From 61e4ad1347f51a84400cbf87633cc99f657f9ad7 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 9 Dec 2020 20:28:46 +0100 Subject: Make unprivileged user/group for the internal client resp. webserver configurable. --- Makefile | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index a4098de..afc5c71 100644 --- a/Makefile +++ b/Makefile @@ -35,6 +35,11 @@ mandir ?= $(datarootdir)/man man1dir ?= $(mandir)/man1 man8dir ?= $(mandir)/man8 +lacme_www_user ?= www-data +lacme_www_group ?= www-data +lacme_client_user ?= nobody +lacme_client_group ?= nogroup + $(BUILDDIR)/%: % mkdir -pv -- $(dir $@) cp --no-dereference --preserve=mode,links,xattr -vfT -- "$<" "$@" @@ -43,7 +48,12 @@ $(BUILDDIR)/%: % s#@@libexecdir@@#$(libexecdir)#g; \ s#@@datadir@@#$(datadir)#g; \ s#@@runstatedir@@#$(runstatedir)#g; \ - s#@@sysconfdir@@#$(sysconfdir)#g;" -- "$@" + s#@@sysconfdir@@#$(sysconfdir)#g; \ + s#@@lacme_www_user@@#$(lacme_www_user)#g; \ + s#@@lacme_www_group@@#$(lacme_www_group)#g; \ + s#@@lacme_client_user@@#$(lacme_client_user)#g; \ + s#@@lacme_client_group@@#$(lacme_client_group)#g;" \ + -- "$@" install: all install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf -- cgit v1.2.3 From 2c1a396728a381685923f7b1c4dea53d225112fc Mon Sep 17 00:00:00 2001 
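Review bot: The four new `?=` knobs starting at `lacme_www_user ?= www-data` carry no comment, and unlike the surrounding directory variables their names do not explain what they control. Suggest one line above them: `# unprivileged accounts the internal webserver resp. client run as; substituted into the built scripts, presumably must exist on the target host`. The privilege switch itself is not visible in this hunk (the commit message is the only source for it), so the comment should stay at that level of detail.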
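Review bot: The new `s#@@lacme_www_user@@#$(lacme_www_user)#g` line and the three that follow splice a Make variable into a sed replacement unescaped, so a value containing `#`, `&` or `\` either breaks the expression or is rewritten by sed (`&` stands for the matched `@@…@@` text), silently yielding a script that switches to the wrong account. The pre-existing `@@sysconfdir@@` lines share this exposure, and the `$(acmeapi_server)` line added in commit 626c041 extends it to a URL, where `#` and `&` are legal characters. Since these are build-time knobs rather than untrusted input, a parse-time `$(error …)` guard that rejects values containing sed-active characters (or restricts account names to `[A-Za-z0-9._-]`, which is all an account name can be anyway) is enough, and is cheaper than switching sed delimiters, which would not cover `&` or `\`. The `$(BUILDDIR)/%: %` recipe this belongs to starts outside the hunk.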
From: Guilhem Moulin Date: Sun, 14 Feb 2021 22:59:11 +0100 Subject: Add (self-signed) ISRG Roots to the CA bundle. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This allows us to fully validate provided X.509 chains using that self-contained bundle, regardless of which CAs is marqued as trusted under /etc/ssl/certs. Also, remove cross-signed intermediate CAs from the bundle as they're useless in a self-contained bundle. Also, remove decomissioned intermediate CAs Authority X3 and X4 from the bundle. This change bumps the minimum OpenSSL version to 1.1.0 (for verify(1ssl)'s ‘-trusted’ and ‘-show_chain’ options). --- Makefile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index afc5c71..fa830c4 100644 --- a/Makefile +++ b/Makefile @@ -13,13 +13,12 @@ $(MANUAL_FILES): $(BUILDDIR)/%: $(BUILDDIR)/%.md # used for validation, see https://letsencrypt.org/certificates/ $(BUILDDIR)/certs/ca-certificates.crt: \ - certs/letsencryptauthorityx[34].pem \ - certs/lets-encrypt-x[34]-cross-signed.pem \ + certs/isrgrootx1.pem \ + certs/isrg-root-x2.pem \ certs/lets-encrypt-r[34].pem \ - certs/lets-encrypt-r[34]-cross-signed.pem \ certs/lets-encrypt-e[12].pem mkdir -pv -- $(BUILDDIR)/certs - cat $^ >$@ + cat -- $^ >$@ prefix ?= $(DESTDIR) exec_prefix ?= $(prefix) -- cgit v1.2.3 From 91881351597ce28d8b6448a712396d4432d4a8ba Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 14 Feb 2021 23:51:30 +0100 Subject: Makefile: new 'release' target. --- Makefile | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index fa830c4..3c8c6bc 100644 --- a/Makefile +++ b/Makefile 
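Review bot: `cat -- $^ >$@` in the rewritten bundle rule is not atomic and the file sets no `.DELETE_ON_ERROR:`, so a `cat` that fails part way (unreadable input, full disk) leaves a truncated `ca-certificates.crt` that is newer than its inputs and is treated as up to date on the next run; for a file the commit message makes the self-contained trust store for chain validation, that is worth closing. Suggest `cat -- $^ >$@.tmp && mv -f -- $@.tmp $@`, or a file-level `.DELETE_ON_ERROR:`. Separately, the glob prerequisites `certs/lets-encrypt-r[34].pem` and `certs/lets-encrypt-e[12].pem` are expanded by Make against the working tree, so if one of the two files is missing the bundle is silently built without it, whereas the explicit `certs/isrgrootx1.pem` / `certs/isrg-root-x2.pem` lines fail loudly; listing every member explicitly would make the bundle's contents reviewable from the Makefile alone. The staging rule rewritten in commit c214f20 (`letsencrypt-stg-root-x[12].pem` etc.) has the same property.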
@@ -54,6 +54,20 @@ $(BUILDDIR)/%: % s#@@lacme_client_group@@#$(lacme_client_group)#g;" \ -- "$@" +release: + @if ! git diff HEAD --quiet -- ./Changelog ./lacme ./lacme-accountd; then \ + echo "Dirty state, refusing to release!" >&2; \ + exit 1; \ + fi + VERS=$$(dpkg-parsechangelog -l Changelog -SVersion 2>/dev/null) && \ + if git rev-parse -q --verify "refs/tags/v$$VERS" >/dev/null; then echo "tag exists" 2>/dev/null; exit 1; fi && \ + sed -ri "0,/^( -- .*) .*/ s//\\1 $(shell date -R)/" ./Changelog && \ + sed -ri "0,/^(our\\s+\\\$$VERSION\\s*=\\s*)'[0-9.]+'\\s*;/ s//\\1'$$VERS';/" \ + -- ./lacme ./lacme-accountd && \ + git commit -m "Prepare new release v$$VERS." \ + -- ./Changelog ./lacme ./lacme-accountd && \ + git tag -sm "Release version $$VERS" "v$$VERS" + install: all install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf install -vd $(sysconfdir)/lacme/lacme-certs.conf.d @@ -72,4 +86,4 @@ uninstall: clean: rm -rvf -- $(BUILDDIR) -.PHONY: all doc manual install uninstall clean +.PHONY: all doc manual release install uninstall clean -- cgit v1.2.3 From a8bc34b6ff5eccabef7420d5d5deeb8e1a9e2816 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 16 Feb 2021 16:18:16 +0100 Subject: Add certs-staging/fake*.pem for tests using the staging environment. See https://letsencrypt.org/docs/staging-environment/ . --- Makefile | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 3c8c6bc..c37c45b 100644 --- a/Makefile +++ b/Makefile 
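Review bot: In the new `release` recipe the tag-exists diagnostic `echo "tag exists" 2>/dev/null; exit 1` goes to stdout (the redirection only silences stderr, which echo does not write to), inconsistent with the dirty-state message two lines above that is sent to `>&2`; use `echo "tag v$$VERS already exists" >&2; exit 1`. The preceding `dpkg-parsechangelog … 2>/dev/null` likewise hides why a version lookup failed, and as far as the visible lines show an empty `VERS` would still proceed to verify `refs/tags/v` and write `''` into the `$VERSION` assignments; adding `[ -n "$$VERS" ] && \` right after the assignment is a cheap guard. A one-line comment above `release:` stating the preconditions (clean Changelog/scripts, version taken from `Changelog`, signed tag `v$VERS` created) would also help, since none of this is obvious from the target name.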
@@ -2,7 +2,9 @@ DESTDIR ?= /usr/local BUILDDIR ?= ./build MANUAL_FILES = $(addprefix $(BUILDDIR)/,$(patsubst ./%.md,%,$(wildcard ./*.[1-9].md))) -all: manual $(addprefix $(BUILDDIR)/,lacme lacme-accountd client webserver $(wildcard certs/* config/* snippets/*) certs/ca-certificates.crt) +all: manual $(addprefix $(BUILDDIR)/,lacme lacme-accountd client webserver \ + $(wildcard certs/* config/* snippets/*) \ + certs/ca-certificates.crt certs-staging/ca-certificates.crt) doc: manual manual: $(MANUAL_FILES) @@ -17,7 +19,14 @@ $(BUILDDIR)/certs/ca-certificates.crt: \ certs/isrg-root-x2.pem \ certs/lets-encrypt-r[34].pem \ certs/lets-encrypt-e[12].pem - mkdir -pv -- $(BUILDDIR)/certs + mkdir -pv -- $(dir $@) + cat -- $^ >$@ + +# Staging Environment for tests, see https://letsencrypt.org/docs/staging-environment/ +$(BUILDDIR)/certs-staging/ca-certificates.crt: \ + certs-staging/fakelerootx1.pem \ + certs-staging/fakeleintermediatex1.pem + mkdir -pv -- $(dir $@) cat -- $^ >$@ prefix ?= $(DESTDIR) -- cgit v1.2.3 From c75bc6c37840b8fc2c57424d24c06a0bfe399de6 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 16 Feb 2021 01:06:01 +0100 Subject: client: use "lacme-client/$VERSION" as User-Agent header. --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index c37c45b..7b0cd1a 100644 --- a/Makefile +++ b/Makefile @@ -64,7 +64,7 @@ $(BUILDDIR)/%: % -- "$@" release: - @if ! git diff HEAD --quiet -- ./Changelog ./lacme ./lacme-accountd; then \ + @if ! git diff HEAD --quiet -- ./Changelog ./lacme ./lacme-accountd ./client; then \ echo "Dirty state, refusing to release!" >&2; \ exit 1; \ fi 
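Review bot: The new `$(BUILDDIR)/certs-staging/ca-certificates.crt` rule repeats the production bundle's recipe verbatim (`mkdir -pv -- $(dir $@)` / `cat -- $^ >$@`); one rule header naming both targets, with the per-target prerequisites declared on prerequisite-only lines, keeps the two from drifting. Worth recording in a comment as well: the install hunk later in this series copies only `$(BUILDDIR)/certs/*` to `$(datadir)/lacme`, so the fake staging roots never reach the installed trust store, and that should stay so — e.g. `# test-only bundle; deliberately NOT installed alongside $(BUILDDIR)/certs/*` above the staging rule. The `all:` prerequisite list in the first hunk already builds both bundles, so nothing else changes.
```make
# shared recipe for both CA bundles; prerequisites are declared per target below
$(BUILDDIR)/certs/ca-certificates.crt $(BUILDDIR)/certs-staging/ca-certificates.crt:
	mkdir -pv -- $(dir $@)
	cat -- $^ >$@

# used for validation, see https://letsencrypt.org/certificates/
$(BUILDDIR)/certs/ca-certificates.crt: certs/isrgrootx1.pem certs/isrg-root-x2.pem \
	certs/lets-encrypt-r[34].pem certs/lets-encrypt-e[12].pem

# Staging Environment for tests, see https://letsencrypt.org/docs/staging-environment/
# test-only bundle; deliberately NOT installed alongside $(BUILDDIR)/certs/*
$(BUILDDIR)/certs-staging/ca-certificates.crt: certs-staging/fakelerootx1.pem \
	certs-staging/fakeleintermediatex1.pem
```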
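Review bot: With `./client` added, the list `./Changelog ./lacme ./lacme-accountd ./client` is now spelled out three times in the `release` recipe (here in the `git diff` guard, and twice more in the second hunk of this commit), which is exactly how `./client` was missed before; hoisting it into a variable such as `release_scripts := ./lacme ./lacme-accountd ./client` and writing `-- ./Changelog $(release_scripts)` makes the next addition a one-line change. The `$VERSION` sed in the second hunk also assumes `./client` declares its version with the same `our $VERSION = '…';` form as the two other scripts; that contract is not visible from the Makefile, so a comment naming it above the sed line would help. The `release` target starts and ends outside this hunk.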
@@ -72,9 +72,9 @@ release: if git rev-parse -q --verify "refs/tags/v$$VERS" >/dev/null; then echo "tag exists" 2>/dev/null; exit 1; fi && \ sed -ri "0,/^( -- .*) .*/ s//\\1 $(shell date -R)/" ./Changelog && \ sed -ri "0,/^(our\\s+\\\$$VERSION\\s*=\\s*)'[0-9.]+'\\s*;/ s//\\1'$$VERS';/" \ - -- ./lacme ./lacme-accountd && \ + -- ./lacme ./lacme-accountd ./client && \ git commit -m "Prepare new release v$$VERS." \ - -- ./Changelog ./lacme ./lacme-accountd && \ + -- ./Changelog ./lacme ./lacme-accountd ./client && \ git tag -sm "Release version $$VERS" "v$$VERS" install: all -- cgit v1.2.3 From bddbc17b87f3de29657f1dd2b9a065901e955c15 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 17 Feb 2021 11:34:33 +0100 Subject: Makefile: set executable bit for $(bindir)/lacme-accountd and $(sbindir)/lacme. --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 7b0cd1a..06e8cb2 100644 --- a/Makefile +++ b/Makefile @@ -84,8 +84,8 @@ install: all install -m0755 -vDt $(libexecdir)/lacme $(BUILDDIR)/client $(BUILDDIR)/webserver install -m0644 -vDt $(man1dir) $(BUILDDIR)/lacme-accountd.1 install -m0644 -vDt $(man8dir) $(BUILDDIR)/lacme.8 - install -m0644 -vDt $(bindir) $(BUILDDIR)/lacme-accountd - install -m0644 -vDt $(sbindir) $(BUILDDIR)/lacme + install -m0755 -vDt $(bindir) $(BUILDDIR)/lacme-accountd + install -m0755 -vDt $(sbindir) $(BUILDDIR)/lacme uninstall: rm -vf -- $(bindir)/lacme-accountd $(sbindir)/lacme -- cgit v1.2.3 From c214f20a835d0da4bd0c5a85a4bd9089fc4febcb Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 19 Feb 2021 23:15:52 +0100 Subject: Update staging hierarchy. Cf. https://community.letsencrypt.org/t/staging-hierarchy-new-root-cert/145677 . --- Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 06e8cb2..3ad440c 100644 --- a/Makefile +++ b/Makefile 
@@ -24,8 +24,9 @@ $(BUILDDIR)/certs/ca-certificates.crt: \ # Staging Environment for tests, see https://letsencrypt.org/docs/staging-environment/ $(BUILDDIR)/certs-staging/ca-certificates.crt: \ - certs-staging/fakelerootx1.pem \ - certs-staging/fakeleintermediatex1.pem + certs-staging/letsencrypt-stg-root-x[12].pem \ + certs-staging/letsencrypt-stg-int-r[34].pem \ + certs-staging/letsencrypt-stg-int-e[12].pem mkdir -pv -- $(dir $@) cat -- $^ >$@ -- cgit v1.2.3 From e3a3f59865290ea70de66ffa3b017916aac3ffef Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 16:05:31 +0100 Subject: Makefile wibble --- Makefile | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 3ad440c..0fdd9df 100644 --- a/Makefile +++ b/Makefile 
@@ -79,14 +79,14 @@ release: git tag -sm "Release version $$VERS" "v$$VERS" install: all - install -m0644 -vDt $(sysconfdir)/lacme $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf - install -vd $(sysconfdir)/lacme/lacme-certs.conf.d - install -m0644 -vDt $(datadir)/lacme $(BUILDDIR)/certs/* - install -m0755 -vDt $(libexecdir)/lacme $(BUILDDIR)/client $(BUILDDIR)/webserver - install -m0644 -vDt $(man1dir) $(BUILDDIR)/lacme-accountd.1 - install -m0644 -vDt $(man8dir) $(BUILDDIR)/lacme.8 - install -m0755 -vDt $(bindir) $(BUILDDIR)/lacme-accountd - install -m0755 -vDt $(sbindir) $(BUILDDIR)/lacme + install -m0644 -vDt $(sysconfdir)/lacme -- $(BUILDDIR)/config/*.conf $(BUILDDIR)/snippets/*.conf + install -m0755 -vd -- $(sysconfdir)/lacme/lacme-certs.conf.d + install -m0644 -vDt $(datadir)/lacme -- $(BUILDDIR)/certs/* + install -m0755 -vDt $(libexecdir)/lacme -- $(BUILDDIR)/client $(BUILDDIR)/webserver + install -m0644 -vDt $(man1dir) -- $(BUILDDIR)/lacme-accountd.1 + install -m0644 -vDt $(man8dir) -- $(BUILDDIR)/lacme.8 + install -m0755 -vDt $(sbindir) -- $(BUILDDIR)/lacme + install -m0755 -vDt $(bindir) -- $(BUILDDIR)/lacme-accountd uninstall: rm -vf -- $(bindir)/lacme-accountd $(sbindir)/lacme -- cgit v1.2.3 From 8d7b50989d1c446b81c73e8ababfce6f0351ee59 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 18 Feb 2021 16:11:24 +0100 Subject: =?UTF-8?q?Symlink=20$(sysconfdir)/apache2/conf-available/lacme.co?= =?UTF-8?q?nf=20=E2=86=92=20../../lacme/apache2.conf.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is useful for enabling the snippet with `a2enconf lacme`, cf. https://bugs.debian.org/955859 . --- Makefile | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 0fdd9df..3a8e461 100644 --- a/Makefile +++ b/Makefile 
@@ -87,11 +87,14 @@ install: all install -m0644 -vDt $(man8dir) -- $(BUILDDIR)/lacme.8 install -m0755 -vDt $(sbindir) -- $(BUILDDIR)/lacme install -m0755 -vDt $(bindir) -- $(BUILDDIR)/lacme-accountd + install -m0755 -vdD -- $(sysconfdir)/apache2/conf-available + ln -sv -- ../../lacme/apache2.conf $(sysconfdir)/apache2/conf-available/lacme.conf uninstall: rm -vf -- $(bindir)/lacme-accountd $(sbindir)/lacme rm -vf -- $(man1dir)/lacme-accountd.1 $(man8dir)/lacme.8 rm -rvf -- $(sysconfdir)/lacme $(datadir)/lacme $(libexecdir)/lacme + rm -vf -- $(sysconfdir)/apache2/conf-available/lacme.conf clean: rm -rvf -- $(BUILDDIR) -- cgit v1.2.3 From 2114bd775df342f3491cdd839031254041b655ae Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Fri, 19 Feb 2021 00:48:40 +0100 Subject: typofix --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 3a8e461..2ac524b 100644 --- a/Makefile +++ b/Makefile @@ -38,7 +38,7 @@ libexecdir ?= $(exec_prefix)/libexec datarootdir ?= $(prefix)/share datadir ?= $(datarootdir) sysconfdir ?= $(prefix)/etc -localstatedir =? $(prefix)/var +localstatedir ?= $(prefix)/var runstatedir ?= $(localstatedir)/run mandir ?= $(datarootdir)/man man1dir ?= $(mandir)/man1 -- cgit v1.2.3 From 0ef94d85e58497dcb2c4c954cadcac918032467a Mon Sep 17 00:00:00 2001 
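Review bot: `ln -sv -- ../../lacme/apache2.conf $(sysconfdir)/apache2/conf-available/lacme.conf` fails with "File exists" on a second `make install` over an existing installation because `ln` is not given `-f`, whereas every `install -D` line above it is idempotent; `ln -svfT -- ../../lacme/apache2.conf $(sysconfdir)/apache2/conf-available/lacme.conf` fixes that (`-T` also prevents the link from being created inside the destination should it ever be a directory). The preceding `install -m0755 -vdD -- $(sysconfdir)/apache2/conf-available` creates the Apache directory unconditionally, i.e. also on hosts without Apache; that is presumably intended for packaging, and a comment such as `# for a2enconf(8), cf. https://bugs.debian.org/955859; harmless when apache2 is absent` would record it. The matching `rm -vf` added to `uninstall` removes the link but not the directory, which is correct since the directory is not exclusively this package's.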
From: Guilhem Moulin Date: Thu, 18 Feb 2021 21:07:01 +0100 Subject: Add %-specifiers support. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/ ‘config-certs’/‘challenge-directory’ configuration options *before* privilege drop; and for the [accountd] section ‘command’/‘config’ configuration options *after* privilege drop). lacme-accountd(1): for --config=, --socket= and --privkey= (and ‘socket’/‘privkey’ configuration options). This also changes the default configuration file location. lacme(8) and lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp. /etc/lacme/lacme-accountd.conf when running as root, and $XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user. There is no fallback to /etc anymore. --- Makefile | 1 + 1 file changed, 1 insertion(+) (limited to 'Makefile') diff --git a/Makefile b/Makefile index 2ac524b..a4caff0 100644 --- a/Makefile +++ b/Makefile @@ -56,6 +56,7 @@ $(BUILDDIR)/%: % s#@@sbindir@@#$(sbindir)#g; \ s#@@libexecdir@@#$(libexecdir)#g; \ s#@@datadir@@#$(datadir)#g; \ + s#@@localstatedir@@#$(localstatedir)#g; \ s#@@runstatedir@@#$(runstatedir)#g; \ s#@@sysconfdir@@#$(sysconfdir)#g; \ s#@@lacme_www_user@@#$(lacme_www_user)#g; \ -- cgit v1.2.3 From 626c0418b3d8c3747a7be8e2620d7c85a8c2c613 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 21 Feb 2021 02:55:46 +0100 Subject: Make the ACME API server URL configurable at build time. --- Makefile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'Makefile') diff --git a/Makefile b/Makefile index a4caff0..16ac04e 100644 --- a/Makefile +++ b/Makefile 
@@ -49,6 +49,8 @@ lacme_www_group ?= www-data lacme_client_user ?= nobody lacme_client_group ?= nogroup +acmeapi_server ?= https://acme-v02.api.letsencrypt.org/directory + $(BUILDDIR)/%: % mkdir -pv -- $(dir $@) cp --no-dereference --preserve=mode,links,xattr -vfT -- "$<" "$@" @@ -62,8 +64,9 @@ $(BUILDDIR)/%: % s#@@lacme_www_user@@#$(lacme_www_user)#g; \ s#@@lacme_www_group@@#$(lacme_www_group)#g; \ s#@@lacme_client_user@@#$(lacme_client_user)#g; \ - s#@@lacme_client_group@@#$(lacme_client_group)#g;" \ - -- "$@" + s#@@lacme_client_group@@#$(lacme_client_group)#g; \ + s#@@acmeapi_server@@#$(acmeapi_server)#g; \ + " -- "$@" release: @if ! git diff HEAD --quiet -- ./Changelog ./lacme ./lacme-accountd ./client; then \ -- cgit v1.2.3
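Review bot: `acmeapi_server ?= https://acme-v02.api.letsencrypt.org/directory` becomes a trust-relevant default baked into the built client, but nothing next to it says so or how to override it. Suggest `# ACME directory URL substituted into the client at build time (@@acmeapi_server@@); override, e.g. with the staging environment's directory URL, for tests` above the assignment. In the second hunk the expression now ends in `; \` followed by `" -- "$@"`, which leaves a trailing space inside the sed script; harmless, but the earlier form with the closing quote on the last `s#…#g;"` line was tidier.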