lacme (0.8.1) upstream;

 + lacme-accountd: improve log messages and refactor logging logic.
 + lacme-accountd: refuse to sign JWS with an invalid Protected Header.
 + lacme: don't write certificate(-chain) file on chown/chmod failure.
 + lacme: default mode for certificate(-chain) creation is 0644 minus
   umask restrictions.  Also, always spawn the client with umask 0022 so
   that starting lacme(8) with a restrictive umask doesn't impede serving
   challenge files.
 + lacme: add 'owner' resp. 'mode' as (preferred) alias for 'chown' resp.
   'chmod'.
 + lacme: split certificates using Net::SSLeay::PEM_* instead of calling
   openssl.
 + lacme: pass a temporary JSON file with the client configuration to
   the internal client, so it doesn't have to parse the INI file again.
 - lacme: in the [accountd] config, let lacme-accountd(1) do the
   %-expansion for 'config', not lacme(8) when building the command.
 - lacme-accountd: don't log debug messages unless --debug is set.
 - lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error
   messages.
 - tests/drop-privileges: ensure failure to drop privileges yields an
   error instead of retaining root privileges.
 - tests/cert-install: include tests for failing chown(2) due to unknown
   user/group name.
 - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate'
   and 'certificate-chain'.
 - lacme: return an error when the 'mode'/'chown' isn't a number.

 -- Guilhem Moulin <guilhem@fripost.org>  Mon, 22 Feb 2021 12:04:28 +0100

lacme (0.8.0) upstream;

 * Breaking change: 'challenge-directory' now needs to be set to an
   *existing* directory (writable by the lacme client user).  Since
   lacme(8) spawns a builtin webserver by default the change doesn't
   affect default configurations.
   Thanks to Benjamin Tietz for the idea and initial patch.
 * Breaking change: the 'iptables' option is now ignored unless the
   builtin webserver is used.
 * Unprivileged user/group for the internal client resp. webserver are
   now configurable at install time.
 * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e.,
   forces renewal regardless of the expiration date of existing
   certificates.
 * Remove decommissioned intermediate CAs Authority X3 and X4 from the
   bundle.
 * Remove cross-signed intermediate CAs from the bundle and add the
   (self-signed) ISRG Root X1 and X2 instead.  This allows us to fully
   validate provided X.509 chains using that self-contained bundle,
   regardless of which CAs are marked as trusted under /etc/ssl/certs.
   This change bumps the minimum OpenSSL version to 1.1.0.
 * Breaking change: lacme(8) and lacme-accountd(1) respectively load
   their configuration file from /etc/lacme/lacme.conf resp.
   /etc/lacme/lacme-accountd.conf when running as root, and
   $XDG_CONFIG_HOME/lacme/lacme.conf resp.
   $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal
   user.  There is no fallback to /etc anymore, and the lookup in the
   current directory as preferred choice is removed too.  However
   lacme-accountd(1) can be used without configuration file under
   ~/.config/lacme as it treats a non-existent default location as an
   empty file.
 * The client, webserver, and accountd commands are now split on
   whitespace.  This doesn't change the default behavior but allows
   using `ssh -T lacme@account.example.net lacme-accountd` to spawn a
   remote lacme-accountd server for instance.
 * Add test suite against Let's Encrypt's staging environment
   https://letsencrypt.org/docs/staging-environment/ .
 * lacme(8)'s 'config' option in the [accountd] section no longer has a
   default value.  The previous default /etc/lacme/lacme-accountd.conf
   is still honored when root privileges are preserved (the default).
 * Deprecate setting 'privkey' in [accountd] section of the lacme(8)
   configuration file.  One needs to use the lacme-accountd(1)
   configuration file for that instead.
 * lacme(8): add %-specifiers support for --config=, --socket=,
   --config-certs= (and 'socket'/'config-certs'/'challenge-directory'
   configuration options *before* privilege drop; and for the [accountd]
   section 'command'/'config' configuration options *after* privilege
   drop).
 * lacme-accountd(1): add %-specifiers support for --config=, --socket=
   and --privkey= (and 'socket'/'privkey' configuration options).
 * lacme-accountd(1): base64url-decode incoming signature requests shown
   in messages to the standard error.
 * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming
   signature requests to a file.
 * lacme-accountd(1): new setting 'keyid' to easily revoke all account
   management access from the client.
 + Improve nginx/apache2 snippets for direct serving of challenge files
   (with the new 'challenge-directory' logic symlinks can be disabled).
 + Split Nginx and Apache2 static configuration snippets into separate
   files.  That way users preferring that over reverse-proxying can just
   source/enable the relevant files without having to uncomment
   anything.
 + Add support for TLS Feature extension from RFC 7633; this is mostly
   useful for OCSP Must-Staple.
 + client: use "lacme-client/$VERSION" as User-Agent header.
 + Consolidate error messages for consistency.
 + Sanitize environment when spawning the lacme client, webserver and
   accountd.
 + accountd: replace internal option --conn-fd=FD with flag --stdio.
   Using stdin/stdout makes it possible to tunnel the accountd
   connection through ssh.  The new flag is documented to allow safe
   usage in authorized_keys(5) restrictions.
 + Remove dependency on List::Util (core module).
 + accountd: Pass JWA and JWK thumbprint via extended greeting data.
   This gives better forward flexibility.
 - lacme: delay webserver socket shutdown to after the process has
   terminated.
 - documentation: suggest to generate private key material with
   genpkey(1ssl); also suggest a command to generate an ECDSA key not
   just RSA; hint at which key algorithms are supported.
 - documentation: clarify that "file:/path/to/account.key" can point to
   a symmetrically-encrypted private key.
 - documentation: emphasize default values in the config file, and move
   the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to
   the default section.
 - Raise client timeout from 10 to 30s.
 - Remove dependency on Types::Serialiser.
 - client: fail immediately when the accountd is unreachable.
 - Makefile: set executable bit for $(bindir)/lacme-accountd and
   $(sbindir)/lacme.
 - client: avoid "Use of uninitialized value in pattern match (m//)"
   perl warnings when the accountd socket can't be reached.
 - webserver: reopen stdin from /dev/null.
 - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME
   challenge directory.
 - Set the DEBUG environment variable to 0/1 instead of ""/1.
 - Use File::Basename::dirname() to correctly extract the parent
   directory of the socket path.
 - client: Print Terms of Service URL for 'account' command.

 -- Guilhem Moulin <guilhem@fripost.org>  Mon, 22 Feb 2021 03:19:57 +0100
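
Added illustration, not lacme's own code and not part of this changelog: 0.8.1 makes lacme-accountd refuse to sign a JWS whose Protected Header is invalid, and 0.8.0 base64url-decodes incoming signature requests before showing them on stderr.  The standalone Python below shows what such a pre-signing check and such a decoded log line can look like, following the Protected Header requirements of RFC 8555 sec. 6.2 ("alg", "nonce" and "url" present, exactly one of "jwk" or "kid", no "none" algorithm).  The accepted algorithm set, the https-only rule on "url", the function names and the sample request are assumptions chosen for the example; whether lacme-accountd applies exactly these checks is not stated in the changelog.

```python
"""Pre-signing validation of an ACME JWS Protected Header (example, not lacme code).

A signing daemon that holds the account key should never sign an opaque
blob handed to it over a socket: the Protected Header decides which
account key is claimed ("kid"/"jwk"), against which URL and nonce the
signature is bound, and which algorithm the CA will verify.  Validating
it before signing limits what a compromised client can make the daemon
sign.  Checks below follow RFC 8555 sec. 6.2; the algorithm whitelist and
the sample request are assumptions for this example.
"""
import base64
import json

# Assumption: the account key is an RSA key, so only RS256 is acceptable.
ACCEPTED_ALGS = frozenset({"RS256"})
REQUIRED_STRING_FIELDS = ("alg", "nonce", "url")


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url (RFC 7515 sec. 2); JWS never carries '=' padding."""
    if "=" in s:
        raise ValueError("base64url input must be unpadded")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """Encode to unpadded base64url, the form used on the wire."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def validate_protected_header(encoded: str) -> dict:
    """Return the decoded header, or raise ValueError saying why it must not be signed."""
    try:
        header = json.loads(b64url_decode(encoded))
    except ValueError as e:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError(f"Protected Header is not base64url-encoded JSON: {e}")
    if not isinstance(header, dict):
        raise ValueError("Protected Header must be a JSON object")
    for name in REQUIRED_STRING_FIELDS:
        if not isinstance(header.get(name), str) or not header[name]:
            raise ValueError(f"Protected Header lacks non-empty string field {name!r}")
    if header["alg"] not in ACCEPTED_ALGS:  # also rejects "none"
        raise ValueError(f"unacceptable alg {header['alg']!r}")
    if ("jwk" in header) == ("kid" in header):
        raise ValueError("Protected Header must carry exactly one of 'jwk' and 'kid'")
    if not header["url"].startswith("https://"):  # assumption: ACME endpoints are https
        raise ValueError("url must be an https:// URL")
    return header


def is_signable(encoded: str) -> bool:
    """Boolean wrapper: True only if the daemon may sign this request."""
    try:
        validate_protected_header(encoded)
        return True
    except ValueError:
        return False


def describe_request(protected: str, payload: str) -> str:
    """Render a signature request decoded, for a log line (the raw base64url is unreadable)."""
    header = json.dumps(json.loads(b64url_decode(protected)), sort_keys=True)
    body = b64url_decode(payload).decode("utf-8") if payload else "<empty POST-as-GET>"
    return f"protected={header} payload={body}"


# Constructed sample request (assumed values, not captured from a real CA).
SAMPLE_HEADER = b64url_encode(json.dumps({
    "alg": "RS256",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/1",
    "nonce": "7Wk4p5M",
    "url": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
}).encode("utf-8"))

if __name__ == "__main__":
    print(describe_request(SAMPLE_HEADER, ""))
    print("signable:", is_signable(SAMPLE_HEADER))
    bad = b64url_encode(b'{"alg":"none","nonce":"x","url":"https://a","kid":"k"}')
    print("signable (alg none):", is_signable(bad))
```

Note that the payload is deliberately left out of the decision: an empty payload is a legitimate POST-as-GET (RFC 8555 sec. 6.3), and the daemon's job is to refuse malformed headers, not to second-guess every ACME message body.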

lacme (0.7) upstream;

 * Breaking change: the certificate indicated by 'CAfile' is no longer
   used as is in 'certificate-chain' (along with the leaf cert).  The
   chain returned by the ACME v2 endpoint is used instead.  This allows
   for more flexibility with respect to key/CA rotation, cf.
   https://letsencrypt.org/2020/11/06/own-two-feet.html and
   https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
 + 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which
   is a concatenation of all known active CA certificates (which
   includes the previous default).

 -- Guilhem Moulin <guilhem@fripost.org>  Wed, 25 Nov 2020 23:39:39 +0100

lacme (0.6.1) upstream;

 + Adapt Apache2 snippet to Apache2 2.4.
 + Ignore [accountd] section from lacme.conf when the --socket option is
   defined.  This allows remotely-controlled lacme processes to be
   controlled without modifying any config file.
 * Makefile: major refactoring, add install and uninstall targets, honor
   BUILD_DOCDIR and DESTDIR variables.
 * Install lacme manual to section 8.
 * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.
 * Makefile: Use variables for target directories etc.

 -- Guilhem Moulin <guilhem@fripost.org>  Tue, 04 Aug 2020 01:39:47 +0200

lacme (0.6) upstream;

 + client: poll order URL instead of each authz URL successively.
 + lacme: new option 'account --deactivate' for client-initiated account
   deactivation, see RFC 8555 sec. 7.3.6.
 - lacme, client: new dependency Date::Parse, don't parse RFC 3339
   datetime strings from X.509 certs manually.
 - lacme: assume that the iptables(8) binaries are under /usr/sbin not
   /sbin.  As of Buster this is the case, and the maintainer plans to
   drop compatibility symlinks once Bullseye is released.
 - Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
   ACME I-D URL.
 - Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
   authorizations, order and certificate URLs.

 -- Guilhem Moulin <guilhem@fripost.org>  Wed, 21 Aug 2019 18:23:50 +0200

lacme (0.5) upstream;

  + Use ACME v2 endpoints (update protocol to the last draft of the spec
    https://tools.ietf.org/html/draft-ietf-acme-acme-12 ).  Remove the
    'reg=' command, and rename the 'new-reg', 'new-cert' and
    'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert'
    respectively, to match the URI resource names.  For backward
    compatibility 'new-cert' and 'revoke-cert' remain supported.
  - Fix manpage generation with pandoc >=2.1

 -- Guilhem Moulin <guilhem@fripost.org>  Thu, 26 Apr 2018 16:48:13 +0200

lacme (0.4) upstream;

  * Fix generation of manpages with pandoc >=1.18
  * Copy snippets/*.conf to /etc/lacme

 -- Guilhem Moulin <guilhem@fripost.org>  Fri, 28 Jul 2017 00:16:06 +0200

lacme (0.3) upstream;

  + When parsing config-cert files and directories (default "lacme-certs.conf
    lacme-certs.conf.d"), import the default section of files read earlier.
  + new-cert: create certificate files atomically.
  + webserver: allow listening to multiple addresses (useful when
    dual IPv4/IPv6 stack is not supported).  Listen to a UNIX-domain
    socket by default </var/run/lacme-www.socket>.
  + webserver: don't install temporary iptables by default.  Hosts
    without a public HTTP daemon listening on port 80 need to set the
    'listen' option to [::] and/or 0.0.0.0, and possibly set the
    'iptables' option to Yes.
  + Change 'min-days' default from 10 to 21, to avoid expiration notices
    from Let's Encrypt when auto-renewal is done by a cronjob.
  + Provide nginx and apache2 configuration snippets.
  - Ensure lacme's config file descriptor is not passed to the accountd
    or webserver components.
  - new-cert: sort section names if not passed explicitly.
  - new-cert: new CLI option "min-days" overriding the value found in
    the configuration file.
  - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
    extensions as critical in the CSR, following upstream fix of
    Boulder's issue #565.
  - webserver: refuse to follow symlink when serving ACME challenge
    responses.  When dropping privileges to a dedicated UID
    (recommended) only the ACME client could write to its current
    directory anyway, so following symlinks was not a serious
    vulnerability.
  - lacme(1), lacme-accountd(1): fix version number shown with
    --version.
  - client: remove potential race when creating ACME challenge response
    files.
  - When using open with mode "<&=" or ">&=", ensure the expression
    (fileno) is interpreted as an integer.  (This failed in Perl v5.14.2
    from Debian Jessie.)
  - Specify minimum required Perl version (v5.14.2).  Moreover lacme(1)
    requires Socket 1.95 or later (for instance for IPPROTO_IPV6).

 -- Guilhem Moulin <guilhem@fripost.org>  Sun, 19 Feb 2017 13:08:41 +0100

lacme (0.2) upstream;

  + Honor Retry-After headers for certificate issuance and challenge
    responses.
  + Update example of Subscriber Agreement URL to v1.1.1.
  + lacme: automatically spawn lacme-accountd when a "[accountd]" section
    is present in the configuration file.  The "socket" option is then
    ignored, and the two processes communicate through a socket pair.
  + lacme: add an option --quiet to avoid mentioning valid certs (useful
    in cronjobs)
  + "config-certs" now points to a space separated list of files or
    directories.  New default "lacme-certs.conf lacme-certs.conf.d/".
  - Minor manpage fixes
  - More useful message upon Validation Challenge failure.
  - If restricting access via umask() fails, don't include errno in the
    error message as it's not set on failure.

 -- Guilhem Moulin <guilhem@guilhem.org>  Sat, 03 Dec 2016 16:40:56 +0100

lacme (0.1) upstream;

  * Initial public release.  Development was started in December 2015.

 -- Guilhem Moulin <guilhem@guilhem.org>  Tue, 14 Jun 2016 17:30:58 +0200