aboutsummaryrefslogtreecommitdiffstats
path: root/debian/lacme.NEWS
blob: 91ddd30f9905b10993f26ef75fb20c7f5b818d33 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
lacme (0.8.0-1) UNRELEASED; urgency=medium

    The internal webserver now runs as system user _lacme-www:nogroup instead of
    www-data:www-data by default.  The internal ACME client now runs as system
    user _lacme-client:nogroup instead of nobody:nogroup by default.  Both
    settings are configurable in the lacme(8) configuration file.

    lacme(8) loads its configuration file from /etc/lacme/lacme.conf when
    running as root, and from $XDG_CONFIG_HOME/lacme/lacme.conf otherwise.
    There is no lookup in the current directory anymore, nor fallback lookup to
    /etc.

    'challenge-directory' now needs to be set to an *existing* directory
    (writable by the lacme client user).  Since lacme(8) spawns a builtin
    webserver by default the change only affects configurations with a custom
    'challenge-directory' setting.

 -- Guilhem Moulin <guilhem@debian.org>  Mon, 22 Feb 2021 02:00:00 +0100

lacme (0.7-1) unstable; urgency=high

    The certificate indicated by 'CAfile' is no longer used as is in
    'certificate-chain' (along with the leaf cert).  The chain returned
    by the ACME v2 endpoint is used instead.  This allows for more
    flexibility with respect to key/CA rotation.  See for instance
    https://letsencrypt.org/2020/11/06/own-two-feet.html and
    https://community.letsencrypt.org/t/beginning-issuance-from-r3/139018

   'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt which
   is a concatenation of all known active CA certificates (which
   includes the previous default).  Starting December 2020 Let's Encrypt
   will use a different chain of trust for certificate issuance, so
   users will a non-default 'CAfile' might need to adjust the value.

 -- Guilhem Moulin <guilhem@debian.org>  Thu, 26 Nov 2020 00:08:32 +0100