B ++AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH ++ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 ++S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL ++qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p ++O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw ++UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== ++-----END CERTIFICATE----- +diff --git a/certs/lets-encrypt-r3.pem b/certs/lets-encrypt-r3.pem +new file mode 100644 +index 0000000..43b222a +--- /dev/null ++++ b/certs/lets-encrypt-r3.pem +@@ -0,0 +1,30 @@ ++-----BEGIN CERTIFICATE----- ++MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw ++WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg ++RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK ++AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP ++R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx ++sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm ++NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg ++Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG ++/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC ++AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB ++Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA ++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw ++AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw ++Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB ++gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W ++PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl ++ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz ++CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm ++lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 ++avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 ++yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O ++yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids ++hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ ++HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv ++MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX ++nLRbwHOoq7hHwg== ++-----END CERTIFICATE----- +diff --git a/certs/lets-encrypt-r4-cross-signed.pem b/certs/lets-encrypt-r4-cross-signed.pem +new file mode 100644 +index 0000000..f0ed3cd +--- /dev/null ++++ b/certs/lets-encrypt-r4-cross-signed.pem +@@ -0,0 +1,26 @@ ++-----BEGIN CERTIFICATE----- ++MIIEZTCCA02gAwIBAgIQQAF1BIMlO+Rkt3exI9CKgjANBgkqhkiG9w0BAQsFADA/ ++MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT ++DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0NVoXDTIxMDkyOTE5MjE0NVow ++MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT ++AlI0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyjcdynT55G+87cK ++AMf78lULJSJjUzav6Qgg3w2vKD7NxqtXtp2kJRml0jJtSaYIuccvoZuTxSBAa4Qx ++IKKOMGAlYO/ZGok/H2lxstrqP3NBxJBvZv19nljYd8/NWXVEyaEKe58/Gw46Zm+2 ++dc+Ly6+dwHDF/9KCCq9dzeLonIWUpOYANeh+TjmBxyGJYHfqHZbyi4N7R8RtMsBS ++fiMeRbVx7qPvF8IDqZOJ3fWf27rx2uB+l4dxgR4aglbkPnwYogjlFl+o+qjgSFFN ++GBSgDKPltsqztVUSa3LHWn87jPnn2dGOEk0zMwMq8RPhQjzCLllgLm3gB0czZd/S ++Z8pNhQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E ++BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p ++ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE ++p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE ++AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu ++Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 ++LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFDadPuCxQPYnLHy/jZ0x ++ivZUpkYmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B ++AQsFAAOCAQEAN4CpgPmK2C5pq/RdV9gEdWcvPnPfT9ToucrAMTcn//wyWBWF2wG4 ++hvPBQxxuqPECZsi4nLQ45VJpyC1NDd0GqGQIMqNdC4N4TLDtd7Yhy8v5JsfEMUbb ++6xW4sKeeeKy3afOkel60Xg1/7ndSmppiHqdh+TdJML1hptRgdxGiB8LMpHuW/oM8 ++akfyt4TkBhA8+Wu8MM6dlJyJ7nHBVnEUFQ4Ni+GzNC/pQSL2+Y9Mq4HHIk2ZFy0W ++B8KsVwdeNrERPL+LjhhLde1Et0aL9nlv4CqwXHML2LPgk38j/WllbQ/8HRd2VpB+ ++JW6Z8JNhcnuBwATHMCeJVCFapoZsPfQQ6Q== ++-----END CERTIFICATE----- +diff --git a/certs/lets-encrypt-r4.pem b/certs/lets-encrypt-r4.pem +new file mode 100644 +index 0000000..578b3bd +--- /dev/null ++++ b/certs/lets-encrypt-r4.pem +@@ -0,0 +1,30 @@ ++-----BEGIN CERTIFICATE----- ++MIIFFjCCAv6gAwIBAgIRAIp5IlCr5SxSbO7Pf8lC3WIwDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw ++WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg ++RW5jcnlwdDELMAkGA1UEAxMCUjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK ++AoIBAQCzKNx3KdPnkb7ztwoAx/vyVQslImNTNq/pCCDfDa8oPs3Gq1e2naQlGaXS ++Mm1Jpgi5xy+hm5PFIEBrhDEgoo4wYCVg79kaiT8faXGy2uo/c0HEkG9m/X2eWNh3 ++z81ZdUTJoQp7nz8bDjpmb7Z1z4vLr53AcMX/0oIKr13N4uichZSk5gA16H5OOYHH ++IYlgd+odlvKLg3tHxG0ywFJ+Ix5FtXHuo+8XwgOpk4nd9Z/buvHa4H6Xh3GBHhqC ++VuQ+fBiiCOUWX6j6qOBIUU0YFKAMo+W2yrO1VRJrcsdafzuM+efZ0Y4STTMzAyrx ++E+FCPMIuWWAubeAHRzNl39Jnyk2FAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC ++AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB ++Af8CAQAwHQYDVR0OBBYEFDadPuCxQPYnLHy/jZ0xivZUpkYmMB8GA1UdIwQYMBaA ++FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw ++AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw ++Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB ++gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCJbu5CalWO+H+Az0lmIG14DXmlYHQE ++k26umjuCyioWs2icOlZznPTcZvbfq02YPHGTCu3ctggVDULJ+fwOxKekzIqeyLNk ++p8dyFwSAr23DYBIVeXDpxHhShvv0MLJzqqDFBTHYe1X5X2Y7oogy+UDJxV2N24/g ++Z8lxG4Vr2/VEfUOrw4Tosl5Z+1uzOdvTyBcxD/E5rGgTLczmulctHy3IMTmdTFr0 ++FnU0/HMQoquWQuODhFqzMqNcsdbjANUBwOEQrKI8Sy6+b84kHP7PtO+S4Ik8R2k7 ++ZeMlE1JmxBi/PZU860YlwT8/qOYToCHVyDjhv8qutbf2QnUl3SV86th2I1QQE14s ++0y7CdAHcHkw3sAEeYGkwCA74MO+VFtnYbf9B2JBOhyyWb5087rGzitu5MTAW41X9 ++DwTeXEg+a24tAeht+Y1MionHUwa4j7FB/trN3Fnb/r90+4P66ZETVIEcjseUSMHO ++w6yqv10/H/dw/8r2EDUincBBX3o9DL3SadqragkKy96HtMiLcqMMGAPm0gti1b6f ++bnvOdr0mrIVIKX5nzOeGZORaYLoSD4C8qvFT7U+Um6DMo36cVDNsPmkF575/s3C2 ++CxGiCPQqVxPgfNSh+2CPd2Xv04lNeuw6gG89DlOhHuoFKRlmPnom+gwqhz3ZXMfz ++TfmvjrBokzCICA== ++-----END CERTIFICATE----- +diff --git a/certs/letsencryptauthorityx3.pem b/certs/letsencryptauthorityx3.pem +new file mode 100644 +index 0000000..4e82cb5 +--- /dev/null ++++ b/certs/letsencryptauthorityx3.pem +@@ -0,0 +1,32 @@ ++-----BEGIN CERTIFICATE----- ++MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1 ++WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg ++RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi ++MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX ++NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf ++89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl ++Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc ++Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz ++uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB ++AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU ++BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB ++FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo ++SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js ++LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF ++BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG ++AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD ++VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB ++ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx ++A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM ++UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2 ++DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1 ++eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu ++OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw ++p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY ++2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0 ++ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR ++PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b ++rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt ++-----END CERTIFICATE----- +diff --git a/certs/letsencryptauthorityx4.pem b/certs/letsencryptauthorityx4.pem +new file mode 100644 +index 0000000..34064da +--- /dev/null ++++ b/certs/letsencryptauthorityx4.pem +@@ -0,0 +1,32 @@ ++-----BEGIN CERTIFICATE----- ++MIIFjTCCA3WgAwIBAgIRAJObmZ6kjhYNW0JZtD0gE9owDQYJKoZIhvcNAQELBQAw ++TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh ++cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0NDM0 ++WhcNMjExMDA2MTU0NDM0WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg ++RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDQwggEi ++MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhJHRCe7eRMdlz/ziq2M5EXLc5 ++CtxErg29RbmXN2evvVBPX9MQVGv3QdqOY+ZtW8DoQKmMQfzRA4n/YmEJYNYHBXia ++kL0aZD5P3M93L4lry2evQU3FjQDAa/6NhNy18pUxqOj2kKBDSpN0XLM+Q2lLiSJH ++dFE+mWTDzSQB+YQvKHcXIqfdw2wITGYvN3TFb5OOsEY3FmHRUJjIsA9PWFN8rPba ++LZZhUK1D3AqmT561Urmcju9O30azMdwg/GnCoyB1Puw4GzZOZmbS3/VmpJMve6YO ++lD5gPUpLHG+6tE0cPJFYbi9NxNpw2+0BOXbASefpNbUUBpDB5ZLiEP1rubSFAgMB ++AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU ++BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB ++FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBTF ++satOTLHNZDCTfsGEmQWr5gPiJTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js ++LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF ++BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG ++AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD ++VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB ++AF4tI1yGjZgld9lP01+zftU3aSV0un0d2GKUMO7GxvwTLWAKQz/eT+u3J4+GvpD+ ++BMfopIxkJcDCzMChjjZtZZwJpIY7BatVrO6OkEmaRNITtbZ/hCwNkUnbk3C7EG3O ++GJZlo9b2wzA8v9WBsPzHpTvLfOr+dS57LLPZBhp3ArHaLbdk33lIONRPt9sseDEk ++mdHnVmGmBRf4+J0Wy67mddOvz5rHH8uzY94raOayf20gzzcmqmot4hPXtDG4Y49M ++oFMMT2kcWck3EOTAH6QiGWkGJ7cxMfSL3S0niA6wgFJtfETETOZu8AVDgENgCJ3D ++S0bz/dhVKvs3WRkaKuuR/W0nnC2VDdaFj4+CRF8LGtn/8ERaH48TktH5BDyDVcF9 ++zfJ75Scxcy23jAL2N6w3n/t3nnqoXt9Im4FprDr+mP1g2Z6Lf2YA0jE3kZalgZ6l ++NHu4CmvJYoOTSJw9X2qlGl1K+B4U327rG1tRxgjM76pN6lIS02PMECoyKJigpOSB ++u4V8+LVaUMezCJH9Qf4EKeZTHddQ1t96zvNd2s9ewSKx/DblXbKsBDzIdHJ+qi6+ ++F9DIVM5/ICdtDdulOO+dr/BXB+pBZ3uVxjRANvJKKpdxkePyluITSNZHbanWRN07 ++gMvwBWOL060i4VrL9er1sBQrRjU9iNpZQGTnLVAxQVFu ++-----END CERTIFICATE----- +diff --git a/client b/client +index 838b184..52aab3d 100755 +--- a/client ++++ b/client +@@ -338,20 +338,7 @@ elsif ($COMMAND eq 'newOrder') { + die "Timeout exceeded while waiting for certificate\n" if $timeout > 0 and $i >= $timeout; + sleep $retry_after; + } +- +- # keep only the leaf certificate +- pipe my $rd, my $wd or die "Can't pipe: $!"; +- my $pid = fork // die "Can't fork: $!"; +- unless ($pid) { +- open STDIN, '<&', $rd or die "Can't dup: $!"; +- exec qw/openssl x509 -outform PEM/ or die; +- } +- $rd->close() or die "Can't close: $!"; +- $wd->print( $r->decoded_content() ); +- $wd->close() or die "Can't close: $!"; +- +- waitpid $pid => 0; +- die $? if $? > 0; ++ print $r->decoded_content(); + } + + +diff --git a/config/lacme-certs.conf b/config/lacme-certs.conf +index 97d588a..7a9ba29 100644 +--- a/config/lacme-certs.conf ++++ b/config/lacme-certs.conf +@@ -20,8 +20,8 @@ + # + #certificate = /etc/nginx/ssl/srv.pem + +-# Where to store the issued certificate, concatenated with the content +-# of the file specified specified with the CAfile option (in PEM format). ++# Where to store the issued certificate along with its chain of trust ++# (in PEM format). + # + #certificate-chain = /etc/nginx/ssl/srv.chain.pem + +@@ -30,11 +30,10 @@ + # + #min-days = 21 + +-# Path to the issuer's certificate. This is used for certificate-chain +-# and to verify the validity of each issued certificate. Specifying an +-# empty value skip certificate validation. ++# Path to trusted issuer certificates, used for validating each issued ++# certificate. Specifying an empty value skips certificate validation. + # +-#CAfile = /usr/share/lacme/lets-encrypt-x3-cross-signed.pem ++#CAfile = /usr/share/lacme/ca-certificates.crt + + # Subject field of the Certificate Signing Request. This option is + # required. +diff --git a/lacme b/lacme +index 3e5347d..8f03d38 100755 +--- a/lacme ++++ b/lacme +@@ -609,12 +609,10 @@ sub spawn($@) { + + + ############################################################################# +-# Install the certificate ++# Install the certificate (optionally excluding the chain of trust) + # + sub install_cert($$;$) { +- my $filename = shift; +- my $x509 = shift; +- my @chain = grep !/\A\s*\z/, @_; # ignore empty CAfile ++ my ($filename, $chain, $leafonly) = @_; + + my ($dirname, $basename) = + $filename =~ /\A(.*)\/([^\/]+)\z/ ? ($1, $2) : ('.', $filename); +@@ -624,12 +622,23 @@ sub install_cert($$;$) { + eval { + my $umask = umask() // die "umask: $!"; + chmod(0644 &~ $umask, $fh) or die "chmod: $!"; +- $fh->print($x509) or die "Can't print: $!"; +- foreach (@chain) { # append the chain +- open my $fh2, '<', $_ or die "Can't open $_: $!"; +- my $ca = do { local $/ = undef; $fh2->getline() }; +- $fh2->close() or die "Can't close: $!"; +- $fh->print($ca) or die "Can't print: $!"; ++ if ($leafonly) { ++ # keep only the leaf certificate ++ pipe my $rd, my $wd or die "Can't pipe: $!"; ++ my $pid = fork // die "Can't fork: $!"; ++ unless ($pid) { ++ open STDIN, '<&', $rd or die "Can't dup: $!"; ++ open STDOUT, '>&', $fh or die "Can't dup: $!"; ++ exec qw/openssl x509 -outform PEM/ or die; ++ } ++ $rd->close() or die "Can't close: $!"; ++ $wd->print($chain); ++ $wd->close() or die "Can't close: $!"; ++ ++ waitpid $pid => 0; ++ die $? if $? > 0; ++ } else { ++ $fh->print($chain) or die "Can't print: $!"; + } + $fh->close() or die "Can't close: $!"; + }; +@@ -767,7 +776,7 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { + }; + + # verify certificate validity against the CA +- $conf->{CAfile} //= '/usr/share/lacme/lets-encrypt-x3-cross-signed.pem'; ++ $conf->{CAfile} //= '/usr/share/lacme/ca-certificates.crt'; + if ($conf->{CAfile} ne '' and spawn({in => $x509}, 'openssl', 'verify', '-CAfile', $conf->{CAfile}, + qw/-purpose sslserver -x509_strict/)) { + print STDERR "[$s] Error: Received invalid X.509 certificate from ACME server!\n"; +@@ -778,11 +787,11 @@ elsif ($COMMAND eq 'newOrder' or $COMMAND eq 'new-cert') { + # install certificate + if (defined $conf->{'certificate'}) { + print STDERR "Installing X.509 certificate $conf->{'certificate'}\n"; +- install_cert($conf->{'certificate'}, $x509); ++ install_cert($conf->{'certificate'}, $x509, 1); + } + if (defined $conf->{'certificate-chain'}) { + print STDERR "Installing X.509 certificate chain $conf->{'certificate-chain'}\n"; +- install_cert($conf->{'certificate-chain'}, $x509, $conf->{CAfile}); ++ install_cert($conf->{'certificate-chain'}, $x509); + } + + if (defined $conf->{chown}) { +diff --git a/lacme.md b/lacme.md +index 2d70c49..28d1a53 100644 +--- a/lacme.md ++++ b/lacme.md +@@ -327,9 +327,8 @@ Valid options are: + + *certificate-chain* + +-: Where to store the issued certificate, concatenated with the content +- of the file specified specified with the *CAfile* option (in PEM +- format). ++: Where to store the issued certificate along with its chain of trust ++ (in PEM format). + At least one of *certificate* or *certificate-chain* is required. + + *certificate-key* +@@ -351,11 +350,9 @@ Valid options are: + + *CAfile* + +-: Path to the issuer's certificate. This is used for +- *certificate-chain* and to verify the validity of each issued +- certificate. +- Specifying an empty value skip certificate validation. +- Default: `/usr/share/lacme/lets-encrypt-x3-cross-signed.pem`. ++: Path to trusted issuer certificates, used for validating each issued ++ certificate. Specifying an empty values skips certificate validation. ++ Default: `/usr/share/lacme/ca-certificates.crt`. + + *hash* + +-- +2.29.2 + diff --git a/debian/patches/series b/debian/patches/series index ddf7cce..fcf1c3f 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 0001-Mention-the-Debian-BTS-in-the-manpages.patch 0002-Issue-GET-and-POST-as-GET-requests.patch +0003-Use-upstream-certicate-chain-instead-of-an-hardcoded.patch -- cgit v1.2.3