lacme (0.8.1) upstream;

 + lacme-accountd: improve log messages and refactor logging logic.
 + lacme-accountd: refuse to sign JWS with an invalid Protected Header.
 + lacme: don't write certificate(-chain) file on chown/chmod failure.
 + lacme: default mode for certificate(-chain) creation is 0644 minus
   umask restrictions.  Also, always spawn the client with umask 0022 so
   that starting lacme(8) with a restrictive umask doesn't impede serving
   challenge files.
 + lacme: add 'owner' resp. 'mode' as (preferred) alias for 'chown' resp.
   'chmod'.
 + lacme: split certificates using Net::SSLeay::PEM_* instead of calling
   openssl.
 + lacme: pass a temporary JSON file with the client configuration to
   the internal client, so it doesn't have to parse the INI file again.
 - lacme: in the [accountd] config, let lacme-accountd(1) do the
   %-expansion for 'config', not lacme(8) when building the command.
 - lacme-accountd: don't log debug messages unless --debug is set.
 - lacme: when getpwnam()/getgrnam()'s errno is 0, exclude it from error
   messages.
 - tests/drop-privileges: ensure failure to drop privileges yields an
   error instead of retaining root privileges.
 - tests/cert-install: include tests for failing chown(2) due to unknown
   user/group name.
 - lacme: ignore empty values in settings 'chown', 'chmod', 'certificate'
   and 'certificate-chain'.
 - lacme: return an error when the 'mode'/'chown' isn't a number.
 - Makefile: replace '$(dir $@)' with '$(@D)'.
 - Test suite: Adjust against current Let's Encrypt staging environment.

 -- Guilhem Moulin <guilhem@fripost.org>  Mon, 22 Feb 2021 12:04:28 +0100

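The 0.8.1 entries above describe how certificate files are installed: the file must never appear under its final name with the wrong owner or mode, the default mode is 0644 minus the umask, empty 'owner'/'mode' values are ignored, and a non-numeric 'mode' is an error. The following is an added illustration of that behaviour, written in Python for this page; it is not lacme's own code (lacme is written in Perl), and the function names, the temporary-file prefix and the sample PEM content are constructed for the example.

```python
"""Atomic certificate installation with explicit ownership and mode.

Added illustration (not lacme's code): write the certificate to a
temporary file in the target directory, apply chown/chmod to the open
descriptor, and only then rename it into place.  A failure at any step
leaves the target untouched and removes the temporary file.
"""
import grp
import os
import pwd
import tempfile
from typing import Optional, Tuple


def parse_mode(value: Optional[str]) -> Optional[int]:
    """Parse an octal 'mode' setting; None or an empty string means "not set"."""
    if value is None or value.strip() == "":
        return None
    try:
        return int(value, 8)
    except ValueError:
        raise ValueError(f"'mode' must be an octal number, got {value!r}") from None


def resolve_owner(owner: Optional[str]) -> Tuple[int, int]:
    """Map 'owner' ("user", "user:group" or ":group") to (uid, gid); -1 keeps the current value."""
    uid = gid = -1
    if owner is None or owner.strip() == "":
        return uid, gid
    user, _, group = owner.partition(":")
    if user:
        uid = pwd.getpwnam(user).pw_uid   # KeyError for an unknown user name
    if group:
        gid = grp.getgrnam(group).gr_gid  # KeyError for an unknown group name
    return uid, gid


def default_mode() -> int:
    """0644 minus the restrictions imposed by the current umask (not thread-safe)."""
    current = os.umask(0)
    os.umask(current)
    return 0o644 & ~current


def install_certificate(path: str, pem: bytes, mode: Optional[int] = None,
                        owner: Optional[str] = None) -> int:
    """Write `pem` to `path` atomically; return the resulting permission bits."""
    uid, gid = resolve_owner(owner)       # resolve names before touching the filesystem
    if mode is None:
        mode = default_mode()
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".cert-", dir=directory)  # created with mode 0600
    try:
        view = memoryview(pem)
        while view:                        # os.write may write less than requested
            view = view[os.write(fd, view):]
        os.fsync(fd)
        if uid != -1 or gid != -1:
            os.fchown(fd, uid, gid)        # PermissionError if we may not chown
        os.fchmod(fd, mode)
        os.close(fd)
        fd = -1
        os.rename(tmp, path)               # atomic: readers see the old or the new file
    except BaseException:
        if fd != -1:
            os.close(fd)
        os.unlink(tmp)                     # no partial or mis-permissioned file left behind
        raise
    return os.stat(path).st_mode & 0o777


def demo() -> dict:
    """Run the scenarios from the changelog in a scratch directory (constructed data)."""
    d = tempfile.mkdtemp()
    pem = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    target = os.path.join(d, "cert.pem")
    mode_bits = install_certificate(target, pem, mode=parse_mode("0640"))
    with open(target, "rb") as f:
        content_ok = f.read() == pem
    other = os.path.join(d, "other.pem")
    try:
        install_certificate(other, pem, owner="no-such-user-constructed")
        unknown_owner_rejected = False
    except KeyError:
        unknown_owner_rejected = True
    try:
        parse_mode("rw-r--r--")
        bad_mode_rejected = False
    except ValueError:
        bad_mode_rejected = True
    return {
        "mode": mode_bits,
        "content_ok": content_ok,
        "unknown_owner_rejected": unknown_owner_rejected,
        "no_partial_file": not os.path.exists(other),
        "no_leftover_temp": not [n for n in os.listdir(d) if n.startswith(".cert-")],
        "bad_mode_rejected": bad_mode_rejected,
        "empty_mode_ignored": parse_mode("") is None,
    }


if __name__ == "__main__":
    print(demo())
```

Applying chown/chmod through the descriptor (fchown/fchmod) rather than by path means the permissions are fixed on the very file that is later renamed, so a concurrent change in the directory cannot redirect them to a different file.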
lacme (0.8.0) upstream;

 * Breaking change: 'challenge-directory' now needs to be set to an
   *existing* directory (writable by the lacme client user).  Since
   lacme(8) spawns a builtin webserver by default the change doesn't
   affect default configurations.
   Thanks to Benjamin Tietz for the idea and initial patch.
 * Breaking change: the 'iptables' option is now ignored unless the
   builtin webserver is used.
 * Unprivileged user/group for the internal client resp. webserver are
   now configurable at install time.
 * lacme: new flag `--force`, which aliases to `--min-days=-1`, i.e.,
   forces renewal regardless of the expiration date of existing
   certificates.
 * Remove decommissioned intermediate CAs Authority X3 and X4 from the
   bundle.
 * Remove cross-signed intermediate CAs from the bundle and add the
   (self-signed) ISRG Root X1 and X2 instead.  This allows us to fully
   validate provided X.509 chains using that self-contained bundle,
   regardless of which CAs are marked as trusted under /etc/ssl/certs.
   This change bumps the minimum OpenSSL version to 1.1.0.
 * Breaking change: lacme(8) and lacme-accountd(1) respectively load
   their configuration file from /etc/lacme/lacme.conf resp.
   /etc/lacme/lacme-accountd.conf when running as root, and
   $XDG_CONFIG_HOME/lacme/lacme.conf resp.
   $XDG_CONFIG_HOME/lacme/lacme-accountd.conf when running as a normal
   user.  There is no fallback to /etc anymore, and the lookup in the
   current directory as preferred choice is removed too.  However
   lacme-accountd(1) can be used without configuration file under
   ~/.config/lacme as it treats a non-existent default location as an
   empty file.
 * The client, webserver, and accountd commands are now split on
   whitespace.  This doesn't change the default behavior but allows
   using `ssh -T lacme@account.example.net lacme-accountd` to spawn a
   remote lacme-accountd server for instance.
 * Add test suite against Let's Encrypt's staging environment
   https://letsencrypt.org/docs/staging-environment/ .
 * lacme(8)'s 'config' option in the [accountd] section no longer has a
   default value.  The previous default /etc/lacme/lacme-accountd.conf
   is still honored when root privileges are preserved (the default).
 * Deprecate setting 'privkey' in [accountd] section of the lacme(8)
   configuration file.  One needs to use the lacme-accountd(1)
   configuration file for that instead.
 * lacme(8): add %-specifiers support for --config=, --socket=,
   --config-certs= (and 'socket'/'config-certs'/'challenge-directory'
   configuration options *before* privilege drop; and for the [accountd]
   section 'command'/'config' configuration options *after* privilege
   drop).
 * lacme-accountd(1): add %-specifiers support for --config=, --socket=
   and --privkey= (and 'socket'/'privkey' configuration options).
 * lacme-accountd(1): base64url-decode incoming signature requests shown
   in messages to the standard error.
 * lacme-accountd(1): new setting 'logfile' to log (decoded) incoming
   signature requests to a file.
 * lacme-accountd(1): new setting 'keyid' to easily revoke all account
   management access from the client.
 + Improve nginx/apache2 snippets for direct serving of challenge files
   (with the new 'challenge-directory' logic symlinks can be disabled).
 + Split Nginx and Apache2 static configuration snippets into separate
   files.  That way users preferring that over reverse-proxying can just
   source/enable the relevant files without having to uncomment
   anything.
 + Add support for TLS Feature extension from RFC 7633; this is mostly
   useful for OCSP Must-Staple.
 + client: use "lacme-client/$VERSION" as User-Agent header.
 + Consolidate error messages for consistency.
 + Sanitize environment when spawning the lacme client, webserver and
   accountd.
 + accountd: replace internal option --conn-fd=FD with flag --stdio.
   Using stdin/stdout makes it possible to tunnel the accountd
   connection through ssh.  The new flag is documented to allow safe
   usage in authorized_keys(5) restrictions.
 + Remove dependency on List::Util (core module).
 + accountd: Pass JWA and JWK thumbprint via extended greeting data.
   This gives better forward flexibility.
 - lacme: delay webserver socket shutdown to after the process has
   terminated.
 - documentation: suggest to generate private key material with
   genpkey(1ssl); also suggest a command to generate an ECDSA key not
   just RSA; hint at which key algorithms are supported.
 - documentation: clarify that "file:/path/to/account.key" can point to
   a symmetrically-encrypted private key.
 - documentation: emphasize default values in the config file, and move
   the most common options ('hash', 'keyUsage', 'CAfile', 'min-days') to
   the default section.
 - Raise client timeout from 10 to 30s.
 - Remove dependency on Types::Serialiser.
 - client: fail immediately when the accountd is unreachable.
 - Makefile: set executable bit for $(bindir)/lacme-accountd and
   $(sbindir)/lacme.
 - client: avoid "Use of uninitialized value in pattern match (m//)"
   perl warnings when the accountd socket can't be reached.
 - webserver: reopen stdin from /dev/null.
 - Use 'acme-challenge.XXXXXXXXXX' as template for the temporary ACME
   challenge directory.
 - Set the DEBUG environment variable to 0/1 instead of ""/1.
 - Use File::Basename::dirname() to correctly extract the parent
   directory of the socket path.
 - client: Print Terms of Service URL for 'account' command.

 -- Guilhem Moulin <guilhem@fripost.org>  Mon, 22 Feb 2021 03:19:57 +0100

lacme (0.7) upstream;

 * Breaking change: the certificate indicated by 'CAfile' is no longer
   used as is in 'certificate-chain' (along with the leaf cert).  The
   chain returned by the ACME v2 endpoint is used instead.  This allows
   for more flexibility with respect to key/CA rotation, cf.
   https://letsencrypt.org/2020/11/06/own-two-feet.html and
   https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
 + 'CAfile' now defaults to @@datadir@@/lacme/ca-certificates.crt which
   is a concatenation of all known active CA certificates (which
   includes the previous default).

 -- Guilhem Moulin <guilhem@fripost.org>  Wed, 25 Nov 2020 23:39:39 +0100

lacme (0.6.1) upstream;

 + Adapt Apache2 snippet to Apache2 2.4.
 + Ignore [accountd] section from lacme.conf when the --socket option is
   defined.  This allows remotely-controlled lacme processes to be
   controlled without modifying any config file.
 * Makefile: major refactoring, add install and uninstall targets, honor
   BUILD_DOCDIR and DESTDIR variables.
 * Install lacme manual to section 8.
 * Change default libexec dir from /usr/lib/lacme to /usr/libexec/lacme.
 * Makefile: Use variables for target directories etc.

 -- Guilhem Moulin <guilhem@fripost.org>  Tue, 04 Aug 2020 01:39:47 +0200

lacme (0.6) upstream;

 + client: poll order URL instead of each authz URL successively.
 + lacme: new option 'account --deactivate' for client-initiated account
   deactivation, see RFC 8555 sec. 7.3.6.
 - lacme, client: new dependency Date::Parse, don't parse RFC 3339
   datetime strings from X.509 certs manually.
 - lacme: assume that the iptables(8) binaries are under /usr/sbin not
   /sbin.  As of Buster this is the case, and the maintainer plans to
   drop compatibility symlinks once Bullseye is released.
 - Link to RFC 8555 <https://tools.ietf.org/html/rfc8555> instead of the
   ACME I-D URL.
 - Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
   authorizations, order and certificate URLs.

 -- Guilhem Moulin <guilhem@fripost.org>  Wed, 21 Aug 2019 18:23:50 +0200

lacme (0.5) upstream;

  + Use ACME v2 endpoints (update protocol to the last draft of the spec
    https://tools.ietf.org/html/draft-ietf-acme-acme-12 ).  Remove the
    'reg=' command, and rename the 'new-reg', 'new-cert' and
    'revoke-cert' commands to 'account', 'newOrder', and 'revokeCert'
    respectively, to match the URI resource names.  For backward
    compatibility 'new-cert' and 'revoke-cert' remain supported.
  - Fix manpage generation with pandoc >=2.1

 -- Guilhem Moulin <guilhem@fripost.org>  Thu, 26 Apr 2018 16:48:13 +0200

lacme (0.4) upstream;

  * Fix generation of manpages with pandoc >=1.18
  * Copy snippets/*.conf to /etc/lacme

 -- Guilhem Moulin <guilhem@fripost.org>  Fri, 28 Jul 2017 00:16:06 +0200

lacme (0.3) upstream;

  + When parsing config-cert files and directories (default "lacme-certs.conf
    lacme-certs.conf.d"), import the default section of files read earlier.
  + new-cert: create certificate files atomically.
  + webserver: allow listening to multiple addresses (useful when
    dual IPv4/IPv6 stack is not supported).  Listen to a UNIX-domain
    socket by default </var/run/lacme-www.socket>.
  + webserver: don't install temporary iptables by default.  Hosts
    without a public HTTP daemon listening on port 80 need to set the
    'listen' option to [::] and/or 0.0.0.0, and possibly set the
    'iptables' option to Yes.
  + Change 'min-days' default from 10 to 21, to avoid expiration notices
    from Let's Encrypt when auto-renewal is done by a cronjob.
  + Provide nginx and apache2 configuration snippets.
  - Ensure lacme's config file descriptor is not passed to the accountd
    or webserver components.
  - new-cert: sort section names if not passed explicitly.
  - new-cert: new CLI option "min-days" overriding the value found in
    the configuration file.
  - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
    extensions as critical in the CSR, following upstream fix of
    Boulder's issue #565.
  - webserver: refuse to follow symlink when serving ACME challenge
    responses.  When dropping privileges to a dedicated UID
    (recommended) only the ACME client could write to its current
    directory anyway, so following symlinks was not a serious
    vulnerability.
  - lacme(1), lacme-accountd(1): fix version number shown with
    --version.
  - client: remove potential race when creating ACME challenge response
    files.
  - When using open with mode "<&=" or ">&=", ensure the expression
    (fileno) is interpreted as an integer.  (This failed in Perl v5.14.2
    from Debian Jessie.)
  - Specify minimum required Perl version (v5.14.2).  Moreover lacme(1)
    requires Socket 1.95 or later (for instance for IPPROTO_IPV6).

 -- Guilhem Moulin <guilhem@fripost.org>  Sun, 19 Feb 2017 13:08:41 +0100

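Two items in the 0.3 entry above concern the http-01 challenge files: the webserver refuses to follow symlinks when serving responses, and the client avoids a race when creating them. The block below is an added illustration of both, written in Python for this page; it is not lacme's webserver or client code, and the function names, the token regex and the sample token and key authorization are constructed for the example.

```python
"""Safe creation and serving of ACME http-01 challenge files.

Added illustration (not lacme's code).  The client side creates each
response with O_CREAT|O_EXCL, so a pre-existing file (or another writer
racing us) is an error instead of a silent overwrite.  The server side
opens the response with O_NOFOLLOW, serves only regular files, and
accepts only tokens made of base64url characters, so a request can
never name anything outside the challenge directory.
"""
import errno
import os
import re
import stat
import tempfile
from typing import Optional

# ACME tokens are unpadded base64url strings (RFC 8555 sec. 8.3).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def write_challenge(challenge_dir: str, token: str, key_authorization: str) -> str:
    """Create the response file for `token`; raise FileExistsError if it already exists."""
    if not TOKEN_RE.match(token):
        raise ValueError("invalid token")
    path = os.path.join(challenge_dir, token)
    # O_EXCL: the file must be created by us, never reuse an existing entry or symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    try:
        view = memoryview(key_authorization.encode("ascii"))
        while view:
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)
    return path


def read_challenge(challenge_dir: str, token: str) -> Optional[bytes]:
    """Return the response body for `token`, or None if nothing may be served."""
    if not TOKEN_RE.match(token):          # rejects "..", "/", "." and empty tokens
        return None
    path = os.path.join(challenge_dir, token)
    try:
        # O_NOFOLLOW: a symlink at `path` makes open fail with ELOOP.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno in (errno.ENOENT, errno.ELOOP):
            return None
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None                     # directories, FIFOs, devices: refuse
        return os.read(fd, 4096)            # key authorizations are far shorter than this
    finally:
        os.close(fd)


def demo() -> dict:
    """Exercise both functions in scratch directories (constructed sample data)."""
    d = tempfile.mkdtemp()
    token = "example-token_0123456789"                      # constructed token
    keyauth = token + ".constructed-thumbprint_ABCDEFGH"    # constructed key authorization
    write_challenge(d, token, keyauth)
    try:
        write_challenge(d, token, keyauth)
        duplicate_refused = False
    except FileExistsError:
        duplicate_refused = True
    # A symlink inside the challenge directory pointing at a file outside it.
    other_dir = tempfile.mkdtemp()
    private = os.path.join(other_dir, "private.key")
    with open(private, "w") as f:
        f.write("not for serving\n")
    os.symlink(private, os.path.join(d, "linktoken"))
    return {
        "served": read_challenge(d, token) == keyauth.encode("ascii"),
        "duplicate_refused": duplicate_refused,
        "symlink_refused": read_challenge(d, "linktoken") is None,
        "traversal_refused": read_challenge(d, "../private.key") is None,
        "missing_is_none": read_challenge(d, "nosuchtoken") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The token check does the heavy lifting on the serving side: since a valid token can contain neither a path separator nor a dot, `os.path.join` cannot be steered out of the directory, and O_NOFOLLOW plus the regular-file check cover whatever the directory itself may contain.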
lacme (0.2) upstream;

  + Honor Retry-After headers for certificate issuance and challenge
    responses.
  + Update example of Subscriber Agreement URL to v1.1.1.
  + lacme: automatically spawn lacme-accountd when a "[accountd]" section
    is present in the configuration file.  The "socket" option is then
    ignored, and the two processes communicate through a socket pair.
  + lacme: add an option --quiet to avoid mentioning valid certs (useful
    in cronjobs)
  + "config-certs" now points to a space separated list of files or
    directories.  New default "lacme-certs.conf lacme-certs.conf.d/".
  - Minor manpage fixes
  - More useful message upon Validation Challenge failure.
  - If restricting access via umask() fails, don't include errno in the
    error message as it's not set on failure.

 -- Guilhem Moulin <guilhem@guilhem.org>  Sat, 03 Dec 2016 16:40:56 +0100

lacme (0.1) upstream;

  * Initial public release.  Development was started in December 2015.

 -- Guilhem Moulin <guilhem@guilhem.org>  Tue, 14 Jun 2016 17:30:58 +0200