From fbcd17c52091cb51a86f0ab2acb5348a12b613e0 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 22 Feb 2021 12:06:09 +0100 Subject: In lacme's the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config'. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This matches the arguably expected behavior that ‘config = %h/foo’ is passed as ‘--config=%h/foo’ and resolved by lacme-accountd(1) (possibly remote and with another passwd database). --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 9f12237..3765bf9 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,10 @@ +lacme (0.8.1) upstream; + + - lacme: in the [accountd] config, let lacme-accountd(1) do the + %-expansion for 'config', not lacme(8) when building the command. + + -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 + lacme (0.8.0) upstream; * Breaking change: 'challenge-directory' now needs to be set to an -- cgit v1.2.3 From 87fa9468a26c1902423839473049cd3325098c1a Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 22 Feb 2021 14:49:00 +0100 Subject: lacme-account: Improve log messages. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Again… --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 3765bf9..faf32a8 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,6 @@ lacme (0.8.1) upstream; + + lacme-accountd: improve log messages. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. -- cgit v1.2.3 From 045d169339c5b973f0924269e6ca485e48de3668 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Mon, 22 Feb 2021 20:32:33 +0100 Subject: lacme-accountd: Refuse to sign JWS with an invalid Protected Header. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit “The JWS Protected Header is a JSON object” — RFC 7515 sec. 2. “The JWS Protected Header MUST include the following fields: - "alg" - "nonce" - "url" - either "jwk" or "kid"” — RFC 8555 sec. 6.2. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index faf32a8..da34ddc 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,7 @@ lacme (0.8.1) upstream; + lacme-accountd: improve log messages. + + lacme-accountd: refuse to sign JWS with an invalid Protected Header. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. -- cgit v1.2.3 From 2d08a72c2f6b2afb04fb5382a5f592075a0004a8 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 23 Feb 2021 00:28:56 +0100 Subject: lacme-accountd: don't log debug messages unless --debug is set. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index da34ddc..c4dd0fc 100644 --- a/Changelog +++ b/Changelog @@ -4,6 +4,7 @@ lacme (0.8.1) upstream; + lacme-accountd: refuse to sign JWS with an invalid Protected Header. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. + - lacme-accountd: don't log debug messages unless --debug is set. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 From 3a527c2159cdd23f489970f935edbccc37da1901 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 23 Feb 2021 00:58:46 +0100 Subject: lacme-accountd: Refactor logging logic. --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index c4dd0fc..b7459fd 100644 --- a/Changelog 
+++ b/Changelog @@ -1,6 +1,6 @@ lacme (0.8.1) upstream; - + lacme-accountd: improve log messages. + + lacme-accountd: improve log messages and refactor logging logic. + lacme-accountd: refuse to sign JWS with an invalid Protected Header. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. -- cgit v1.2.3 From 016c9611970c0667ad02cb1cf31834f2325b1575 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 12:56:28 +0100 Subject: lacme: When getpwnam()/getgrnam()'s errno is 0, exclude it from error messages. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index b7459fd..8b90177 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,8 @@ lacme (0.8.1) upstream; - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. + - lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error + messages. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 From 83bcf394a15c4c2797353c040f1814c6b03b5db3 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 13:00:32 +0100 Subject: tests/drop-privileges: Ensure failure to drop privileges yields an error. And doesn't retain root privileges. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 8b90177..ae42df7 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,8 @@ lacme (0.8.1) upstream; - lacme-accountd: don't log debug messages unless --debug is set. - lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error messages. + - tests/drop-privileges: ensure failure to drop privileges yields an + error instead of retaining root priviliges. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 
From 539e3a8b8a2baf6746716125e99231da14a153a9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 13:19:21 +0100 Subject: tests/cert-install: Include tests for failing chown(2). Due to unknown user/group name. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index ae42df7..ee90be3 100644 --- a/Changelog +++ b/Changelog @@ -9,6 +9,8 @@ lacme (0.8.1) upstream; messages. - tests/drop-privileges: ensure failure to drop privileges yields an error instead of retaining root priviliges. + - tests/cert-install: include tests for failing chown(2) due to unknown + user/group name. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 From d1a862d9cb98a54e12c9fdbc405b896f3f0efcfe Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 13:25:38 +0100 Subject: lacme: Ignore empty values in 'chown'/'chmod'/'certificate'/'certificate-chain'. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index ee90be3..1682847 100644 --- a/Changelog +++ b/Changelog @@ -11,6 +11,8 @@ lacme (0.8.1) upstream; error instead of retaining root priviliges. - tests/cert-install: include tests for failing chown(2) due to unknown user/group name. + - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate' + and 'certificate-chain'. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 From faab30461b0f2b920e3dd19489ce458c0b38e6d9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 21:06:48 +0100 Subject: If restricting access via umask() fails, don't include errno in the error message. errno is not set on umask failure, see https://perldoc.perl.org/functions/umask. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 1682847..e047ac5 100644 --- a/Changelog +++ b/Changelog 
@@ -236,6 +236,8 @@ lacme (0.2) upstream; directories. New default "lacme-certs.conf lacme-certs.conf.d/". - Minor manpage fixes - More useful message upon Validation Challenge failure. + - If restricting access via umask() fails, don't include errno in the + error message as it's not set on failure. -- Guilhem Moulin Sat, 03 Dec 2016 16:40:56 +0100 -- cgit v1.2.3 From cdd025133a306cd8d3e81aa832ac056119d65f3a Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 20:03:44 +0100 Subject: lacme: Don't write certificate(-chain) file on chown/chmod failure. Otherwise we end up with files with mode 0644 owned by root:root, and subsequent lacme(8) invocations will likely not renew them for a while. This change also saves a chown(2) call. And the new logic (chown resp. chmod from root:root resp. 0600) is safe if we ever include private key material in there too. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index e047ac5..2a027f1 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ lacme (0.8.1) upstream; + lacme-accountd: improve log messages and refactor logging logic. + lacme-accountd: refuse to sign JWS with an invalid Protected Header. + + lacme: don't write certificate(-chain) file on chown/chmod failure. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. -- cgit v1.2.3 From c612a7ff44995f4f9c39fa0fb68470d90c88decf Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 21:01:12 +0100 Subject: lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files. --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'Changelog') 
diff --git a/Changelog b/Changelog index 2a027f1..f7f11f6 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,10 @@ lacme (0.8.1) upstream; + lacme-accountd: improve log messages and refactor logging logic. + lacme-accountd: refuse to sign JWS with an invalid Protected Header. + lacme: don't write certificate(-chain) file on chown/chmod failure. + + lacme: default mode for certificate(-chain) creation is 0644 minus + umask restrictions. Also, always spawn the client with umask 0022 so + a starting lacme(8) with a restrictive umask doesn't impede serving + challenge files. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. -- cgit v1.2.3 From c6a4aaa6128d55ba5f7f3cd2bd75f789f69ae407 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 21:24:13 +0100 Subject: lacme: Add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index f7f11f6..14add81 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,8 @@ lacme (0.8.1) upstream; umask restrictions. Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge files. + + lacme: add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. + 'chmod'. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. -- cgit v1.2.3 From ea5a51ecaa72c8277b4f878cf3635025d757fa37 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 24 Feb 2021 21:28:31 +0100 Subject: lacme: Return an error when the 'mode'/'chown' isn't a number. oct("foobar") is 0, definitely not what we want. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') 
diff --git a/Changelog b/Changelog index 14add81..92b8a4d 100644 --- a/Changelog +++ b/Changelog @@ -20,6 +20,7 @@ lacme (0.8.1) upstream; user/group name. - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate' and 'certificate-chain'. + - lacme: return an error when the 'mode'/'chown' isn't a number. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 From f09c95ea97c9bdee92f7c7622689aed540373a73 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 25 Feb 2021 00:30:37 +0100 Subject: lacme: split certificates using Net::SSLeay::PEM_* instead of calling openssl. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 92b8a4d..d63c754 100644 --- a/Changelog +++ b/Changelog @@ -9,6 +9,8 @@ lacme (0.8.1) upstream; challenge files. + lacme: add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp. 'chmod'. + + lacme: split certificates using Net::SSLeay::PEM_* instead of calling + openssl. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. -- cgit v1.2.3 From 9a8f705eddd18ccc9a24fe0e7efe6b5a87b2be09 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 25 Feb 2021 01:41:59 +0100 Subject: lacme: pass a temporary JSON file with the client configuration to the internal client. So it doesn't have to parse the INI file again. Also, while lacme.conf is world-readable by default, one might restrict permissions and add private information in there, not realizing that everything, including comments, will be readable by the client. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index d63c754..8bf0721 100644 --- a/Changelog +++ b/Changelog 
@@ -11,6 +11,8 @@ lacme (0.8.1) upstream; 'chmod'. + lacme: split certificates using Net::SSLeay::PEM_* instead of calling openssl. + + lacme: pass a temporary JSON file with the client configuration to + the internal client, so it doesn't have to parse the INI file again. - lacme: in the [accountd] config, let lacme-accountd(1) do the %-expansion for 'config', not lacme(8) when building the command. - lacme-accountd: don't log debug messages unless --debug is set. -- cgit v1.2.3 From 40a4c9b9be51f9c41edd8b421dd629e001659fb4 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 25 Jan 2023 03:11:22 +0100 Subject: Replace '$(dir $@)' with '$(@D)' in Makefile. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 8bf0721..d37d964 100644 --- a/Changelog +++ b/Changelog @@ -25,6 +25,7 @@ lacme (0.8.1) upstream; - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate' and 'certificate-chain'. - lacme: return an error when the 'mode'/'chown' isn't a number. + - Makefile: replace '$(dir $@)' with '$(@D)'. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 From cb0b301e7a62a71d9e4454f9f7af5358c857c48c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 25 Jan 2023 03:12:13 +0100 Subject: Adjust test suite against current Let's Encrypt staging environment. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index d37d964..4aa9f4f 100644 --- a/Changelog +++ b/Changelog @@ -26,6 +26,7 @@ lacme (0.8.1) upstream; and 'certificate-chain'. - lacme: return an error when the 'mode'/'chown' isn't a number. - Makefile: replace '$(dir $@)' with '$(@D)'. + - Test suite: Adjust against current Let's Encrypt staging environment. -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 -- cgit v1.2.3 From b3af3526b293f396da02a6276ea86ca17dcd2d03 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Wed, 25 Jan 2023 03:23:51 +0100 Subject: Prepare new release v0.8.1. --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 4aa9f4f..fc658bf 100644 --- a/Changelog +++ b/Changelog @@ -28,7 +28,7 @@ lacme (0.8.1) upstream; - Makefile: replace '$(dir $@)' with '$(@D)'. - Test suite: Adjust against current Let's Encrypt staging environment. - -- Guilhem Moulin Mon, 22 Feb 2021 12:04:28 +0100 + -- Guilhem Moulin Wed, 25 Jan 2023 03:23:51 +0100 lacme (0.8.0) upstream; -- cgit v1.2.3
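Review bot: in the patch "If restricting access via umask() fails, don't include errno in the error message." the hunk `@@ -236,6 +236,8 @@ lacme (0.2) upstream;` puts the two added lines in the lacme (0.2) stanza, whose trailer is dated Sat, 03 Dec 2016, while every other entry in this series extends the lacme (0.8.1) stanza. Move the entry up into the 0.8.1 block so the Changelog does not attribute this change to the 0.2 release.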
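Review bot: in the patch "lacme: Return an error when the 'mode'/'chown' isn't a number." the added line `- lacme: return an error when the 'mode'/'chown' isn't a number.` names 'chown' where 'chmod' looks intended. The preceding patch makes 'mode' the alias for 'chmod', the commit message's oct("foobar") concern applies to a mode value, and the tests/cert-install entry describes chown(2) failing on an unknown user/group name, so 'chown' is not expected to be numeric. Suggest `'mode'/'chmod'` in both the entry and the subject.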
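Review bot: spelling in the second added line of the tests/drop-privileges hunk (index 8b90177..ae42df7): `priviliges` should be `privileges`. The misspelled line reappears as unchanged context in the two following hunks, so it is worth correcting in this patch.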
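Review bot: spelling in the first added line of the hunk with index f7f11f6..14add81, `+ lacme: add 'owner' resp. 'mode' as (prefered) alias for 'chown' resp.`: `prefered` should be `preferred`. The same spelling is in the commit subject.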
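Review bot: the entry added in the hunk with index d63c754..8bf0721 records only the convenience reason ("so it doesn't have to parse the INI file again") and omits the confidentiality reason given in the commit message, namely that everything in lacme.conf, comments included, would otherwise be readable by the client. Suggest adding a clause to that effect, and stating the ownership and mode the temporary JSON file is created with, since that file is what the client now reads.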
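Review bot: the added line `+ lacme-accountd: refuse to sign JWS with an invalid Protected Header.` (index faf32a8..da34ddc) does not say what "invalid" covers. The commit message cites RFC 7515 sec. 2 and RFC 8555 sec. 6.2 (a JSON object carrying "alg", "nonce", "url" and either "jwk" or "kid"); if those are the checks performed, naming them in the entry would tell operators which signing requests lacme-accountd now rejects.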