1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
|
lacme (0.8.1) upstream;
+ lacme-accountd: improve log messages and refactor logging logic.
+ lacme-accountd: refuse to sign JWS with an invalid Protected Header.
- lacme: in the [accountd] config, let lacme-accountd(1) do the
%-expansion for 'config', not lacme(8) when building the command.
- lacme-accountd: don't log debug messages unless --debug is set.
- lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error
messages.
-- Guilhem Moulin <guilhem@fripost.org> Mon, 22 Feb 2021 12:04:28 +0100
lacme (0.8.0) upstream;
* Breaking change: 'challenge-directory' now needs to be set to an
*existing* directory (writable by the lacme client user). Since
lacme(8) spawns a builtin webserver by default the change doesn't
affect default configurations.
Thanks to Benjamin Tietz for the idea and initial patch.
* Breaking change: the 'iptables' option is now ignored unless the
builtin webserver is used.
* Unprivileged user/group for the internal client resp. webserver are
now configurable at install time.
* lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e.,
forces renewal regardless of the expiration date of existing
certificates.
* Remove decomissioned intermediate CAs Authority X3 and X4 from the
bundle.
* Remove cross-signed intermediate CAs from the bundle and add the
(self-signed) ISRG Root X1 and X2 instead. This allows us to fully
validate provided X.509 chains using that self-contained bundle,
regardless of which CAs is marqued as trusted under /etc/ssl/certs.
This change bumps the minimum OpenSSL version to 1.1.0.
* Breaking change: lacme(8) and lacme-accountd(1) respectively load
their configuration file from /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp.
$XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal
user. There is no fallback to /etc anymore, and the lookup in the
current directory as prefered choice is removed too. However
lacme-accountd(1) can be used without configuration file under
~/.config/lacme as it treats a non-existent default location as an
empty file.
* The client, webserver, and accountd commands are now split on
whitespace. This doesn't change the default behavior but allows
using `ssh -T lacme@account.example.net lacme-accountd` to spawn a
remote lacme-accountd server for instance.
* Add test suite against Let's Encrypt's staging environment
https://letsencrypt.org/docs/staging-environment/ .
* lacme(8)'s 'config' option in the [accountd] section no longer have a
default value. The previous default /etc/lacme/lacme-accountd.conf
is still honored when root privileges are preserved (the default).
* Deprecate setting 'privkey' in [accountd] section of the lacme(8)
configuration file. One need to use the lacme-accountd(1)
configuration file for that instead.
* lacme(8): add %-specifiers support for --config=, --socket=,
--config-certs= (and 'socket'/'config-certs'/'challenge-directory'
configuration options *before* privilege drop; and for the [accountd]
section 'command'/'config' configuration options *after* privilege
drop).
* lacme-accountd(1): add %-specifiers support for --config=, --socket=
and --privkey= (and 'socket'/'privkey' configuration options).
* lacme-accountd(1): base64url-decode incoming signature requests shown
in messages to the standard error.
* lacme-accountd(1): new setting 'logfile' to log (decoded) incoming
signature requests to a file.
* lacme-accountd(1): new setting 'keyid' to easily revoke all account
management access from the client.
+ Improve nginx/apache2 snippets for direct serving of challenge files
(with the new 'challenge-directory' logic symlinks can be disabled).
+ Split Nginx and Apapche2 static configuration snippets into seperate
files. That way users prefering that over reverse-proxying can just
source/enable the relevant files without having to uncomment
anything.
+ Add support for TLS Feature extension from RFC 7633; this is mostly
useful for OCSP Must-Staple.
+ client: use "lacme-client/$VERSION" as User-Agent header.
+ Consolidate error messages for consistency.
+ Sanitize environment when spawning the lacme client, webserver and
accountd.
+ accountd: replace internal option --conn-fd=FD with flag --stdio.
Using stdin/stdout makes it possible to tunnel the accountd
connection through ssh. The new flag is documented to allow safe
usage is authorized_keys(5) restrictions.
+ Remove dependency on List::Util (core module).
+ accountd: Pass JWA and JWK thumbprint via extended greeting data.
This gives better forward flexibility.
- lacme: delay webserver socket shutdown to after the process has
terminated.
- documentation: suggest to generate private key material with
genpkey(1ssl); also suggest a command to generate an ECDSA key not
just RSA; hint at which key algorithms are supported.
- documentation: clarify that "file:/path/to/account.key" can point to
a symmetrically-encrypted private key.
- documentation: emphasize default values in the config file, and move
the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to
the default section.
- Raise client timeout from 10 to 30s.
- Remove dependency on Types::Serialiser.
- client: fail immediately when the accountd is unreachable.
- Makefile: set executable bit for $(bindir)/lacme-accountd and
$(sbindir)/lacme.
- client: avoid "Use of uninitialized value in pattern match (m//)"
perl warnings when the accountd socket can't be reached.
- webserver: reopen stdin from /dev/null.
- Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME
challenge directory.
- Set the DEBUG environment variable to 0/1 instead of ""/1.
- Use File::Basename::dirname() to correctly extract the parent
directory of the socket path.
- client: Print Terms of Service URL for 'account' command.
-- Guilhem Moulin <guilhem@fripost.org> Mon, 22 Feb 2021 03:19:57 +0100
lacme (0.7) upstream;
* Breaking change: the certificate indicated by 'CAfile' is no longer
used as is in 'certificate-chain' (along with the leaf cert). The
chain returned by the ACME v2 endpoint is used instead. This allows
for more flexibility with respect to key/CA rotation, cf.
https://letsencrypt.org/2020/11/06/own-two-feet.html and
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
+ 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which
is a concatenation of all known active CA certificates (which
includes the previous default).
-- Guilhem Moulin <guilhem@fripost.org> Wed, 25 Nov 2020 23:39:39 +0100
lacme (0.6.1) upstream;
+ Adapt Apache2 snippet to Apache2 2.4.
+ Ignore [accountd] section from lacme.conf when the --socket option is
defined. This allows remotely-controlled lacme processes being
controlled without modifying an config files.
* Makefile: major refactoring, add install and uninstall targets, honor
BUILD_DOCDIR and DESTDIR variables.
* Install lacme manual to section 8.
* Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.
* Makefile: Use variables for target directories etc.
-- Guilhem Moulin <guilhem@fripost.org> Tue, 04 Aug 2020 01:39:47 +0200
lacme (0.6) upstream;
+ client: poll order URL instead of each authz URL successively.
+ lacme: new option 'account --deactivate' for client-initiated account
deactivation, see RFC 8555 sec. 7.3.6.
- lacme, client: new dependency Date::Parse, don't parse RFC 3339
datetime strings from X.509 certs manually.
- lacme: assume that the iptables(8) binaries are under /usr/sbin not
/sbin. As of Buster this is the case, and the maintainer plans to
drop compatibility symlinks once Bullseye is released.
- Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
ACME I-D URL.
- Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
authorizations, order and certificate URLs.
-- Guilhem Moulin <guilhem@fripost.org> Wed, 21 Aug 2019 18:23:50 +0200
lacme (0.5) upstream;
+ Use ACME v2 endpoints (update protocol to the last draft of the spec
https://tools.ietf.org/html/draft-ietf-acme-acme-12 ). Remove the
'reg=' command, and rename the 'new-reg', 'new-cert' and
'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert'
respectively, to match the the URI resource names. For backward
compatibility 'new-cert' and 'revoke-cert' remain supported.
- Fix manpage generation with pandoc >=2.1
-- Guilhem Moulin <guilhem@fripost.org> Thu, 26 Apr 2018 16:48:13 +0200
lacme (0.4) upstream;
* Fix generation of manpages with pandoc >=1.18
* Copy snippets/*.conf to /etc/lacme
-- Guilhem Moulin <guilhem@fripost.org> Fri, 28 Jul 2017 00:16:06 +0200
lacme (0.3) upstream;
+ When parsing config-cert files and directories (default "lacme-certs.conf
lacme-certs.conf.d"), import the default section of files read earlier.
+ new-cert: create certificate files atomically.
+ webserver: allow listening to multiple addresses (useful when
dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain
socket by default </var/run/lacme-www.socket>.
+ webserver: don't install temporary iptables by default. Hosts
without a public HTTP daemon listening on port 80 need to set the
'listen' option to [::] and/or 0.0.0.0, and possibly set the
'iptables' option to Yes.
+ Change 'min-days' default from 10 to 21, to avoid expiration notices
from Let's Encrypt when auto-renewal is done by a cronjob.
+ Provide nginx and apache2 configuration snippets.
- Ensure lacme's config file descriptor is not passed to the accountd
or webserver components.
- new-cert: sort section names if not passed explicitely.
- new-cert: new CLI option "min-days" overriding the value found in
the configuration file.
- new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
extensions as critical in the CSR, following upstream fix of
Boulder's issue #565.
- webserver: refuse to follow symlink when serving ACME challenge
responses. When dropping privileges to a dedicated UID
(recommended) only the ACME client could write to its current
directory anyway, so following symlinks was not a serious
vulnerability.
- lacme(1), lacme-accountd(1): fix version number shown with
--version.
- client: remove potential race when creating ACME challenge response
files.
- When using open with mode "<&=" or ">&=", ensure the expression
(fileno) is interpreted as an integer. (This failed in Perl v5.14.2
from Debian Jessie.)
- Specify minimum required Perl version (v5.14.2). Moreover lacme(1)
requires Socket 1.95 or later (for instance for IPPROTO_IPV6).
-- Guilhem Moulin <guilhem@fripost.org> Sun, 19 Feb 2017 13:08:41 +0100
lacme (0.2) upstream;
+ Honor Retry-After headers for certificate issuance and challenge
responses.
+ Update example of Subscriber Agreement URL to v1.1.1.
+ lacme: automaticall spawn lacme-acountd when a "[accountd]" section
is present in the configuration file. The "socket" option is then
ignored, and the two processes communicate through a socket pair.
+ lacme: add an option --quiet to avoid mentioning valid certs (useful
in cronjobs)
+ "config-certs" now points to a space separated list of files or
directories. New default "lacme-certs.conf lacme-certs.conf.d/".
- Minor manpage fixes
- More useful message upon Validation Challenge failure.
-- Guilhem Moulin <guilhem@guilhem.org> Sat, 03 Dec 2016 16:40:56 +0100
lacme (0.1) upstream;
* Initial public release. Development was started in December 2015.
-- Guilhem Moulin <guilhem@guilhem.org> Tue, 14 Jun 2016 17:30:58 +0200
|