lacme (0.7) UNRELEASED; + Default listening socket for the webserver component is now /run/lacme-www.socket. (It was previously under the legacy directory /var/run.) -- Guilhem Moulin Thu, 22 Aug 2019 00:31:35 +0200 lacme (0.6) upstream; + client: poll order URL instead of each authz URL successively. + lacme: new option 'account --deactivate' for client-initiated account deactivation, see RFC 8555 sec. 7.3.6. - lacme, client: new dependency Date::Parse, don't parse RFC 3339 datetime strings from X.509 certs manually. - lacme: assume that the iptables(1) binaries are under /usr/sbin not /sbin. As of Buster this is the case, and the maintainer plans to drop compatibility symlinks once Bullseye is released. - Link to RFC 8555 instead of the ACME I-D URL. - Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the authorizations, order and certificate URLs. -- Guilhem Moulin Wed, 21 Aug 2019 18:23:50 +0200 lacme (0.5) upstream; + Use ACME v2 endpoints (update protocol to the last draft of the spec https://tools.ietf.org/html/draft-ietf-acme-acme-12 ). Remove the 'reg=' command, and rename the 'new-reg', 'new-cert' and 'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert' respectively, to match the the URI resource names. For backward compatibility 'new-cert' and 'revoke-cert' remain supported. - Fix manpage generation with pandoc >=2.1 -- Guilhem Moulin Thu, 26 Apr 2018 16:48:13 +0200 lacme (0.4) upstream; * Fix generation of manpages with pandoc >=1.18 * Copy snippets/*.conf to /etc/lacme -- Guilhem Moulin Fri, 28 Jul 2017 00:16:06 +0200 lacme (0.3) upstream; + When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier. + new-cert: create certificate files atomically. + webserver: allow listening to multiple addresses (useful when dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain socket by default . + webserver: don't install temporary iptables by default. Hosts without a public HTTP daemon listening on port 80 need to set the 'listen' option to [::] and/or 0.0.0.0, and possibly set the 'iptables' option to Yes. + Change 'min-days' default from 10 to 21, to avoid expiration notices from Let's Encrypt when auto-renewal is done by a cronjob. + Provide nginx and apache2 configuration snippets. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. - new-cert: new CLI option "min-days" overriding the value found in the configuration file. - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3 extensions as critical in the CSR, following upstream fix of Boulder's issue #565. - webserver: refuse to follow symlink when serving ACME challenge responses. When dropping privileges to a dedicated UID (recommended) only the ACME client could write to its current directory anyway, so following symlinks was not a serious vulnerability. - lacme(1), lacme-accountd(1): fix version number shown with --version. - client: remove potential race when creating ACME challenge response files. - When using open with mode "<&=" or ">&=", ensure the expression (fileno) is interpreted as an integer. (This failed in Perl v5.14.2 from Debian Jessie.) - Specify minimum required Perl version (v5.14.2). Moreover lacme(1) requires Socket 1.95 or later (for instance for IPPROTO_IPV6). -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 lacme (0.2) upstream; + Honor Retry-After headers for certificate issuance and challenge responses. + Update example of Subscriber Agreement URL to v1.1.1. + lacme: automaticall spawn lacme-acountd when a "[accountd]" section is present in the configuration file. The "socket" option is then ignored, and the two processes communicate through a socket pair. + lacme: add an option --quiet to avoid mentioning valid certs (useful in cronjobs) + "config-certs" now points to a space separated list of files or directories. New default "lacme-certs.conf lacme-certs.conf.d/". - Minor manpage fixes - More useful message upon Validation Challenge failure. -- Guilhem Moulin Sat, 03 Dec 2016 16:40:56 +0100 lacme (0.1) upstream; * Initial public release. Development was started in December 2015. -- Guilhem Moulin Tue, 14 Jun 2016 17:30:58 +0200