Changelog


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

lacme (0.3) upstream;

  + When parsing config-cert files and directories (default "lacme-certs.conf
    lacme-certs.conf.d"), import the default section of files read earlier.
  + new-cert: create certificate files atomically.
  + webserver: allow listening to multiple addresses (useful when
    dual IPv4/IPv6 stack is not supported).  Listen to a UNIX-domain
    socket by default </var/run/lacme.socket>.
  + webserver: don't install temporary iptables by default.  Hosts
    without a public HTTP daemon listening on port 80 need to set the
    'listen' option to [::] and/or 0.0.0.0, and possibly set the
    'iptables' option to Yes.
  + Change 'min-days' default from 10 to 21, to avoid expiration notices
    from Let's Encrypt when auto-renewal is done by a cronjob.
  + Provide nginx and apache2 configuration snippets.
  - Ensure lacme's config file descriptor is not passed to the accountd
    or webserver components.
  - new-cert: sort section names if not passed explicitely.
  - new-cert: new CLI option "min-days" overriding the value found in
    the configuration file.
  - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
    extensions as critical in the CSR, following upstream fix of
    Boulder's issue #565.
  - webserver: refuse to follow symlink when serving ACME challenge
    responses.  When dropping privileges to a dedicated UID
    (recommended) only the ACME client could write to its current
    directory anyway, so following symlinks was not a serious
    vulnerability.
  - lacme(1), lacme-accountd(1): fix version number shown with
    --version.
  - client: remove potential race when creating ACME challenge response
    files.
  - When using open with mode "<&=" or ">&=", ensure the expression
    (fileno) is interpreted as an integer.  (This failed in Perl v5.14.2
    from Debian Jessie.)
  - Specify minimum required Perl version (v5.14.2).  Moreover lacme(1)
    requires Socket 1.95 or later (for instance for IPPROTO_IPV6).

 -- Guilhem Moulin <guilhem@guilhem.org>  Sun, 19 Feb 2017 13:08:41 +0100

lacme (0.2) upstream;

  + Honor Retry-After headers for certificate issuance and challenge
    responses.
  + Update example of Subscriber Agreement URL to v1.1.1.
  + lacme: automaticall spawn lacme-acountd when a "[accountd]" section
    is present in the configuration file.  The "socket" option is then
    ignored, and the two processes communicate through a socket pair.
  + lacme: add an option --quiet to avoid mentioning valid certs (useful
    in cronjobs)
  + "config-certs" now points to a space separated list of files or
    directories.  New default "lacme-certs.conf lacme-certs.conf.d/".
  - Minor manpage fixes
  - More useful message upon Validation Challenge failure.

 -- Guilhem Moulin <guilhem@guilhem.org>  Sat, 03 Dec 2016 16:40:56 +0100

lacme (0.1) upstream;

  * Initial public release.  Development was started in December 2015.

 -- Guilhem Moulin <guilhem@guilhem.org>  Tue, 14 Jun 2016 17:30:58 +0200