blob: b3c08db5f52e6dba1e1d17ec81624720a066f26f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
lacme (0.8.0-1) unstable; urgency=low
The internal webserver now runs as system user _lacme-www:nogroup instead of
www-data:www-data by default. The internal ACME client now runs as system
user _lacme-client:nogroup instead of nobody:nogroup by default. Both
settings are configurable in the lacme(8) configuration file.
lacme(8) loads its configuration file from /etc/lacme/lacme.conf when
running as root, and from $XDG_CONFIG_HOME/lacme/lacme.conf otherwise.
There is no lookup in the current directory anymore, nor fallback lookup to
/etc.
'challenge-directory' now needs to be set to an *existing* directory
(writable by the lacme client user). Since lacme(8) spawns a builtin
webserver by default the change only affects configurations with a custom
'challenge-directory' setting.
-- Guilhem Moulin <guilhem@debian.org> Mon, 22 Feb 2021 03:31:23 +0100
lacme (0.7-1) unstable; urgency=high
The certificate indicated by 'CAfile' is no longer used as is in
'certificate-chain' (along with the leaf cert). The chain returned
by the ACME v2 endpoint is used instead. This allows for more
flexibility with respect to key/CA rotation. See for instance
https://letsencrypt.org/2020/11/06/own-two-feet.html and
https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018
'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt which
is a concatenation of all known active CA certificates (which
includes the previous default). Starting December 2020 Let's Encrypt
will use a different chain of trust for certificate issuance, so
users will a non-default 'CAfile' might need to adjust the value.
-- Guilhem Moulin <guilhem@debian.org> Thu, 26 Nov 2020 00:08:32 +0100
|