From fc117d6513dfa1e6287927a9b95ac0558eaea951 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 19 Feb 2017 13:21:38 +0100 Subject: config-cert: import the default section of files already read. --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 6f212b0..0336e5b 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,10 @@ +lacme (0.3) upstream; + + - When parsing config-cert files and directories (default "lacme-certs.conf + lacme-certs.conf.d"), import the default section of files read earlier. + + -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 + lacme (0.2) upstream; + Honor Retry-After headers for certificate issuance and challenge -- cgit v1.2.3 From bbbd329e9a1274d0a7bfb7b741894f5417b43538 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 19 Feb 2017 13:23:51 +0100 Subject: Ensure lacme's config file descriptor has the FD_CLOEXEC bit set. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 0336e5b..d9aacd0 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,8 @@ lacme (0.3) upstream; - When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier. + - Ensure lacme's config file descriptor is not passed to the accountd + or webserver components. -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 -- cgit v1.2.3 From de585094c458a36a387277544bda5f4004bbb03c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 19 Feb 2017 13:24:07 +0100 Subject: new-cert: sort section names if not passed explicitly. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index d9aacd0..a622a5d 100644 --- a/Changelog +++ b/Changelog
@@ -4,6 +4,7 @@ lacme (0.3) upstream; lacme-certs.conf.d"), import the default section of files read earlier. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. + - new-cert: sort section names if not passed explicitely. -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 -- cgit v1.2.3 From 84f6363da57ccc3a58fc72f60cf51ca70cea34f6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 19 Feb 2017 13:36:11 +0100 Subject: new-cert: new CLI option "min-days" --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index a622a5d..accd89c 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,8 @@ lacme (0.3) upstream; - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. + - new-cert: new CLI option "min-days" overriding the value found in + the configuration file. -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 -- cgit v1.2.3 From 23f051faf049e5020b81e6bf419e35f3d5054da2 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 22 Feb 2017 10:14:31 +0100 Subject: Changelog: prefix bugfixes with '+'. --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index accd89c..035451c 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,6 @@ lacme (0.3) upstream; - - When parsing config-cert files and directories (default "lacme-certs.conf + + When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. -- cgit v1.2.3 From 1426a858ae1c4da30f777110e1253fa36bac2b41 Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Wed, 22 Feb 2017 10:19:56 +0100 Subject: new-cert: mark basicConstraints and keyUsage x509v3 extensions as critical in the CSR. Boulder's issue #565 "Golang errors on extensions marked critical" was fixed upstream, cf. https://github.com/letsencrypt/boulder/issues/565 . --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 035451c..451eace 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,9 @@ lacme (0.3) upstream; - new-cert: sort section names if not passed explicitely. - new-cert: new CLI option "min-days" overriding the value found in the configuration file. + - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3 + extensions as critical in the CSR, following upstream fix of + Boulder's issue #565. -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 -- cgit v1.2.3 From f4af28d7e526bd56a78225daf84d11cdf96bd611 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 22 Feb 2017 10:51:08 +0100 Subject: new-cert: create certificate files atomically. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 451eace..b23191f 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ lacme (0.3) upstream; + When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier. + + new-cert: create certificate files atomically. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. -- cgit v1.2.3 From 944407621f313c15f6cfd53267da1ddbdaceec9f Mon Sep 17 00:00:00 2001 
From: Guilhem Moulin Date: Wed, 28 Jun 2017 17:19:46 +0200 Subject: webserver: allow listening to multiple addresses. (Useful when dual-stack IPv4/IPv6 is not supported.) Also, change the default to listen to a UNIX-domain socket . Moreover temporary iptables rules are no longer installed. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index b23191f..fdb0775 100644 --- a/Changelog +++ b/Changelog @@ -3,6 +3,13 @@ lacme (0.3) upstream; + When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier. + new-cert: create certificate files atomically. + + webserver: allow listening to multiple addresses (useful when + dual-stack IPv4/IPv6 is not supported). Listen to a UNIX-domain + socket by default . + + webserver: don't install temporary iptables by default. Hosts + without a public HTTP daemon listening on port 80 need to set the + 'listen' option to [::] and/or 0.0.0.0, and possibly set the + 'iptables' option to Yes. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. -- cgit v1.2.3 From 40a54d2ad35630b1c8a7cd88791db032a7983d4d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 28 Jun 2017 21:33:40 +0200 Subject: Change the default 'min-days' from 10 to 21. This avoids expiration notices from Let's Encrypt when auto-renewal is done by a cronjob: Let's Encrypt sends a notice 19 (then 9) days before expiration. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index fdb0775..0619ffd 100644 --- a/Changelog +++ b/Changelog 
@@ -10,6 +10,8 @@ lacme (0.3) upstream; without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. + + Change 'min-days' default from 10 to 21, to avoid expiration notices + from Let's Encrypt when auto-renewal is done by a cronjob. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. -- cgit v1.2.3 From 99902d8737cd01b2788ec51b06d314a36135be2c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 28 Jun 2017 22:11:04 +0200 Subject: Provide nginx configuration snippet. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 0619ffd..59d5153 100644 --- a/Changelog +++ b/Changelog @@ -12,6 +12,7 @@ lacme (0.3) upstream; 'iptables' option to Yes. + Change 'min-days' default from 10 to 21, to avoid expiration notices from Let's Encrypt when auto-renewal is done by a cronjob. + + Provide nginx configuration snippet. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. -- cgit v1.2.3
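Review bot: The fc117d6 hunk (`@@ -1,3 +1,10 @@`, "import the default section of files read earlier") does not say what wins when a later file's section sets an option that an earlier file's default section also set. With a `lacme-certs.conf.d` drop-in directory this is the precedence an operator needs to reason about (a drop-in can now inherit key/certificate paths and hook settings from files read before it), so the entry should state the read order and that a section-level value overrides an imported default, or whatever the actual rule is.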
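Review bot: The bbbd329 hunk (`@@ -2,6 +2,8 @@`) describes the effect ("is not passed to the accountd or webserver components") but not the mechanism given in the commit subject, FD_CLOEXEC; naming it in the Changelog lets packagers and auditors verify the fix with a quick look at the spawned components' open descriptors. Since this closes a descriptor leak into the privilege-separated accountd and webserver processes it is a fix rather than a feature, so it should carry the '+' prefix that the later 23f051f hunk introduces for bugfixes; as the series stands only the config-cert entry is reclassified and this one keeps '-'.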
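Review bot: The 23f051f hunk (`@@ -1,6 +1,6 @@`, "prefix bugfixes with '+'") introduces a marker convention that the Changelog itself never explains, and the later hunks do not apply it consistently: "Provide nginx configuration snippet" and "webserver: allow listening to multiple addresses" are added with '+' although they are not bugfixes, while the FD_CLOEXEC entry stays at '-'. Add a one-line legend at the top of the file (what '+' and '-' mean) and reclassify the entries accordingly, otherwise the prefixes convey nothing to a reader deciding whether an upgrade is a security fix.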
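Review bot: The 1426a85 hunk (`@@ -7,6 +7,9 @@`, critical basicConstraints and keyUsage in the CSR) should list which keyUsage bits are requested and make clear that the critical flag is only a property of the CSR: the CA decides which extensions end up in the issued certificate, so marking them critical in the request does not constrain the result. Since the commit message says Boulder used to error on critical extensions (issue #565) until it was fixed upstream, the entry should also note that a deployment talking to an older Boulder will get that error back, so operators of private ACME endpoints know what to expect.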
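Review bot: The f4af28d hunk (`@@ -2,6 +2,7 @@`, "create certificate files atomically") should say how atomicity is achieved, e.g. "write to a temporary file in the target directory, then rename(2)", and that ownership and mode are applied to the temporary file before the rename so no reader ever sees a partially written or wrongly permissioned file. Without that, "atomically" tells a reviewer nothing about the window that was closed.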
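Review bot: The 9444076 hunk (`@@ -3,6 +3,13 @@`) is a behaviour change that breaks existing installs: a host that renewed via the old temporary iptables rules will start failing its HTTP challenges after upgrading unless 'listen' and 'iptables' are set, so the entry should be marked as an upgrade note rather than buried mid-list. Two wording points in the same hunk: "don't install temporary iptables by default" is missing the noun ("iptables rules"), and "Listen to a UNIX-domain socket by default ." has a stray space before the period where the socket path appears to have dropped out; give the path, and state the socket's owner and mode, since the front-end HTTP daemon must be able to connect to it.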
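Review bot: The 40a54d2 hunk (`@@ -10,6 +10,8 @@`, 'min-days' default 10 to 21) gives the goal but not the figures that justify 21; the commit message cites Let's Encrypt notices sent 19 and then 9 days before expiry, and moving that into the entry ("renew when fewer than 21 days remain, ahead of the 19-day notice") lets an operator pick a cron interval that keeps the renewal attempt before the notice threshold.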