lacme (0.8.3) upstream;

  + Fix post-issuance validation logic.  We avoid pinning the intermediate
    certificates in the bundle and instead validate the leaf certificate with
    the intermediates supplied during issuance as untrusted (used for chain
    building only).  Only the root certificates are used as trust anchor.
    Not pinning intermediate certificates is in line with Let's Encrypt's
    latest recommendations.
  + Pass the `-in /dev/stdin` option to openssl(1) to avoid a warning with
    OpenSSL 3.2 or later.
  + Fix test suite.

 -- Guilhem Moulin  Thu, 13 Jun 2024 17:39:34 +0200

lacme (0.8.2) upstream;

  + client: Handle "ready" → "processing" → "valid" status change during
    newOrder, instead of just "ready" → "valid".  The latter may be what we
    observe when the server is fast enough, but according to RFC 8555
    sec. 7.1.6 the state actually transitions via the "processing" state and
    we need to account for that.
  - Test suite: Point stretch's archive URL to archive.d.o.

 -- Guilhem Moulin  Tue, 25 Apr 2023 20:06:22 +0200

lacme (0.8.1) upstream;

  + lacme-accountd: improve log messages and refactor logging logic.
  + lacme-accountd: refuse to sign JWS with an invalid Protected Header.
  + lacme: don't write certificate(-chain) file on chown/chmod failure.
  + lacme: default mode for certificate(-chain) creation is 0644 minus umask
    restrictions.  Also, always spawn the client with umask 0022 so that
    starting lacme(8) with a restrictive umask doesn't impede serving
    challenge files.
  + lacme: add 'owner' resp. 'mode' as (preferred) alias for 'chown' resp.
    'chmod'.
  + lacme: split certificates using Net::SSLeay::PEM_* instead of calling
    openssl.
  + lacme: pass a temporary JSON file with the client configuration to the
    internal client, so it doesn't have to parse the INI file again.
  - lacme: in the [accountd] config, let lacme-accountd(1) do the
    %-expansion for 'config', not lacme(8) when building the command.
  - lacme-accountd: don't log debug messages unless --debug is set.
  - lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error
    messages.
  - tests/drop-privileges: ensure failure to drop privileges yields an error
    instead of retaining root privileges.
  - tests/cert-install: include tests for failing chown(2) due to unknown
    user/group name.
  - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate'
    and 'certificate-chain'.
  - lacme: return an error when the 'mode'/'chown' isn't a number.
  - Makefile: replace '$(dir $@)' with '$(@D)'.
  - Test suite: Adjust against current Let's Encrypt staging environment.

 -- Guilhem Moulin  Wed, 25 Jan 2023 03:23:51 +0100

lacme (0.8.0) upstream;

  * Breaking change: 'challenge-directory' now needs to be set to an
    *existing* directory (writable by the lacme client user).  Since lacme(8)
    spawns a builtin webserver by default the change doesn't affect default
    configurations.  Thanks to Benjamin Tietz for the idea and initial patch.
  * Breaking change: the 'iptables' option is now ignored unless the builtin
    webserver is used.
  * Unprivileged user/group for the internal client resp. webserver are now
    configurable at install time.
  * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e., forces
    renewal regardless of the expiration date of existing certificates.
  * Remove decommissioned intermediate CAs Authority X3 and X4 from the
    bundle.
  * Remove cross-signed intermediate CAs from the bundle and add the
    (self-signed) ISRG Root X1 and X2 instead.  This allows us to fully
    validate provided X.509 chains using that self-contained bundle,
    regardless of which CAs are marked as trusted under /etc/ssl/certs.
    This change bumps the minimum OpenSSL version to 1.1.0.
  * Breaking change: lacme(8) and lacme-accountd(1) respectively load their
    configuration file from /etc/lacme/lacme.conf resp.
    /etc/lacme/lacme-accountd.conf when running as root, and
    $XDG_CONFIG_HOME/lacme/lacme.conf resp.
    $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal user.
    There is no fallback to /etc anymore, and the lookup in the current
    directory as preferred choice is removed too.  However lacme-accountd(1)
    can be used without a configuration file under ~/.config/lacme as it
    treats a non-existent default location as an empty file.
  * The client, webserver, and accountd commands are now split on whitespace.
    This doesn't change the default behavior but allows using
    `ssh -T lacme-accountd` to spawn a remote lacme-accountd server for
    instance.
  * Add test suite against Let's Encrypt's staging environment.
  * lacme(8)'s 'config' option in the [accountd] section no longer has a
    default value.  The previous default /etc/lacme/lacme-accountd.conf is
    still honored when root privileges are preserved (the default).
  * Deprecate setting 'privkey' in the [accountd] section of the lacme(8)
    configuration file.  One needs to use the lacme-accountd(1) configuration
    file for that instead.
  * lacme(8): add %-specifiers support for --config=, --socket=,
    --config-certs= (and 'socket'/'config-certs'/'challenge-directory'
    configuration options *before* privilege drop; and for the [accountd]
    section 'command'/'config' configuration options *after* privilege drop).
  * lacme-accountd(1): add %-specifiers support for --config=, --socket= and
    --privkey= (and 'socket'/'privkey' configuration options).
  * lacme-accountd(1): base64url-decode incoming signature requests shown in
    messages to the standard error.
  * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming
    signature requests to a file.
  * lacme-accountd(1): new setting 'keyid' to easily revoke all account
    management access from the client.
  + Improve nginx/apache2 snippets for direct serving of challenge files
    (with the new 'challenge-directory' logic symlinks can be disabled).
  + Split Nginx and Apache2 static configuration snippets into separate
    files.  That way users preferring that over reverse-proxying can just
    source/enable the relevant files without having to uncomment anything.
  + Add support for the TLS Feature extension from RFC 7633; this is mostly
    useful for OCSP Must-Staple.
  + client: use "lacme-client/$VERSION" as User-Agent header.
  + Consolidate error messages for consistency.
  + Sanitize environment when spawning the lacme client, webserver and
    accountd.
  + accountd: replace internal option --conn-fd=FD with flag --stdio.  Using
    stdin/stdout makes it possible to tunnel the accountd connection through
    ssh.  The new flag is documented to allow safe usage in authorized_keys(5)
    restrictions.
  + Remove dependency on List::Util (core module).
  + accountd: Pass JWA and JWK thumbprint via extended greeting data.  This
    gives better forward flexibility.
  - lacme: delay webserver socket shutdown to after the process has
    terminated.
  - documentation: suggest generating private key material with
    genpkey(1ssl); also suggest a command to generate an ECDSA key, not just
    RSA; hint at which key algorithms are supported.
  - documentation: clarify that "file:/path/to/account.key" can point to a
    symmetrically-encrypted private key.
  - documentation: emphasize default values in the config file, and move the
    most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to the
    default section.
  - Raise client timeout from 10 to 30s.
  - Remove dependency on Types::Serialiser.
  - client: fail immediately when the accountd is unreachable.
  - Makefile: set executable bit for $(bindir)/lacme-accountd and
    $(sbindir)/lacme.
  - client: avoid "Use of uninitialized value in pattern match (m//)" perl
    warnings when the accountd socket can't be reached.
  - webserver: reopen stdin from /dev/null.
  - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME
    challenge directory.
  - Set the DEBUG environment variable to 0/1 instead of ""/1.
  - Use File::Basename::dirname() to correctly extract the parent directory
    of the socket path.
  - client: Print Terms of Service URL for 'account' command.

 -- Guilhem Moulin  Mon, 22 Feb 2021 03:19:57 +0100

lacme (0.7) upstream;

  * Breaking change: the certificate indicated by 'CAfile' is no longer used
    as is in 'certificate-chain' (along with the leaf cert).  The chain
    returned by the ACME v2 endpoint is used instead.  This allows for more
    flexibility with respect to key/CA rotation, cf. and
  + 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which is a
    concatenation of all known active CA certificates (which includes the
    previous default).

 -- Guilhem Moulin  Wed, 25 Nov 2020 23:39:39 +0100

lacme (0.6.1) upstream;

  + Adapt Apache2 snippet to Apache2 2.4.
  + Ignore [accountd] section from lacme.conf when the --socket option is
    defined.  This allows remotely-controlled lacme processes to be
    controlled without modifying any config files.
  * Makefile: major refactoring, add install and uninstall targets, honor
    BUILD_DOCDIR and DESTDIR variables.
  * Install lacme manual to section 8.
  * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.
  * Makefile: Use variables for target directories etc.

 -- Guilhem Moulin  Tue, 04 Aug 2020 01:39:47 +0200

lacme (0.6) upstream;

  + client: poll order URL instead of each authz URL successively.
  + lacme: new option 'account --deactivate' for client-initiated account
    deactivation, see RFC 8555 sec. 7.3.6.
  - lacme, client: new dependency Date::Parse, don't parse RFC 3339 datetime
    strings from X.509 certs manually.
  - lacme: assume that the iptables(8) binaries are under /usr/sbin not
    /sbin.  As of Buster this is the case, and the maintainer plans to drop
    compatibility symlinks once Bullseye is released.
  - Link to RFC 8555 instead of the ACME I-D URL.
  - Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
    authorizations, order and certificate URLs.

 -- Guilhem Moulin  Wed, 21 Aug 2019 18:23:50 +0200

lacme (0.5) upstream;

  + Use ACME v2 endpoints (update protocol to the last draft of the spec).
    Remove the 'reg=' command, and rename the 'new-reg', 'new-cert' and
    'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert'
    respectively, to match the URI resource names.  For backward
    compatibility 'new-cert' and 'revoke-cert' remain supported.
  - Fix manpage generation with pandoc >=2.1

 -- Guilhem Moulin  Thu, 26 Apr 2018 16:48:13 +0200

lacme (0.4) upstream;

  * Fix generation of manpages with pandoc >=1.18
  * Copy snippets/*.conf to /etc/lacme

 -- Guilhem Moulin  Fri, 28 Jul 2017 00:16:06 +0200

lacme (0.3) upstream;

  + When parsing config-cert files and directories (default
    "lacme-certs.conf lacme-certs.conf.d"), import the default section of
    files read earlier.
  + new-cert: create certificate files atomically.
  + webserver: allow listening to multiple addresses (useful when dual
    IPv4/IPv6 stack is not supported).  Listen to a UNIX-domain socket by
    default.
  + webserver: don't install temporary iptables by default.  Hosts without a
    public HTTP daemon listening on port 80 need to set the 'listen' option
    to [::] and/or, and possibly set the 'iptables' option to Yes.
  + Change 'min-days' default from 10 to 21, to avoid expiration notices
    from Let's Encrypt when auto-renewal is done by a cronjob.
  + Provide nginx and apache2 configuration snippets.
  - Ensure lacme's config file descriptor is not passed to the accountd or
    webserver components.
  - new-cert: sort section names if not passed explicitly.
  - new-cert: new CLI option "min-days" overriding the value found in the
    configuration file.
  - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
    extensions as critical in the CSR, following upstream fix of Boulder's
    issue #565.
  - webserver: refuse to follow symlinks when serving ACME challenge
    responses.  When dropping privileges to a dedicated UID (recommended)
    only the ACME client could write to its current directory anyway, so
    following symlinks was not a serious vulnerability.
  - lacme(1), lacme-accountd(1): fix version number shown with --version.
  - client: remove potential race when creating ACME challenge response
    files.
  - When using open with mode "<&=" or ">&=", ensure the expression (fileno)
    is interpreted as an integer.  (This failed in Perl v5.14.2 from Debian
    Jessie.)
  - Specify minimum required Perl version (v5.14.2).  Moreover lacme(1)
    requires Socket 1.95 or later (for instance for IPPROTO_IPV6).

 -- Guilhem Moulin  Sun, 19 Feb 2017 13:08:41 +0100

lacme (0.2) upstream;

  + Honor Retry-After headers for certificate issuance and challenge
    responses.
  + Update example of Subscriber Agreement URL to v1.1.1.
  + lacme: automatically spawn lacme-accountd when a "[accountd]" section is
    present in the configuration file.  The "socket" option is then ignored,
    and the two processes communicate through a socket pair.
  + lacme: add an option --quiet to avoid mentioning valid certs (useful in
    cronjobs).
  + "config-certs" now points to a space separated list of files or
    directories.  New default "lacme-certs.conf lacme-certs.conf.d/".
  - Minor manpage fixes.
  - More useful message upon Validation Challenge failure.
  - If restricting access via umask() fails, don't include errno in the
    error message as it's not set on failure.

 -- Guilhem Moulin  Sat, 03 Dec 2016 16:40:56 +0100

lacme (0.1) upstream;

  * Initial public release.  Development was started in December 2015.

 -- Guilhem Moulin  Tue, 14 Jun 2016 17:30:58 +0200
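The post-issuance validation logic described in the 0.8.3 entry (root certificates as the only trust anchor, issuance-time intermediates passed as untrusted and used for chain building only), as an added shell example that is not lacme's own code. It assumes a POSIX shell and openssl(1) supporting `-untrusted`, `-no-CAfile` and `-no-CApath` (OpenSSL 1.1.0 or later), builds a constructed throwaway PKI, and uses a second intermediate to stand in for a CA rotation so the difference from a pinned bundle is visible.

```shell
#!/bin/sh
# Added example, not lacme's own code. A constructed Root -> Intermediate -> Leaf
# PKI is built with openssl(1); the leaf is then validated as the 0.8.3 entry
# describes: roots are the only trust anchor (-CAfile) and the intermediate that
# came with the issued chain is passed as untrusted (-untrusted), i.e. used for
# chain building only. A second intermediate stands in for a CA rotation.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# newkey_csr NAME CN: fresh RSA key and CSR (constructed subjects, no real CA).
newkey_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# sign NAME ISSUER EXTFILE: issue NAME.pem from NAME.csr under ISSUER's key.
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 30 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.net\n' >leaf.ext
    newkey_csr root "Demo Root"
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1
    newkey_csr int1 "Demo Intermediate 1"; sign int1 root ca.ext
    newkey_csr int2 "Demo Intermediate 2"; sign int2 root ca.ext
    newkey_csr leaf "www.example.net";     sign leaf int2 leaf.ext
    cat root.pem int1.pem >pinned-bundle.pem   # pre-0.8.3 style bundle
}

# Pre-0.8.3 style: intermediate pinned in the trust bundle. Breaks as soon as
# the CA issues from an intermediate the bundle does not carry (int2 here).
verify_pinned() {
    openssl verify -no-CAfile -no-CApath -CAfile pinned-bundle.pem leaf.pem >/dev/null 2>&1
}

# 0.8.3 style: root-only anchor, issuance-time intermediate supplied untrusted.
verify_untrusted() {
    openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted int2.pem \
        leaf.pem >/dev/null 2>&1
}

build_pki
verify_pinned || echo "pinned bundle: FAIL (expected after intermediate rotation)"
verify_untrusted && echo "root anchor + untrusted intermediate: OK"
```

The pinned bundle fails only because it predates the rotation to the second intermediate; with the root as sole anchor and the delivered intermediate passed as untrusted, the same leaf validates without any bundle update.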