lacme (0.8.0-1) UNRELEASED; urgency=medium The internal webserver now runs as system user _lacme-www:nogroup instead of www-data:www-data by default. The internal ACME client now runs as system user _lacme-client:nogroup instead of nobody:nogroup by default. Both settings are configurable in the lacme(8) configuration file. lacme(8) loads its configuration file from /etc/lacme/lacme.conf when running as root, and from $XDG_CONFIG_HOME/lacme/lacme.conf otherwise. There is no lookup in the current directory anymore, nor fallback lookup to /etc. 'challenge-directory' now needs to be set to an *existing* directory (writable by the lacme client user). Since lacme(8) spawns a builtin webserver by default the change only affects configurations with a custom 'challenge-directory' setting. -- Guilhem Moulin Mon, 22 Feb 2021 02:00:00 +0100 lacme (0.7-1) unstable; urgency=high The certificate indicated by 'CAfile' is no longer used as is in 'certificate-chain' (along with the leaf cert). The chain returned by the ACME v2 endpoint is used instead. This allows for more flexibility with respect to key/CA rotation. See for instance https://letsencrypt.org/2020/11/06/own-two-feet.html and https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018 'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt which is a concatenation of all known active CA certificates (which includes the previous default). Starting December 2020 Let's Encrypt will use a different chain of trust for certificate issuance, so users will a non-default 'CAfile' might need to adjust the value. -- Guilhem Moulin Thu, 26 Nov 2020 00:08:32 +0100