lacme (0.7) UNRELEASED;
 + Default listening socket for the webserver component is now
   /run/lacme-www.socket.  (It was previously under the legacy directory
   /var/run.)
 + Adapt Apache2 snippet to Apache2 2.4.
 * Makefile: major refactoring, add install and uninstall targets, honor
   BUILD_DOCDIR and DESTDIR variables.
 * Install lacme manual to section 8.
 * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.
 -- Guilhem Moulin <guilhem@debian.org>  Thu, 22 Aug 2019 00:31:35 +0200
lacme (0.6) upstream;
 + client: poll order URL instead of each authz URL successively.
 + lacme: new option 'account --deactivate' for client-initiated account
   deactivation, see RFC 8555 sec. 7.3.6.
 - lacme, client: new dependency Date::Parse, don't parse RFC 3339
   datetime strings from X.509 certs manually.
 - lacme: assume that the iptables(8) binaries are under /usr/sbin not
   /sbin.  As of Buster this is the case, and the maintainer plans to
   drop compatibility symlinks once Bullseye is released.
 - Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
   ACME I-D URL.
 - Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
   authorizations, order and certificate URLs.
 -- Guilhem Moulin <guilhem@fripost.org>  Wed, 21 Aug 2019 18:23:50 +0200
lacme (0.5) upstream;
  + Use ACME v2 endpoints (update protocol to the last draft of the spec
    https://tools.ietf.org/html/draft-ietf-acme-acme-12 ).  Remove the
    'reg=' command, and rename the 'new-reg', 'new-cert' and
    'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert'
    respectively, to match the URI resource names.  For backward
    compatibility 'new-cert' and 'revoke-cert' remain supported.
  - Fix manpage generation with pandoc >=2.1
 -- Guilhem Moulin <guilhem@fripost.org>  Thu, 26 Apr 2018 16:48:13 +0200
lacme (0.4) upstream;
  * Fix generation of manpages with pandoc >=1.18
  * Copy snippets/*.conf to /etc/lacme
 -- Guilhem Moulin <guilhem@fripost.org>  Fri, 28 Jul 2017 00:16:06 +0200
lacme (0.3) upstream;
  + When parsing config-cert files and directories (default "lacme-certs.conf
    lacme-certs.conf.d"), import the default section of files read earlier.
  + new-cert: create certificate files atomically.
  + webserver: allow listening to multiple addresses (useful when
    dual IPv4/IPv6 stack is not supported).  Listen to a UNIX-domain
    socket by default </var/run/lacme-www.socket>.
  + webserver: don't install temporary iptables by default.  Hosts
    without a public HTTP daemon listening on port 80 need to set the
    'listen' option to [::] and/or 0.0.0.0, and possibly set the
    'iptables' option to Yes.
  + Change 'min-days' default from 10 to 21, to avoid expiration notices
    from Let's Encrypt when auto-renewal is done by a cronjob.
  + Provide nginx and apache2 configuration snippets.
  - Ensure lacme's config file descriptor is not passed to the accountd
    or webserver components.
  - new-cert: sort section names if not passed explicitly.
  - new-cert: new CLI option "min-days" overriding the value found in
    the configuration file.
  - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
    extensions as critical in the CSR, following upstream fix of
    Boulder's issue #565.
  - webserver: refuse to follow symlink when serving ACME challenge
    responses.  When dropping privileges to a dedicated UID
    (recommended) only the ACME client could write to its current
    directory anyway, so following symlinks was not a serious
    vulnerability.
  - lacme(1), lacme-accountd(1): fix version number shown with
    --version.
  - client: remove potential race when creating ACME challenge response
    files.
  - When using open with mode "<&=" or ">&=", ensure the expression
    (fileno) is interpreted as an integer.  (This failed in Perl v5.14.2
    from Debian Jessie.)
  - Specify minimum required Perl version (v5.14.2).  Moreover lacme(1)
    requires Socket 1.95 or later (for instance for IPPROTO_IPV6).
 -- Guilhem Moulin <guilhem@fripost.org>  Sun, 19 Feb 2017 13:08:41 +0100
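The 0.3 entries about race-free creation of challenge response files, atomic certificate file creation and refusing to follow symlinks when serving challenges describe three file-handling hardenings. The Perl snippet below is an added example, not lacme's own code: it shows one straightforward way to implement each on Linux. The function names, the scratch directory, the sample token and the key authorization value are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not lacme's code): the three file-handling hardenings from
# the lacme 0.3 changelog, written stand-alone against a scratch directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_RDONLY O_CREAT O_EXCL O_NOFOLLOW);
use File::Spec;
use File::Temp qw(tempdir);

# Challenge response files: O_CREAT|O_EXCL makes the open fail if the path
# already exists (including a symlink planted there), so two concurrent runs
# cannot silently clobber each other's file and nothing pre-existing is
# followed or overwritten.
sub write_challenge {
    my ($dir, $token, $keyauth) = @_;
    my $path = File::Spec->catfile($dir, $token);
    sysopen(my $fh, $path, O_WRONLY|O_CREAT|O_EXCL, 0644)
        or die "Can't create $path: $!";
    print $fh $keyauth or die "Can't write $path: $!";
    close $fh or die "Can't close $path: $!";
    return $path;
}

# Certificate files: write the complete content to a temporary file in the
# same directory, then rename(2) it over the destination.  A reader sees
# either the old file or the whole new one, never a truncated one.
sub write_atomically {
    my ($path, $content) = @_;
    my $tmp = "$path.tmp.$$";
    sysopen(my $fh, $tmp, O_WRONLY|O_CREAT|O_EXCL, 0644)
        or die "Can't create $tmp: $!";
    print $fh $content or die "Can't write $tmp: $!";
    close $fh or die "Can't close $tmp: $!";
    rename $tmp, $path or die "Can't rename $tmp to $path: $!";
    return $path;
}

# Serving a challenge: restrict the token to the base64url alphabet
# (RFC 8555 sec. 8.3), which also rules out '.' and '/' and thus any path
# traversal; open with O_NOFOLLOW so the kernel rejects a symlink at that
# path instead of following it; and refuse anything but a regular file.
sub read_challenge {
    my ($dir, $token) = @_;
    return undef unless $token =~ /\A[A-Za-z0-9_-]+\z/;
    my $path = File::Spec->catfile($dir, $token);
    sysopen(my $fh, $path, O_RDONLY|O_NOFOLLOW) or return undef;
    return undef unless -f $fh;
    local $/;                       # slurp mode
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Demonstration on a throw-away directory with constructed sample values.
my $dir = tempdir(CLEANUP => 1);
write_challenge($dir, 'sampletoken', 'sampletoken.sample-thumbprint');
eval { write_challenge($dir, 'sampletoken', 'something else') };
print "second create of the same token refused: ", ($@ ? "yes" : "no"), "\n";

symlink '/etc/hostname', "$dir/evil" or die "symlink: $!";
print "symlink served: ", (defined read_challenge($dir, 'evil') ? "yes" : "no"), "\n";
print "traversal served: ", (defined read_challenge($dir, '../evil') ? "yes" : "no"), "\n";
print "real file served: ", read_challenge($dir, 'sampletoken'), "\n";

write_atomically("$dir/cert.pem", "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n");
print "cert written: ", (-s "$dir/cert.pem" ? "yes" : "no"), "\n";
```

The O_NOFOLLOW check only protects the final path component; the same is true of the check lacme's changelog describes, which is why the entry notes that dropping privileges to a dedicated UID is the primary defence and the symlink refusal is belt and braces. Keeping the temporary file in the same directory as the destination matters for the atomic write: rename(2) is only atomic within one filesystem.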
lacme (0.2) upstream;
  + Honor Retry-After headers for certificate issuance and challenge
    responses.
  + Update example of Subscriber Agreement URL to v1.1.1.
  + lacme: automatically spawn lacme-accountd when a "[accountd]" section
    is present in the configuration file.  The "socket" option is then
    ignored, and the two processes communicate through a socket pair.
  + lacme: add an option --quiet to avoid mentioning valid certs (useful
    in cronjobs)
  + "config-certs" now points to a space separated list of files or
    directories.  New default "lacme-certs.conf lacme-certs.conf.d/".
  - Minor manpage fixes
  - More useful message upon Validation Challenge failure.
 -- Guilhem Moulin <guilhem@guilhem.org>  Sat, 03 Dec 2016 16:40:56 +0100
lacme (0.1) upstream;
  * Initial public release.  Development was started in December 2015.
 -- Guilhem Moulin <guilhem@guilhem.org>  Tue, 14 Jun 2016 17:30:58 +0200