From af5e3d794fc2f83f6cc3b5ddff386dad5463707d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 23 Feb 2021 00:20:32 +0100
Subject: Consolidate error messages.
---
 client | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'client')
diff --git a/client b/client
index fdef865..6438f6a 100755
--- a/client
+++ b/client
@@ -87,13 +87,13 @@ do {
 if (defined (my $extra = $2)) {
 my $h = eval { JSON::->new->decode($extra) };
 if ($@ or !defined $h) {
- print STDERR "WARN: Ignoring extra greeting data from accountd \"$extra\"\n";
+ print STDERR "Warning: Ignoring extra greeting data from accountd \"$extra\"\n";
 } else {
 print STDERR "Received extra greeting data from accountd: $extra\n" if $ENV{DEBUG};
 ($JWK_thumbprint, $ALG, $KID) = @$h{qw/jwk-thumbprint alg kid/};
 }
 }
- my $jwk_str = $S->getline() // die "ERROR: No JWK from lacme-accountd\n";
+ my $jwk_str = $S->getline() // die "Error: No JWK from lacme-accountd\n";
 $JWK = JSON::->new->decode($jwk_str);
 $JWK_thumbprint //= encode_base64url(sha256(json()->encode($JWK))); # SHA-256 is hardcoded, see RFC 8555 sec. 8.1
 $ALG //= "RS256";
@@ -210,7 +210,7 @@ sub acme2($$;$) {
 $payload = defined $payload ? encode_base64url(json()->encode($payload)) : "";
 $S->printflush($protected, ".", $payload, "\r\n");
- my $sig = $S->getline() // die "ERROR: No response from lacme-accountd\n";
+ my $sig = $S->getline() // die "Error: lost connection with lacme-accountd\n";
 $sig =~ s/\r\n\z// or die;
 undef $NONCE; # consume the nonce
@@ -249,7 +249,7 @@ sub acme_resource($%) {
 if ($r eq "newAccount" or ($r eq "revokeCert" and !defined $KID)) {
 # per RFC 8555 sec. 6.2 these requests MUST have a JWK
- print STDERR "WARNING: lacme-accountd supplied an empty JWK; try removing 'keyid' ",
+ print STDERR "Warning: lacme-accountd supplied an empty JWK; try removing 'keyid' ",
 "setting from lacme-accountd.conf if the ACME resource request fails.\n" unless %$JWK;
 return acme2($uri, {jwk => $JWK}, \%payload);
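Review bot: The branch that now prints `Warning: Ignoring extra greeting data ...` in the first hunk is entered only when decoding failed or returned undef, so greeting data that decodes to a non-hash value (an array, or a bare scalar where the JSON backend accepts non-reference top-level values) falls through to the `@$h{qw/jwk-thumbprint alg kid/}` slice and dies under strict refs with a generic message instead of the consolidated warning. Tightening the guard above the reworded line to `if ($@ or !defined $h or ref $h ne 'HASH') {` keeps the warning as the single failure path; decoded JSON is never blessed, so the plain `ref` comparison is adequate here. In the same hunk the `$JWK_thumbprint` taken from the greeting is never compared with the value the `//=` line would compute from `$JWK`, so a mismatch only surfaces later as a failed challenge — a one-line comparison that warns when both are present and differ would make that visible up front. The enclosing `do {` block starts before the hunk and ends after it.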
@@ -342,7 +342,7 @@ elsif ($COMMAND eq 'newOrder') {
 $fh->print($keyAuthorization);
 $fh->close() or die "close: $!";
 } elsif ($! == EEXIST) {
- print STDERR "WARNING: File exists: $challenge->{token}\n";
+ print STDERR "Warning: File exists: $challenge->{token}\n";
 } else {
 die "open($challenge->{token}): $!";
 }
-- cgit v1.2.3
From c612a7ff44995f4f9c39fa0fb68470d90c88decf Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 24 Feb 2021 21:01:12 +0100
Subject: lacme: Default mode for certificate(-chain) creation is 0644 minus umask restrictions.
Also, always spawn the client with umask 0022 so a starting lacme(8) with a restrictive umask doesn't impede serving challenge response files.
---
 client | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'client')
diff --git a/client b/client
index 6438f6a..33189d3 100755
--- a/client
+++ b/client
@@ -338,7 +338,8 @@ elsif ($COMMAND eq 'newOrder') {
 my $keyAuthorization = $challenge->{token}.'.'.$JWK_thumbprint;
 # serve $keyAuthorization at http://$domain/.well-known/acme-challenge/$challenge->{token}
- if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) {
+ if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY)) {
+ # note: the file is created mode 0666 minus umask restrictions
 $fh->print($keyAuthorization);
 $fh->close() or die "close: $!";
 } elsif ($! == EEXIST) {
-- cgit v1.2.3
From 9a8f705eddd18ccc9a24fe0e7efe6b5a87b2be09 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 25 Feb 2021 01:41:59 +0100
Subject: lacme: pass a temporary JSON file with the client configuration to the internal client.
So it doesn't have to parse the INI file again. Also, while lacme.conf is world-readable by default, one might restrict permissions and add private information in there, not realizing that everything, including comments, will be readable by the client.
---
 client | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'client')
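Review bot: Dropping the explicit `0644` from the `sysopen` call in the second commit's hunk makes the challenge file's mode depend on the caller's umask in both directions: the mode argument is only ever restricted by umask, so `0644` never granted more than the new `0666` default does, but with a permissive umask (for example `000`) the token file in the served directory now comes out world-writable, and nothing in this file prevents that. Keeping the explicit mode, `if (sysopen(my $fh, $challenge->{token}, O_CREAT|O_EXCL|O_WRONLY, 0644)) {`, preserves the intended "minus umask restrictions" behaviour while capping the result at 0644, and the added comment would then read `# note: the file is created mode 0644 minus umask restrictions`. The commit message relies on lacme(8) spawning the client with umask 0022, but that invariant is enforced outside this file, which is why the cap is worth keeping here as well. The enclosing `elsif ($COMMAND eq 'newOrder')` block starts before the hunk and ends after it.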
diff --git a/client b/client
index 33189d3..8439ddb 100755
--- a/client
+++ b/client
@@ -56,8 +56,6 @@ use Date::Parse ();
 use LWP::UserAgent ();
 use JSON ();
-use Config::Tiny ();
-
 # Clean up PATH
 $ENV{PATH} = join ':', qw{/usr/bin /bin};
 delete @ENV{qw/IFS CDPATH ENV BASH_ENV/};
@@ -107,11 +105,7 @@ do {
 my $CONFIG = do {
 my $conf = do { local $/ = undef; <$CONFFILE> };
- close $CONFFILE or die "close: $!";
- my $h = Config::Tiny::->read_string($conf) or die Config::Tiny::->errstr()."\n";
- $h->{_} //= {};
- $h->{client}->{$_} //= $h->{_}->{$_} foreach keys %{$h->{_}}; # add defaults
- $h->{client};
+ JSON::->new->decode($conf);
 };
 my $UA = do {
 my %args = %$CONFIG;
-- cgit v1.2.3
From b3af3526b293f396da02a6276ea86ca17dcd2d03 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 25 Jan 2023 03:23:51 +0100
Subject: Prepare new release v0.8.1.
---
 client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'client')
diff --git a/client b/client
index 8439ddb..3cda821 100755
--- a/client
+++ b/client
@@ -43,7 +43,7 @@ use warnings;
 # instance own by another user and created with umask 0177) is not a
 # problem since SOCKET_FD can be bound as root prior to the execve(2).
-our $VERSION = '0.8.0';
+our $VERSION = '0.8.1';
 my $PROTOCOL_VERSION = 1;
 my $NAME = 'lacme-client';
-- cgit v1.2.3
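Review bot: The rewritten `$CONFIG` block in the second hunk of the configuration commit no longer closes `$CONFFILE`: the `close $CONFFILE or die "close: $!";` line was removed together with the Config::Tiny parsing, so unless the handle is closed elsewhere (not visible here) the descriptor on the temporary JSON file stays open for the rest of the run. The decoded value is also dereferenced as a hash by `my %args = %$CONFIG;` without any check, so a malformed file dies with a generic "Not a HASH reference" instead of a configuration error. Replacing the single `JSON::->new->decode($conf);` line with `close $CONFFILE or die "close: $!";`, `my $h = JSON::->new->decode($conf);` and `ref $h eq 'HASH' ? $h : die "Error: invalid client configuration\n";` restores the close and reports the failure in the same `Error:` style the file now uses. The `do {` that encloses this block starts before the hunk.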