1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
lacme (0.6) upstream;
+ client: poll order URL instead of each authz URL successively.
+ lacme: new option 'account --deactivate' for client-initiated account
deactivation, see RFC 8555 sec. 7.3.6.
- lacme, client: new dependency Date::Parse, don't parse RFC 3339
datetime strings from X.509 certs manually.
- lacme: assume that the iptables(1) binaries are under /usr/sbin not
/sbin. As of Buster this is the case, and the maintainer plans to
drop compatibility symlinks once Bullseye is released.
- Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
ACME I-D URL.
- Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
authorizations, order and certificate URLs.
-- Guilhem Moulin <guilhem@fripost.org> Wed, 21 Aug 2019 18:23:50 +0200
lacme (0.5) upstream;
+ Use ACME v2 endpoints (update protocol to the last draft of the spec
https://tools.ietf.org/html/draft-ietf-acme-acme-12 ). Remove the
'reg=' command, and rename the 'new-reg', 'new-cert' and
'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert'
respectively, to match the the URI resource names. For backward
compatibility 'new-cert' and 'revoke-cert' remain supported.
- Fix manpage generation with pandoc >=2.1
-- Guilhem Moulin <guilhem@fripost.org> Thu, 26 Apr 2018 16:48:13 +0200
lacme (0.4) upstream;
* Fix generation of manpages with pandoc >=1.18
* Copy snippets/*.conf to /etc/lacme
-- Guilhem Moulin <guilhem@fripost.org> Fri, 28 Jul 2017 00:16:06 +0200
lacme (0.3) upstream;
+ When parsing config-cert files and directories (default "lacme-certs.conf
lacme-certs.conf.d"), import the default section of files read earlier.
+ new-cert: create certificate files atomically.
+ webserver: allow listening to multiple addresses (useful when
dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain
socket by default </var/run/lacme-www.socket>.
+ webserver: don't install temporary iptables by default. Hosts
without a public HTTP daemon listening on port 80 need to set the
'listen' option to [::] and/or 0.0.0.0, and possibly set the
'iptables' option to Yes.
+ Change 'min-days' default from 10 to 21, to avoid expiration notices
from Let's Encrypt when auto-renewal is done by a cronjob.
+ Provide nginx and apache2 configuration snippets.
- Ensure lacme's config file descriptor is not passed to the accountd
or webserver components.
- new-cert: sort section names if not passed explicitely.
- new-cert: new CLI option "min-days" overriding the value found in
the configuration file.
- new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
extensions as critical in the CSR, following upstream fix of
Boulder's issue #565.
- webserver: refuse to follow symlink when serving ACME challenge
responses. When dropping privileges to a dedicated UID
(recommended) only the ACME client could write to its current
directory anyway, so following symlinks was not a serious
vulnerability.
- lacme(1), lacme-accountd(1): fix version number shown with
--version.
- client: remove potential race when creating ACME challenge response
files.
- When using open with mode "<&=" or ">&=", ensure the expression
(fileno) is interpreted as an integer. (This failed in Perl v5.14.2
from Debian Jessie.)
- Specify minimum required Perl version (v5.14.2). Moreover lacme(1)
requires Socket 1.95 or later (for instance for IPPROTO_IPV6).
-- Guilhem Moulin <guilhem@fripost.org> Sun, 19 Feb 2017 13:08:41 +0100
lacme (0.2) upstream;
+ Honor Retry-After headers for certificate issuance and challenge
responses.
+ Update example of Subscriber Agreement URL to v1.1.1.
+ lacme: automaticall spawn lacme-acountd when a "[accountd]" section
is present in the configuration file. The "socket" option is then
ignored, and the two processes communicate through a socket pair.
+ lacme: add an option --quiet to avoid mentioning valid certs (useful
in cronjobs)
+ "config-certs" now points to a space separated list of files or
directories. New default "lacme-certs.conf lacme-certs.conf.d/".
- Minor manpage fixes
- More useful message upon Validation Challenge failure.
-- Guilhem Moulin <guilhem@guilhem.org> Sat, 03 Dec 2016 16:40:56 +0100
lacme (0.1) upstream;
* Initial public release. Development was started in December 2015.
-- Guilhem Moulin <guilhem@guilhem.org> Tue, 14 Jun 2016 17:30:58 +0200
|