From 647d28bf9b8da2ce47a888aad71ab5264eea6c6d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 18:28:03 +0100 Subject: lacme: delay webserver socket shutdown. To after the process has terminated. This solves a race condition spewing accept: Invalid argument at /usr/libexec/lacme/webserver line 80. (harmless) errors. Closes: deb#970458 --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 13db236..a565440 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,10 @@ +lacme (0.7.1) upstream; + + - lacme: delay webserver socket shutdown to after the process has + terminated. + + -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 + lacme (0.7) upstream; * Breaking change: the certificate indicated by 'CAfile' is no longer -- cgit v1.2.3 From c93443364ce23ced97a80bfda8f8bb35ec19fcdb Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:02:44 +0100 Subject: documentation: suggest to generate private key material with genpkey(1ssl). * Also suggest a command to generate an ECDSA key not just RSA. * Hint at which key algorithms are supported. --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index a565440..39df738 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ lacme (0.7.1) upstream; - lacme: delay webserver socket shutdown to after the process has terminated. + - documentation: suggest to generate private key material with + genpkey(1ssl); also suggest a command to generate an ECDSA key not + just RSA; hint at which key algorithms are supported. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From e8980fb172221cbffd7fa672d65da0a806524e72 Mon Sep 17 00:00:00 2001 
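Review bot: The new 0.7.1 entry in the first hunk ("lacme: delay webserver socket shutdown to after the process has terminated.") drops the two facts a user hitting this problem would search for: the symptom quoted in the commit message ("accept: Invalid argument at /usr/libexec/lacme/webserver line 80") and the bug reference "Closes: deb#970458". Suggest appending them, e.g. "... terminated; fixes harmless 'accept: Invalid argument' errors (deb#970458)." Also note that the trailer "-- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100" is written here at the first entry and, judging by the later commits in this series (dated Feb 2021) that add entries above it, is never refreshed; it needs updating when the release is actually cut.

Review bot: In the second hunk ("documentation: suggest to generate private key material with genpkey(1ssl) ..."), "hint at which key algorithms are supported" is too vague for a changelog: name the supported algorithms (the commit message only mentions RSA and ECDSA) and say whether the ECDSA command applies to the account key, the certificate key, or both. Style: "suggest generating" rather than "suggest to generate".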
From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:36:06 +0100 Subject: documentation: clarify that "file:/path/to/account.key" can point to a symmetrically-encrypted private key. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 39df738..a2cd0bb 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,8 @@ lacme (0.7.1) upstream; - documentation: suggest to generate private key material with genpkey(1ssl); also suggest a command to generate an ECDSA key not just RSA; hint at which key algorithms are supported. + - documentation: clarify that "file:/path/to/account.key" can point to + a symmetrically-encrypted private key. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 79edb6eea5e009e5b49876728f7477a8524e98ec Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 19:51:56 +0100 Subject: documentation: emphasize default values in the config file. Also, move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index a2cd0bb..f94e81e 100644 --- a/Changelog +++ b/Changelog @@ -7,6 +7,9 @@ lacme (0.7.1) upstream; just RSA; hint at which key algorithms are supported. - documentation: clarify that "file:/path/to/account.key" can point to a symmetrically-encrypted private key. + - documentation: emphasize default values in the config file, and move + the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to + the default section. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 61e4ad1347f51a84400cbf87633cc99f657f9ad7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:28:46 +0100 Subject: Make unprivileged user/group for the internal client resp. webserver configurable. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') 
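Review bot: First hunk ("file:/path/to/account.key" can point to a symmetrically-encrypted private key): the entry should say how the passphrase is supplied (interactive prompt, agent, or otherwise), because that decides whether an encrypted account key is usable from cron- or timer-driven renewals. One clause in the entry would pre-empt the question.

Review bot: Second hunk (move 'hash', 'keyUsage', 'CAfile', 'min-days' to the default section): moving options between sections can silently change the effective configuration for users who already override one of them per certificate; state explicitly that per-section values still take precedence over the default section (or, if they don't, that this is a behaviour change).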
diff --git a/Changelog b/Changelog index f94e81e..a9f137e 100644 --- a/Changelog +++ b/Changelog @@ -1,5 +1,7 @@ lacme (0.7.1) upstream; + * Unprivileged user/group for the internal client resp. webserver are + now configurable at install time. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From 0f574f73182491fe793fcdfce6632372fab4d5c3 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 21:47:54 +0100 Subject: lacme: new flag `--force`. Which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates. --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index a9f137e..4168e58 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ lacme (0.7.1) upstream; * Unprivileged user/group for the internal client resp. webserver are now configurable at install time. + * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e., + forces renewal regardless of the expiration date of existing + certificates. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From 8c70ba081e9892217510b6b01f0402482161ef84 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:11:01 +0100 Subject: Raise client timeout from 10 to 30s. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 4168e58..edf1d95 100644 --- a/Changelog +++ b/Changelog @@ -15,6 +15,7 @@ lacme (0.7.1) upstream; - documentation: emphasize default values in the config file, and move the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. + - Raise client timeout from 10 to 30s. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 
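Review bot: First hunk ("Unprivileged user/group for the internal client resp. webserver are now configurable at install time."): the entry does not say where the knob lives. Name the Makefile variables or the install-time mechanism so packagers can find it without grepping the Makefile. Style: "resp." is uncommon in English changelogs; "for the internal client and webserver, respectively" reads better.

Review bot: Second hunk (`--force` aliasing `--min-days=-1`): since the flag "forces renewal regardless of the expiration date of existing certificates", add a sentence that it is meant for one-off, interactive use and must not go into the scheduled renewal job, otherwise every run requests a fresh certificate from the CA.

Review bot: Third hunk ("Raise client timeout from 10 to 30s."): say which timeout this is (the connection to the ACME server or to the accountd socket; connect or read) and whether it is configurable. "client timeout" is ambiguous when the client talks to both. Minor: "30 seconds" or "30 s" rather than "30s".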
From b54d248515357297d84a01cf45a42a6787c21240 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:06:43 +0100 Subject: Replace Types::Serialiser::true with JSON::true. This removes the dependency on Types::Serialiser. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index edf1d95..269d246 100644 --- a/Changelog +++ b/Changelog @@ -16,6 +16,7 @@ lacme (0.7.1) upstream; the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the default section. - Raise client timeout from 10 to 30s. + - Remove dependency on Types::Serialiser. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 49d90dbaf471931f85f9e97bc57ddc0fde1f2fb7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 12 Feb 2021 22:26:33 +0100 Subject: client: fail immediately when the accountd is unreachable. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 269d246..34ace54 100644 --- a/Changelog +++ b/Changelog @@ -17,6 +17,7 @@ lacme (0.7.1) upstream; the default section. - Raise client timeout from 10 to 30s. - Remove dependency on Types::Serialiser. + - client: fail immediately when the accountd is unreachable. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From a903ea92dd736c560d21fe45063d4914765fa173 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 17:01:17 +0100 Subject: challenge-directory now needs to be set to an *existing* directory. Since lacme(8) spawns a builtin webserver by default the change doesn't affect default configurations. See https://bugs.debian.org/970800 for the rationale. --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 34ace54..39249b4 100644 --- a/Changelog +++ b/Changelog 
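Review bot: First hunk ("Remove dependency on Types::Serialiser."): the commit message explains the replacement (JSON::true); the entry could say "in favour of JSON::true" so packagers know the JSON module remains the only requirement for this.

Review bot: Second hunk ("client: fail immediately when the accountd is unreachable."): document the resulting exit status and whether the failure happens before any ACME request is sent; a wrapper script may depend on both. One clause suffices.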
@@ -1,5 +1,12 @@ lacme (0.7.1) upstream; + * Breaking change: 'challenge-directory' now needs to be set to an + *existing* directory (writable by the lacme client user). Since + lacme(8) spawns a builtin webserver by default the change doesn't + affect default configurations. + Thanks to Benjamin Tietz for the idea and initial patch. + * Breaking change: the 'iptables' option is now ignored unless the + builtin webserver is used. * Unprivileged user/group for the internal client resp. webserver are now configurable at install time. * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e., -- cgit v1.2.3 From 956764d11c9445c835f992a782d90d8de90fe565 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 20:40:29 +0100 Subject: Improve nginx/apache2 snippets for direct serving of challenge files. With the new 'challenge-directory' logic symlinks can be disabled. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 39249b4..72e4be6 100644 --- a/Changelog +++ b/Changelog @@ -12,6 +12,8 @@ lacme (0.7.1) upstream; * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates. + + Improve nginx/apache2 snippets for direct serving of challenge files + (with the new 'challenge-directory' logic symlinks can be disabled). - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From 2c1a396728a381685923f7b1c4dea53d225112fc Mon Sep 17 00:00:00 2001 
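Review bot: First hunk (two "Breaking change" entries: 'challenge-directory' must be an existing directory writable by the lacme client user; 'iptables' ignored unless the builtin webserver is used): two breaking changes in a release labelled "0.7.1" is inconsistent with the project's own history visible on this page, where the previous breaking change ('CAfile') shipped in 0.7; consider 0.8 rather than a patch-level version. Also, "writable by the lacme client user" invites a hint on the expected ownership and mode of the directory: a directory that is writable by more than the client user lets any local account plant files that the web server will serve under /.well-known/acme-challenge/.

Review bot: Second hunk ("Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled)."): state the benefit rather than the mechanism, i.e. that the served directory no longer needs symlink following, so a symlink planted there cannot be followed out of it. "symlinks can be disabled" alone reads as a neutral configuration detail rather than the hardening it is.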
From: Guilhem Moulin Date: Sun, 14 Feb 2021 22:59:11 +0100 Subject: Add (self-signed) ISRG Roots to the CA bundle. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options). --- Changelog | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 72e4be6..7cef63c 100644 --- a/Changelog +++ b/Changelog @@ -12,6 +12,13 @@ lacme (0.7.1) upstream; * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e., forces renewal regardless of the expiration date of existing certificates. + * Remove decomissioned intermediate CAs Authority X3 and X4 from the + bundle. + * Remove cross-signed intermediate CAs from the bundle and add the + (self-signed) ISRG Root X1 and X2 instead. This allows us to fully + validate provided X.509 chains using that self-contained bundle, + regardless of which CAs is marqued as trusted under /etc/ssl/certs. + This change bumps the minimum OpenSSL version to 1.1.0. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). - lacme: delay webserver socket shutdown to after the process has -- cgit v1.2.3 From f62a66c6ce82d9a1af241dc3952250362e601d45 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 23:46:40 +0100 Subject: Add support for TLS Feature extension from RFC 7633. This is mostly useful for OCSP Must-Staple. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') 
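Review bot: Typos in the added lines: "decomissioned" → "decommissioned" and "marqued" → "marked"; also "regardless of which CAs is marqued as trusted" → "regardless of which CAs are marked as trusted". The entry says the change bumps the minimum OpenSSL version to 1.1.0 but not why; the commit message has the reason (verify(1ssl)'s '-trusted' and '-show_chain' options) and it belongs in the entry so a packager on an older OpenSSL understands the failure. Finally, a self-contained bundle means the project now owns root rotation: say that ISRG Root X1/X2 must be kept current in the shipped bundle rather than inherited from /etc/ssl/certs, since the whole point of the change is that the system store is no longer consulted.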
diff --git a/Changelog b/Changelog index 7cef63c..a622803 100644 --- a/Changelog +++ b/Changelog @@ -21,6 +21,8 @@ lacme (0.7.1) upstream; This change bumps the minimum OpenSSL version to 1.1.0. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + + Add support for TLS Feature extension from RFC 7633; this is mostly + useful for OCSP Must-Staple. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From c75bc6c37840b8fc2c57424d24c06a0bfe399de6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 16 Feb 2021 01:06:01 +0100 Subject: client: use "lacme-client/$VERSION" as User-Agent header. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index a622803..efefb1e 100644 --- a/Changelog +++ b/Changelog @@ -23,6 +23,7 @@ lacme (0.7.1) upstream; (with the new 'challenge-directory' logic symlinks can be disabled). + Add support for TLS Feature extension from RFC 7633; this is mostly useful for OCSP Must-Staple. + + client: use "lacme-client/$VERSION" as User-Agent header. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From 2efd4458f4db7f489ecc81f4039b8e8103edf9d9 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 16 Feb 2021 17:24:31 +0100 Subject: Don't load configuration files from ./ by default. This is a breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. Doing so has security implications when running these program from insecure directories. --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index efefb1e..2ccb0e1 100644 --- a/Changelog 
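Review bot: First hunk ("Add support for TLS Feature extension from RFC 7633; this is mostly useful for OCSP Must-Staple."): say which option turns it on, and add the operational caveat that a Must-Staple certificate served by a web server that does not staple reliably is hard-failed by clients honouring the extension. A changelog reader who enables this needs that warning more than the RFC number.

Review bot: Second hunk ("client: use "lacme-client/$VERSION" as User-Agent header."): fine as is. RFC 8555 section 6.1 requires ACME clients to send a User-Agent naming the client software and version, so the entry could cite it as the motivation.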
+++ b/Changelog @@ -19,6 +19,9 @@ lacme (0.7.1) upstream; validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. This change bumps the minimum OpenSSL version to 1.1.0. + * Breaking change: lacme(8) resp. lacme-accountd(1) no longer consider + ./lacme.conf resp. ./lacme-accountd.conf as default location for the + configuration file. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Add support for TLS Feature extension from RFC 7633; this is mostly -- cgit v1.2.3 From bddbc17b87f3de29657f1dd2b9a065901e955c15 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 11:34:33 +0100 Subject: Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 2ccb0e1..51f9728 100644 --- a/Changelog +++ b/Changelog @@ -40,6 +40,8 @@ lacme (0.7.1) upstream; - Raise client timeout from 10 to 30s. - Remove dependency on Types::Serialiser. - client: fail immediately when the accountd is unreachable. + - Makefile: set executable bit for $(bindir)/lacme-accountd and + $(sbindir)/lacme. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 0ca64b6236f8fe767181214a97d8428d473b8e32 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 11:36:49 +0100 Subject: client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings. When the accountd socket can't be reached. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 51f9728..ac8102c 100644 --- a/Changelog +++ b/Changelog 
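Review bot: First hunk ("Breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file."): the commit message gives the security rationale (loading configuration from the current, possibly untrusted, directory) but the entry only states the behaviour change. Add the reason, e.g. "(loading configuration from the current working directory is unsafe when the program is run from an untrusted directory)", so users who relied on ./lacme.conf understand why it was removed instead of working around it. "as default location" → "as the default location".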
@@ -42,6 +42,8 @@ lacme (0.7.1) upstream; - client: fail immediately when the accountd is unreachable. - Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. + - client: avoid "Use of uninitialized value in pattern match (m//)" + perl warnings when the accountd socket can't be reached. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 3a5c3f0596398d64bb34498f40becbcd32ffa5de Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 11:42:18 +0100 Subject: Consolidate error messages for consistency. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index ac8102c..cda155f 100644 --- a/Changelog +++ b/Changelog @@ -27,6 +27,7 @@ lacme (0.7.1) upstream; + Add support for TLS Feature extension from RFC 7633; this is mostly useful for OCSP Must-Staple. + client: use "lacme-client/$VERSION" as User-Agent header. + + Consolidate error messages for consistency. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From 4886d0dd6c77d029209cc09a9e15a89ffb23b9fc Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 19:03:00 +0100 Subject: Sanitize environment when spawning children. Set $HOME, $USER, $SHELL, $PATH, $LOGNAME to appropriate values (and perserve $TERM), which matches the login(1) behavior. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index cda155f..019c076 100644 --- a/Changelog +++ b/Changelog 
@@ -28,6 +28,8 @@ lacme (0.7.1) upstream; useful for OCSP Must-Staple. + client: use "lacme-client/$VERSION" as User-Agent header. + Consolidate error messages for consistency. + + Sanitize environment when spawning the lacme client, webserver and + accountd. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From d6f008f8a3a9724e5acbcb8b9df29304279f4106 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 20:54:19 +0100 Subject: Split Nginx and Apapche2 static configuration snippets into seperate files. That way users prefering that over reverse-proxying can just source/enable the relevant files without having to uncomment anything. --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 019c076..35503e9 100644 --- a/Changelog +++ b/Changelog @@ -24,6 +24,10 @@ lacme (0.7.1) upstream; configuration file. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + + Split Nginx and Apapche2 static configuration snippets into seperate + files. That way users prefering that over reverse-proxying can just + source/enable the relevant files without having to uncomment + anything. + Add support for TLS Feature extension from RFC 7633; this is mostly useful for OCSP Must-Staple. + client: use "lacme-client/$VERSION" as User-Agent header. -- cgit v1.2.3 From 044a4cb8b4ba06c6355c5e9978cd5dbfe9df94b2 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 23:15:03 +0100 Subject: webserver: reopen stdin from /dev/null. Having both lacme(8) and its webserver component reading from the same standard input could yield starvation. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 35503e9..c476ee1 100644 --- a/Changelog +++ b/Changelog 
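Review bot: First hunk ("Sanitize environment when spawning the lacme client, webserver and accountd."): list what is set and what is preserved; the commit message does ($HOME, $USER, $SHELL, $PATH and $LOGNAME set to login(1)-like values, $TERM preserved). Anyone relying on environment variables reaching the client (proxy settings, for instance) needs to know they are now dropped. In the commit message, "perserve" → "preserve".

Review bot: Second hunk: typos in the added lines, "Apapche2" → "Apache2", "seperate" → "separate", "prefering" → "preferring"; the first two are also in the commit subject.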
@@ -51,6 +51,7 @@ lacme (0.7.1) upstream; $(sbindir)/lacme. - client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings when the accountd socket can't be reached. + - webserver: reopen stdin from /dev/null. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 2e455335a9e8aa9aaace98bc4d61f53a2c93b930 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 23:19:51 +0100 Subject: Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge directory. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index c476ee1..5dd416a 100644 --- a/Changelog +++ b/Changelog @@ -52,6 +52,8 @@ lacme (0.7.1) upstream; - client: avoid "Use of uninitialized value in pattern match (m//)" perl warnings when the accountd socket can't be reached. - webserver: reopen stdin from /dev/null. + - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME + challenge directory. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 32c27cecbe7ab3bdf0cbc984c50b37fbe231e79d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 23:34:08 +0100 Subject: Set the DEBUG environment variable to 0/1 instead of ""/1. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 5dd416a..0f9b6ca 100644 --- a/Changelog +++ b/Changelog @@ -54,6 +54,7 @@ lacme (0.7.1) upstream; - webserver: reopen stdin from /dev/null. - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge directory. + - Set the DEBUG environment variable to 0/1 instead of ""/1. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From d72df441f86f759bf143df745ff13fd9b90597bf Mon Sep 17 00:00:00 2001 
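Review bot: First hunk ("webserver: reopen stdin from /dev/null."): the commit message has the rationale (lacme(8) and its webserver reading the same standard input could starve each other); add it to the entry, a bare "reopen stdin from /dev/null" reads like noise to a user.

Review bot: Second hunk ("Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge directory."): say where the temporary directory is created (under 'challenge-directory'?) and with which permissions; the template alone does not tell the reader anything actionable. Third hunk (DEBUG 0/1) is fine.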
From: Guilhem Moulin Date: Wed, 17 Feb 2021 23:53:31 +0100 Subject: Split client/webserver/accountd commands on whitespace. This doesn't change the default behavior. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 0f9b6ca..68a1f83 100644 --- a/Changelog +++ b/Changelog @@ -22,6 +22,8 @@ lacme (0.7.1) upstream; * Breaking change: lacme(8) resp. lacme-accountd(1) no longer consider ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. + * The client, webserver, and accountd commands are now split on + whitespace. This doesn't change the default behavior. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From 42a8f9813716ed3495b6f49edea429b127eef0f0 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 00:49:46 +0100 Subject: accountd: replace internal option --conn-fd=FD with flag --stdio. Using stdin/stdout makes it possible to tunnel the accountd connection through ssh. --- Changelog | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 68a1f83..4d18b38 100644 --- a/Changelog +++ b/Changelog 
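Review bot: Hunk ("The client, webserver, and accountd commands are now split on whitespace. This doesn't change the default behavior."): splitting on whitespace means a path containing spaces can no longer be used in those options unless some quoting is supported; the entry should say so, since "doesn't change the default behavior" hides the regression for non-default configurations.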
@@ -23,7 +23,9 @@ lacme (0.7.1) upstream; ./lacme.conf resp. ./lacme-accountd.conf as default location for the configuration file. * The client, webserver, and accountd commands are now split on - whitespace. This doesn't change the default behavior. + whitespace. This doesn't change the default behavior but allows + using `ssh -T lacme@account.example.net lacme-accountd` to spawn a + remote lacme-accountd server for instance. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate @@ -36,6 +38,9 @@ lacme (0.7.1) upstream; + Consolidate error messages for consistency. + Sanitize environment when spawning the lacme client, webserver and accountd. + + accountd: replace internal option --conn-fd=FD with flag --stdio. + Using stdin/stdout makes it possible to tunnel the accountd + connection through ssh. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From baa7c25db322a9472c9155422057ec56aa93f439 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 19 Feb 2021 00:06:49 +0100 Subject: Use File::Basename::dirname(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To correctly extract the parent directory of the socket path. The previous returned an empty string when the socket path didn't contain ‘/’. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 4d18b38..5bca11e 100644 --- a/Changelog +++ b/Changelog 
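Review bot: First hunk (the `ssh -T lacme@account.example.net lacme-accountd` example): this is the key use case, so say what it buys: the account private key stays on the remote host and the local client only obtains signatures over the tunnel. Second hunk ("accountd: replace internal option --conn-fd=FD with flag --stdio."): renaming an option is visible to anyone who scripted it even if it was internal, so keep the "internal" qualifier, and mention that the remote account used over ssh should be restricted to that command (the later "Document `lacme-accountd --stdio`" commit on this page covers the authorized_keys(5) side; a cross-reference here would help).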
@@ -62,6 +62,8 @@ lacme (0.7.1) upstream; - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME challenge directory. - Set the DEBUG environment variable to 0/1 instead of ""/1. + - Use File::Basename::dirname() to correctly extract the parent + directory of the socket path. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 11d971bc07ceb4359565e6611ae03a0c0134d153 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 19 Feb 2021 23:22:15 +0100 Subject: Add test suite against Let's Encrypt's staging environment. https://letsencrypt.org/docs/staging-environment/ --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 5bca11e..9e58239 100644 --- a/Changelog +++ b/Changelog @@ -26,6 +26,8 @@ lacme (0.7.1) upstream; whitespace. This doesn't change the default behavior but allows using `ssh -T lacme@account.example.net lacme-accountd` to spawn a remote lacme-accountd server for instance. + * Add test suite against Let's Encrypt's staging environment + https://letsencrypt.org/docs/staging-environment/ . + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From 1c4fc8c431e69780625600a4ee8526e1a3cbb3f4 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 01:04:45 +0100 Subject: lacme(8)'s 'config' option in the [accountd] section no longer have a default value. The previous default, namely /etc/lacme/lacme-accountd.conf, is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file. --- Changelog | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 9e58239..a700625 100644 --- a/Changelog +++ b/Changelog 
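Review bot: Second hunk ("Add test suite against Let's Encrypt's staging environment https://letsencrypt.org/docs/staging-environment/ ."): the URL line ends with " ." (space before the period); drop the space or enclose the URL in angle brackets. Also state whether the suite runs by default under the build's test target or must be opted in, since it needs network access and a staging account and would fail in offline package builds.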
@@ -28,6 +28,10 @@ lacme (0.7.1) upstream; remote lacme-accountd server for instance. * Add test suite against Let's Encrypt's staging environment https://letsencrypt.org/docs/staging-environment/ . + * lacme(8)'s 'config' option in the [accountd] section no longer have a + default value. The previous default /etc/lacme/lacme-accountd.conf + is still honored when there is the user running lacme doesn't have a + ~/.config/lacme/lacme-account.conf configuration file. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From ad1856777bf108826008b60a1e70c1e3fbb94ec7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 01:14:23 +0100 Subject: Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. One need to use the lacme-accountd(1) configuration file for that instead. --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index a700625..abdb3ef 100644 --- a/Changelog +++ b/Changelog @@ -32,6 +32,9 @@ lacme (0.7.1) upstream; default value. The previous default /etc/lacme/lacme-accountd.conf is still honored when there is the user running lacme doesn't have a ~/.config/lacme/lacme-account.conf configuration file. + * Deprecate setting 'privkey' in [accountd] section of the lacme(8) + configuration file. One need to use the lacme-accountd(1) + configuration file for that instead. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From 8de74ffb4a2008a61c05e9a24c8fa9b14858d2be Mon Sep 17 00:00:00 2001 
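Review bot: First hunk: "no longer have a default value" → "no longer has a default value", and "is still honored when there is the user running lacme doesn't have a ..." is garbled (a later commit on this page rewrites it to "is still honored when root privileges are preserved (the default)"). The file name also disagrees with the rest of the entry: "~/.config/lacme/lacme-account.conf" here versus "lacme-accountd.conf" everywhere else; one of them is a typo. Second hunk: "One need to use" → "One needs to use"; also say whether a 'privkey' in the [accountd] section still works with a warning or is now ignored, since "Deprecate" leaves both readings open.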
From: Guilhem Moulin Date: Fri, 19 Feb 2021 18:31:20 +0100 Subject: Remove dependency on List::Util (core module). --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index abdb3ef..8952ba6 100644 --- a/Changelog +++ b/Changelog @@ -50,6 +50,7 @@ lacme (0.7.1) upstream; + accountd: replace internal option --conn-fd=FD with flag --stdio. Using stdin/stdout makes it possible to tunnel the accountd connection through ssh. + + Remove dependency on List::Util (core module). - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From 0ef94d85e58497dcb2c4c954cadcac918032467a Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 21:07:01 +0100 Subject: Add %-specifiers support. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore. --- Changelog | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 8952ba6..966b0b0 100644 --- a/Changelog +++ b/Changelog 
@@ -19,9 +19,16 @@ lacme (0.7.1) upstream; validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. This change bumps the minimum OpenSSL version to 1.1.0. - * Breaking change: lacme(8) resp. lacme-accountd(1) no longer consider - ./lacme.conf resp. ./lacme-accountd.conf as default location for the - configuration file. + * Breaking change: lacme(8) and lacme-accountd(1) respectively load + their configuration file from /etc/lacme/lacme.conf resp. + /etc/lacme/lacme-accountd.conf when running as root, and + $XDG_CONFIG_HOME/lacme/lacme.conf resp. + $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal + user. There is no fallback to /etc anymore, and the lookup in the + current directory as prefered choice is removed too. However + lacme-accountd(1) can be used without configuration file under + ~/.config/lacme as it treats a non-existent default location as an + empty file. * The client, webserver, and accountd commands are now split on whitespace. This doesn't change the default behavior but allows using `ssh -T lacme@account.example.net lacme-accountd` to spawn a 
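Review bot: Hunk: "prefered" → "preferred". The entry names $XDG_CONFIG_HOME/lacme/... as the location but then says lacme-accountd(1) can be used without configuration file "under ~/.config/lacme"; make the two agree by stating the fallback explicitly (per the XDG Base Directory specification, ~/.config is used when $XDG_CONFIG_HOME is unset or empty). Also, "treats a non-existent default location as an empty file" is stated for lacme-accountd(1) only; say whether lacme(8) errors out when its default configuration file is missing, since that is the more surprising of the two for users upgrading from a ./lacme.conf setup.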
@@ -30,11 +37,17 @@ lacme (0.7.1) upstream; https://letsencrypt.org/docs/staging-environment/ . * lacme(8)'s 'config' option in the [accountd] section no longer have a default value. The previous default /etc/lacme/lacme-accountd.conf - is still honored when there is the user running lacme doesn't have a - ~/.config/lacme/lacme-account.conf configuration file. + is still honored when root privileges are preserved (the default). * Deprecate setting 'privkey' in [accountd] section of the lacme(8) configuration file. One need to use the lacme-accountd(1) configuration file for that instead. + * lacme(8): add %-specifiers support for --config=, --socket=, + --config-certs= (and 'socket'/'config-certs'/'challenge-directory' + configuration options *before* privilege drop; and for the [accountd] + section 'command'/'config' configuration options *after* privilege + drop). + * lacme-accountd(1): add %-specifiers support for --config=, --socket= + and --privkey= (and 'socket'/'privkey' configuration options). + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From 8e612e071b8c0fc99ebf91673f53ca5f0d6bdd11 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 20 Feb 2021 19:56:15 +0100 Subject: Document `lacme-accountd --stdio`. It's an internal flag, but can be useful for authorized_keys(5) restrictions. --- Changelog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 966b0b0..baf67b9 100644 --- a/Changelog +++ b/Changelog 
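Review bot: The %-specifiers entries (the two new "lacme(8): add %-specifiers support ..." and "lacme-accountd(1): add %-specifiers support ..." blocks) list where specifiers are expanded but not which specifiers exist; name them or point to the manual section. The before/after privilege-drop distinction is the security-relevant part and deserves one more sentence: say whose values are substituted in each case (the invoking root user's before the drop, the unprivileged user's after), so that a specifier referring to the user or home directory, if one is provided, does not resolve to an unexpected path in 'challenge-directory' or 'socket'.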
@@ -62,7 +62,8 @@ lacme (0.7.1) upstream; accountd. + accountd: replace internal option --conn-fd=FD with flag --stdio. Using stdin/stdout makes it possible to tunnel the accountd - connection through ssh. + connection through ssh. The new flag is documented to allow safe + usage is authorized_keys(5) restrictions. + Remove dependency on List::Util (core module). - lacme: delay webserver socket shutdown to after the process has terminated. -- cgit v1.2.3 From cf3d42c066d2f54d4a57aa38907a7c6c7d06aeb6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 16 Feb 2021 00:00:40 +0100 Subject: lacme-accountd(1): base64url-decode incoming signature requests. Before printing them to the standard error. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index baf67b9..c69d0d0 100644 --- a/Changelog +++ b/Changelog @@ -48,6 +48,8 @@ lacme (0.7.1) upstream; drop). * lacme-accountd(1): add %-specifiers support for --config=, --socket= and --privkey= (and 'socket'/'privkey' configuration options). + * lacme-accountd(1): base64url-decode incoming signature requests shown + in messages to the standard error. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From 74c0a11722cf1e01b9a9834e89a07b55eaf01080 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 20 Feb 2021 22:05:18 +0100 Subject: lacme-accountd: new setting 'logfile' to log signature requests. Prefixed with a timestamp. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index c69d0d0..e6becda 100644 --- a/Changelog +++ b/Changelog 
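Review bot: in the --stdio hunk, "allow safe usage is authorized_keys(5) restrictions" should be "usage in", and since the commit message says the flag exists for authorized_keys(5) restrictions, the entry would be more useful if it named the intended form, i.e. a forced command such as `command="lacme-accountd --stdio",restrict ssh-ed25519 ...` so the key can only ever reach the signing daemon. For the base64url-decoding hunk, one check: the decoding must apply only to the copy shown on standard error, and the bytes handed to the signing routine must remain the raw base64url input from the client; decoding and re-encoding is not guaranteed to be byte-identical for non-canonical input, and a signature computed over re-encoded data would not verify against what the client sends to the ACME server. If that is already the case, saying "for display" in the entry makes it clear.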
@@ -50,6 +50,8 @@ lacme (0.7.1) upstream; and --privkey= (and 'socket'/'privkey' configuration options). * lacme-accountd(1): base64url-decode incoming signature requests shown in messages to the standard error. + * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming + signature requests to a file. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From ba6addf54cef0b1536dc87c42a41b4dc207ac884 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 21 Feb 2021 14:27:50 +0100 Subject: accountd: Pass JWA and JWK thumbprint via extended greeting data. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Passing the JWA to the ACME client is required if we want to support account keys other than RSA. As of 0.7 both lacme-accountd(1) and lacme(8) hardcode “RS256” (SHA256withRSA per RFC 7518 sec. A.1). Passing the JWK thumbprint is handy as it gives more flexibility if RFC 8555 sec. 8.1 were to be updated with another digest algorithm (it's currently hardcoded to SHA-256). A single lacme-account(1) instance might be used to sign requests from many clients, and it's easier to upgrade a single ‘lacme-accountd’ than many ‘lacme’. Moreover, in some restricted environments lacme-accountd might hide the JWK from the client to prevent ‘newAccount’ requests (such as contact updates); passing its thumbprint is enough for ‘newOrder’ requests. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index e6becda..ffd9536 100644 --- a/Changelog +++ b/Changelog 
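Review bot: the 'logfile' entry should state the file's creation mode and whether it is opened in append mode, because lacme-accountd runs as the account-key holder and this file becomes an audit trail of every signature it issued; it should also say whether 'logfile' supports the %-specifiers just added for 'socket' and 'privkey', and whether logging to a file replaces or supplements the standard-error messages from the previous entry. The commit message mentions that each request is prefixed with a timestamp; that detail belongs in the Changelog too, since it is what makes the log usable to correlate a signature with a client's activity.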
@@ -69,6 +69,8 @@ lacme (0.7.1) upstream; connection through ssh. The new flag is documented to allow safe usage is authorized_keys(5) restrictions. + Remove dependency on List::Util (core module). + + accountd: Pass JWA and JWK thumbprint via extended greeting data. + This gives better forward flexibility. - lacme: delay webserver socket shutdown to after the process has terminated. - documentation: suggest to generate private key material with -- cgit v1.2.3 From 9898b1877ce2973bbc336921969bd7f16d3698fa Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 21 Feb 2021 18:49:14 +0100 Subject: lacme-accountd(1): new setting 'keyid'. This saves a round trip and provides a safeguard against malicious clients. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index ffd9536..9c606fe 100644 --- a/Changelog +++ b/Changelog @@ -52,6 +52,8 @@ lacme (0.7.1) upstream; in messages to the standard error. * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming signature requests to a file. + * lacme-accountd(1): new setting 'keyid' to easily revoke all account + management access from the client. + Improve nginx/apache2 snippets for direct serving of challenge files (with the new 'challenge-directory' logic symlinks can be disabled). + Split Nginx and Apapche2 static configuration snippets into seperate -- cgit v1.2.3 From ed85b6a6740028ce9ce821975a534f696eabd8ed Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 22 Feb 2021 01:04:58 +0100 Subject: client: Print Terms of Service URL for 'account' command. --- Changelog | 1 + 1 file changed, 1 insertion(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 9c606fe..a402207 100644 --- a/Changelog +++ b/Changelog 
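Review bot: "This gives better forward flexibility" in the greeting hunk is too vague for a protocol change between lacme(8) and lacme-accountd(1); the commit message has the concrete reasons and they should be in the entry: the JWA is no longer hardcoded to RS256 on both sides, so non-RSA account keys become possible, and passing the JWK thumbprint lets accountd withhold the JWK itself so a client can issue newOrder requests but not newAccount ones. The entry should also state the compatibility behaviour when a 0.8 client talks to an accountd whose greeting lacks the extended data (and vice versa), and the client side should treat the advertised JWA as an allow-listed value rather than copy an arbitrary string into the JWS protected header. In the 'keyid' hunk, "easily revoke all account management access from the client" names the effect but not the mechanism; if accountd only signs requests whose protected header carries the configured 'kid' and refuses jwk-based ones, say so, and mention the saved round trip from the commit message.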
@@ -96,6 +96,7 @@ lacme (0.7.1) upstream; - Set the DEBUG environment variable to 0/1 instead of ""/1. - Use File::Basename::dirname() to correctly extract the parent directory of the socket path. + - client: Print Terms of Service URL for 'account' command. -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 -- cgit v1.2.3 From 3eba02ef820a393bd5781be9f8fcda1611ae7c3d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 22 Feb 2021 03:19:57 +0100 Subject: Prepare new release v0.8.0. --- Changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index a402207..9f12237 100644 --- a/Changelog +++ b/Changelog @@ -1,4 +1,4 @@ -lacme (0.7.1) upstream; +lacme (0.8.0) upstream; * Breaking change: 'challenge-directory' now needs to be set to an *existing* directory (writable by the lacme client user). Since @@ -98,7 +98,7 @@ lacme (0.7.1) upstream; directory of the socket path. - client: Print Terms of Service URL for 'account' command. - -- Guilhem Moulin Wed, 09 Dec 2020 18:23:22 +0100 + -- Guilhem Moulin Mon, 22 Feb 2021 03:19:57 +0100 lacme (0.7) upstream; -- cgit v1.2.3
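Review bot: the "Print Terms of Service URL" line is added to the group of "-" entries, which in this file otherwise hold fixes ("Set the DEBUG environment variable...", "Use File::Basename::dirname()..."), whereas this reads as a user-visible feature of the 'account' command and would sit more naturally with the "*" entries; it would also help to say the URL is the directory's meta.termsOfService value (RFC 8555 sec. 7.1.1) so the reader knows where it comes from. The release hunk renaming 0.7.1 to 0.8.0 is consistent with the "Breaking change" entries this section accumulated; the date trailer is updated in the same hunk, which is correct.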