Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
576 Commits
13 Branches
28 Tags
2.5 MiB
Tree: 14307c94ca
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '14307c94ca'
${ noResults }
acmed/CHANGELOG.md

450 lines
12 KiB
Raw Normal View History

ACMEd v0.7.0
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Load the configuration
4 weeks ago
ACMEd v0.24.0
1 month ago
Remove OpenSSL 1.0 for tacd
2 months ago
Update the change log
1 month ago
Load the configuration
4 weeks ago
Update the change log
1 month ago
Remove OpenSSL 1.0 for tacd
2 months ago
Load the configuration
4 weeks ago
Remove OpenSSL 1.0 for tacd
2 months ago
ACMEd v0.23.0
12 months ago
Update dependencies
1 year ago
Add the raw_proof variable to the challenge-tls-alpn-01 hook fixes #129
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add the raw_proof variable to the challenge-tls-alpn-01 hook fixes #129
1 year ago
Update dependencies
1 year ago
Load the configuration
4 weeks ago
Update dependencies
12 months ago
Update dependencies
1 year ago
ACMEd v0.22.2
1 year ago
Fix the default hooks
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the default hooks
1 year ago
ACMEd v0.22.1
1 year ago
Update the lockfile during release fix #103
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the lockfile during release fix #103
1 year ago
ACMEd v0.22.0
1 year ago
Update the MSRV
2 years ago
Update the change log
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the change log
1 year ago
Update the MSRV
2 years ago
Load the configuration
4 weeks ago
Update the MSRV
1 year ago
Update the change log
2 years ago
Format the change log
4 weeks ago
Change the template engine to MiniJinja
2 years ago
Format the change log
4 weeks ago
Update the MSRV
2 years ago
Update the change log
2 years ago
Update the change log
2 years ago
Load the configuration
4 weeks ago
Update the change log
2 years ago
Load the configuration
4 weeks ago
Update the change log
2 years ago
ACMEd v0.19.0
3 years ago
Fix an invalid reference in the command line arguments
3 years ago
Add the `--no-pid-file` argument Fixes #60
3 years ago
Load the configuration
4 weeks ago
Add the `--no-pid-file` argument Fixes #60
3 years ago
Fix an invalid reference in the command line arguments
3 years ago
Load the configuration
4 weeks ago
Fix an invalid reference in the command line arguments
3 years ago
Add some missing file path in log messages Rel #24
3 years ago
Format the change log
4 weeks ago
Fix an invalid reference in the command line arguments
3 years ago
ACMEd v0.19.0
3 years ago
Update the minimal required Rust version
3 years ago
Add the acmed@user.service systemd unit configuration
3 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add the acmed@user.service systemd unit configuration
3 years ago
Update the minimal required Rust version
3 years ago
Load the configuration
4 weeks ago
Fix the changelog
3 years ago
Update the minimal required Rust version
3 years ago
ACMEd v0.18.0
4 years ago
Add new verbs to the polkit rule
4 years ago
Load the configuration
4 weeks ago
Add support for Ed25519 and Ed448 account keys and certificates Fixes #36
4 years ago
Format the change log
4 weeks ago
Add new verbs to the polkit rule
4 years ago
ACMEd v0.18.0
4 years ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Format the change log
4 weeks ago
update LFS compliance volatile runtime data * the former /var/run is depreciated -> using /run * update rust build scripts sources to use the new path * update CHANGELOG to reflect the changes Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
4 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
ACMEd v0.16.0
4 years ago
Update the certificate's subject attributes
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the certificate's subject attributes
4 years ago
Load the configuration
4 weeks ago
Update the certificate's subject attributes
4 years ago
ACMEd v0.15.0
4 years ago
Update the nom dependency
4 years ago
Add the file_name_format config directive
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add the file_name_format config directive
4 years ago
Include config files only once
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Include config files only once
4 years ago
Allow certificates to have the same name but different key type
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow certificates to have the same name but different key type
4 years ago
Update the nom dependency
4 years ago
ACMEd v0.14.0
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow to specify a unique name for each certificate
4 years ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Load the configuration
4 weeks ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Fix the CHANGELOG
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the CHANGELOG
4 years ago
ACMEd v0.12.0
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Load the configuration
4 weeks ago
Allow to specify subject attributes for certificates
4 years ago
Add support for NIST P-521 curve and ES512 signatures
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Stop to require the `orders` field on account creation RFC 8555 states that: - when an account is successfully created, the server "returns this account object" (section 7.3); - the `orders` field in account objects is mandatory (section 7.1.2). Despite that, Boulder does not returns the `orders` field when an account is created. This non-standard behavior prevented ACMEd from creating account and testing them for existence. In order to allow ACMEd to retrieve certificates from CAs using Boulder, the `orders` field is no longer mandatory and the account existence is tested when the order is requested. https://github.com/letsencrypt/boulder/issues/3335
4 years ago
Load the configuration
4 weeks ago
Stop to require the `orders` field on account creation RFC 8555 states that: - when an account is successfully created, the server "returns this account object" (section 7.3); - the `orders` field in account objects is mandatory (section 7.1.2). Despite that, Boulder does not returns the `orders` field when an account is created. This non-standard behavior prevented ACMEd from creating account and testing them for existence. In order to allow ACMEd to retrieve certificates from CAs using Boulder, the `orders` field is no longer mandatory and the account existence is tested when the order is requested. https://github.com/letsencrypt/boulder/issues/3335
4 years ago
Allow to specify subject attributes for certificates
4 years ago
ACMEd v0.11.0
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Load the configuration
4 weeks ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Add external account binding
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Update the CHANGELOG
4 years ago
Load the configuration
4 weeks ago
Update the CHANGELOG
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
ACMEd v0.10.0
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add Unix style globing for config file inclusion Close #6
4 years ago
Format the change log
4 weeks ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Refactor the certificate key type management The previous system used a duplicated enum (`acmed::certificate::Algorithm`) and an imprecise identifier name (algorithm) for both the certificate configuration and post operation hook variable. The first one has been replaced by the `acme_common::crypto::KeyType` enum and the second renames `key_type`.
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
ACMEd v0.9.0
5 years ago
Add support for user and groups names
5 years ago
Load the configuration
4 weeks ago
Add support for user and groups names
5 years ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
5 years ago
Load the configuration
4 weeks ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
5 years ago
Update the change log
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the change log
5 years ago
Add support for user and groups names
5 years ago
ACMEd v0.8.0
5 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
Load the configuration
4 weeks ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
Load the configuration
4 weeks ago
`Make install` now work with the busybox toolchain.
5 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
ACMEd v0.7.0
5 years ago
Replace * by _ in file names
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add internationalized domain names support
5 years ago
Replace * by _ in file names
5 years ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
5 years ago
Fix the type of the externalAccountRequired field
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the type of the externalAccountRequired field
5 years ago
Add internationalized domain names support
5 years ago
ACMEd v0.6.1
5 years ago
Update the change log
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the "foregroung" typo I made the typo once and then copy/pasted it everywhere.
5 years ago
Update the change log
6 years ago
ACMEd 0.6.0
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Load the configuration
4 weeks ago
Add an option to stop or continue after a failed hook
6 years ago
Format the change log
4 weeks ago
Add rate limits for HTTPS requests
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Load the configuration
4 weeks ago
Renew certificates in parallel
6 years ago
Format the change log
4 weeks ago
Improve the logging format In order to renew different certificate at the same time, log messages must display which certificate they are referring to.
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Fix the http-01-echo default hook
6 years ago
Load the configuration
4 weeks ago
Fix the http-01-echo default hook
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
ACMEd 0.5.0
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow the config file to include other files
6 years ago
Add environment variables to hook templates
6 years ago
Format the change log
4 weeks ago
Allow tacd to listen on a unix socket
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
ACMEd 0.4.0
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Load the configuration
4 weeks ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Update the changelog
6 years ago
Format the change log
4 weeks ago
Add the is_clean_hook variable to challenge hooks
6 years ago
Format the change log
4 weeks ago
Update the changelog
6 years ago
Load the configuration
4 weeks ago
Update the changelog
6 years ago
Load the configuration
4 weeks ago
Update the changelog
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Load the configuration
4 weeks ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
v0.3.0
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Load the configuration
4 weeks ago
Add tacd to the CHANGELOG
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Format the change log
4 weeks ago
Update the CHANGELOG
6 years ago
Format the change log
4 weeks ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Format the change log
4 weeks ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Load the configuration
4 weeks ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
v0.2.1
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
v0.2.1
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Load the configuration
4 weeks ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Send logs to syslog
6 years ago
Format the change log
4 weeks ago
  1. [//]: # (Copyright 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>)
  3. [//]: # (Copying and distribution of this file, with or without modification,)
  4. [//]: # (are permitted in any medium without royalty provided the copyright)
  5. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  6. [//]: # (without any warranty.)
  8. # Changelog
  10. All notable changes to this project will be documented in this file.
  12. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
  13. and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
  16. ## [Unreleased]
  18. ### Changed
  20. - Instead of loading a default configuration file, ACMEd now loads all the
  21. files from a default configuration directory (by default,
  22. `/etc/acmed/conf-enabled`).
  24. ### Removed
  26. - tacd has been removed.
  27. - The `include` directive has been removed from the configuration.
  30. ## [0.24.0] - 2024-12-21
  32. ### Added
  34. - The file extension can now be customized.
  36. ### Changed
  38. - tacd does no longer supports OpenSSL 1.0.
  41. ## [0.23.0] - 2024-02-10
  43. ### Added
  45. - The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which
  46. contains the SHA-256 digest of the key authorization, encoded using Base64
  47. URL scheme without padding.
  49. ### Changed
  51. - The minimum supported Rust version (MSRV) is now 1.74.
  54. ## [0.22.2] - 2024-01-09
  56. ### Fixed
  58. - The default hooks were not properly updated during the 0.22.0 release, which
  59. causes the certificate renewal to fail.
  62. ## [0.22.1] - 2023-12-20
  64. ### Fixed
  66. - The `Cargo.lock` file is now updated before a new version is released (GitHub
  67. bug #103).
  70. ## [0.22.0] - 2023-12-20
  72. ### Fixed
  74. - ACMEd no longer crashes when the `random_early_renew` parameter is set to
  75. zero (GitHub bug #102).
  77. ### Changed
  79. - The minimum supported Rust version (MSRV) is now 1.70.
  80. - Manual (and badly designed) threads have been replaced by async.
  81. - Randomized early delay, for spacing out renewals when dealing with a lot of
  82. certificates.
  83. - Replaced the template engine TinyTemplate with MiniJinja.
  84. - The default period of time between the certificate renewal and its expiration
  85. date (`renew_delay`) has been changed from 3 weeks to 30 days.
  88. ## [0.21.0] - 2022-12-19
  90. ### Fixed
  92. - The JWK representation of ECDSA keys now have their coordinates padded.
  94. ### Changed
  96. - The minimal required Rust version is now 1.60.
  99. ## [0.20.0] - 2022-05-08
  101. ### Added
  103. - The `--no-pid-file` argument has been added to ACMEd and tacd.
  105. ### Fixed
  107. - An invalid reference in the command line arguments has been fixed.
  108. - Some missing file path in log messages has been added.
  109. - The calculation of the certificate's expiration delay does no longer break
  110. compilation on some systems.
  113. ## [0.19.0] - 2022-04-17
  115. ### Added
  117. - The `acmed@user.service` systemd unit configuration has been added as an
  118. alternative to the `acmed.service` unit.
  120. ### Changed
  122. - The minimal required Rust version is now 1.54.
  124. ## [0.18.0] - 2021-06-13
  126. ### Added
  128. - Add support for Ed25519 and Ed448 account keys and certificates.
  129. - In addition to `restart`, the Polkit rule also allows the `reload`,
  130. `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs.
  133. ## [0.17.0] - 2021-05-04
  135. ### Added
  137. - Allow the configuration of some default values at compile time using
  138. environment variables.
  140. ### Changed
  142. - The template engine has been changed in favor of TinyTemplate, which has a
  143. different syntax than the previous one.
  144. - The default account directory now is `/var/lib/acmed/accounts`.
  145. - The default certificates and private keys directory now is
  146. `/var/lib/acmed/certs`.
  147. - The default for volatile runtime data now is `/run`.
  150. ## [0.16.0] - 2020-11-11
  152. ### Added
  154. - The `pkcs9_email_address`, `postal_address` and `postal_code` subject
  155. attributes has been added.
  157. ### Changed
  159. - The `friendly_name` and `pseudonym` subject attributes has been removed.
  160. - The `street_address` subject attribute has been renamed `street`.
  163. ## [0.15.0] - 2020-11-03
  165. ### Added
  167. - The names of both the certificate file and the associated private key can now
  168. be configured.
  170. ### Fixed
  172. - Configuration files cannot be loaded more than one time, which prevents
  173. infinite recursion.
  175. ### Changed
  177. - Certificates are now allowed to share the same name if their respective key
  178. type is different.
  181. ## [0.14.0] - 2020-10-27
  183. ### Added
  185. - Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`
  186. environment variables.
  187. - Allow to specify a unique name for each certificate.
  189. ### Changed
  191. - The minimal required Rust version is 1.42.0.
  194. ## [0.13.0] - 2020-10-10
  196. ### Added
  198. - In the configuration, `root_certificates` has been added to the `global` and
  199. `endpoint` sections as an array of strings representing the path to root
  200. certificate files.
  201. - At compilation, it is now possible to statically link OpenSSL using the
  202. `openssl_vendored` feature.
  203. - In the Makefile, it is now possible to specify which target triple to build
  204. for.
  207. ## [0.12.0] - 2020-09-26
  209. ### Added
  211. - Some subject attributes can now be specified.
  212. - Support for NIST P-521 certificates and account keys.
  214. ### Fixed
  216. - Support for Let's Encrypt non-standard account creation object.
  219. ## [0.11.0] - 2020-09-19
  221. ### Added
  223. - The `contacts` account configuration field has been added.
  224. - External account binding.
  226. ### Changed
  228. - The `email` account configuration field has been removed. In replacement, use
  229. the `contacts` field.
  230. - Accounts now have their own hooks and environment.
  231. - Accounts are now stored in a single binary file.
  233. ### Fixed
  235. - ACMEd can now build on platforms with a `time_t` not defined as an `i64`.
  236. - The Makefile is now fully works on FreeBSD.
  239. ## [0.10.0] - 2020-08-27
  241. ### Added
  243. - The account key type and signature algorithm can now be specified in the
  244. configuration using the `key_type` and `signature_algorithm` parameters.
  245. - The delay to renew a certificate before its expiration date can be specified
  246. in the configuration using the `renew_delay` parameter at either the
  247. certificate, endpoint and global level.
  248. - It is now possible to specify IP identifiers (RFC 8738) using the `ip`
  249. parameter instead of the `dns` one.
  250. - The hook templates of type `challenge-*` have a new `identifier_tls_alpn`
  251. field which contains, if available, the identifier in a form that is suitable
  252. to the TLS ALPN challenge.
  253. - Globing is now supported for configuration files inclusion.
  254. - The CSR's digest algorithm can now be specified using the `csr_digest`
  255. parameter.
  257. ### Changed
  259. - In the certificate configuration, the `domains` field has been renamed
  260. `identifiers`.
  261. - The `algorithm` certificate configuration field has been renamed `key_type`.
  262. - The `algorithm` hook template variable has been renamed `key_type`.
  263. - The `domain` hook template variable has been renamed `identifier`.
  264. - The default hooks have been updated.
  266. ### Fixed
  268. - The Makefile now works on FreeBSD. It should also work on other BSD although
  269. it has not been tested.
  272. ## [0.9.0] - 2020-08-01
  274. ### Added
  276. - System users and groups can now be specified by name in addition to uid/gid.
  278. ### Changed
  280. - The HTTP(S) part is now handled by `attohttpc` instead of `reqwest`.
  282. ### Fixed
  284. - In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext`
  285. instead of itself.
  288. ## [0.8.0] - 2020-06-12
  290. ### Changed
  292. - The HTTP(S) part is now handled by `reqwest` instead of `http_req`.
  294. ### Fixed
  296. - `make install` now work with the busybox toolchain.
  299. ## [0.7.0] - 2020-03-12
  301. ### Added
  303. - Wildcard certificates are now supported. In the file name, the `*` is
  304. replaced by `_`.
  305. - Internationalized domain names are now supported.
  307. ### Changed
  309. - The PID file is now always written whether or not ACMEd is running in the
  310. foreground. Previously, it was written only when running in the background.
  312. ### Fixed
  314. - In the directory, the `externalAccountRequired` field is now a boolean
  315. instead of a string.
  318. ## [0.6.1] - 2019-09-13
  320. ### Fixed
  322. - A race condition when requesting multiple certificates on the same
  323. non-existent account has been fixed.
  324. - The `foregroung` option has been renamed `foreground`.
  327. ## [0.6.0] - 2019-06-05
  329. ### Added
  331. - Hooks now have the optional `allow_failure` field.
  332. - In hooks, the `stdin_str` has been added in replacement of the previous
  333. `stdin` behavior.
  334. - HTTPS request rate limits.
  336. ### Changed
  338. - Certificates are renewed in parallel.
  339. - Hooks are now cleaned right after the current challenge has been validated
  340. instead of after the certificate's retrieval.
  341. - In hooks, the `stdin` field now refers to the path of the file that should be
  342. written into the hook's standard input.
  343. - The logging format has been re-written.
  345. ### Fixed
  347. - The http-01-echo hook now correctly sets the file's access rights
  350. ## [0.5.0] - 2019-05-09
  352. ### Added
  354. - ACMEd now displays a warning when the server indicates an error in an order
  355. or an authorization.
  356. - A configuration file can now include several other files.
  357. - Hooks have access to environment variables.
  358. - In the configuration, the global section, certificates and domains can define
  359. environment variables for the hooks.
  360. - tacd is now able to listen on a unix socket.
  363. ## [0.4.0] - 2019-05-08
  365. ### Added
  367. - Man pages.
  368. - The project can now be built and installed using `make`.
  369. - The post-operation hooks now have access to the `is_success` template
  370. variable.
  371. - Challenge hooks now have the `is_clean_hook` template variable.
  372. - An existing certificate will be renewed if more domains have been added in
  373. the configuration.
  375. ### Changed
  377. - Unknown configuration fields are no longer tolerated.
  379. ### Removed
  381. - In challenge hooks, the `algorithm` template variable has been removed.
  383. ### Fixed
  385. - In some cases, ACMEd was unable to parse a certificate's expiration date.
  388. ## [0.3.0] - 2019-04-30
  390. ### Added
  392. - tacd, the TLS-ALPN-01 validation daemon.
  393. - An account object has been added in the configuration.
  394. - In the configuration, hooks now have a mandatory `type` variable.
  395. - It is now possible to declare hooks to clean after the challenge validation
  396. hooks.
  397. - The CLI `--root-cert` option has been added.
  398. - Failure recovery: HTTPS requests rejected by the server that are recoverable,
  399. like the badNonce error, are now retried several times before being
  400. considered a hard failure.
  401. - The TLS-ALPN-01 challenge is now supported. The proof is a string
  402. representation of the acmeIdentifier extension. The self-signed certificate
  403. itself has to be built by a hook.
  405. ### Changed
  407. - In the configuration, the `email` certificate field has been replaced by the
  408. `account` field which matches an account object.
  409. - The format of the `domain` configuration variable has changed and now
  410. includes the challenge type.
  411. - The `token` challenge hook variable has been renamed `file_name`.
  412. - The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`,
  413. `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`
  414. certificate variables has been replaced by `hooks`.
  415. - The logs has been purged from many useless debug and trace entries.
  417. ### Removed
  419. - The DER storage format has been removed.
  420. - The `challenge` certificate variables has been removed.
  423. ## [0.2.1] - 2019-03-30
  425. ### Fixed
  427. - The bug that prevented from requesting more than two certificates has been
  428. fixed.
  431. ## [0.2.0] - 2019-03-27
  433. ### Added
  435. - The `kp_reuse` flag allow to reuse a key pair instead of creating a new one
  436. at each renewal.
  437. - It is now possible to define hook groups that can reference either hooks or
  438. other hook groups.
  439. - Hooks can be defined when before and after a file is created or edited
  440. (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and
  441. `file_post_edit_hooks`).
  442. - It is now possible to send logs either to syslog or stderr using the
  443. `--to-syslog` and `--to-stderr` arguments.
  445. ### Changed
  447. - `post_operation_hook` has been renamed `post_operation_hooks`.
  448. - By default, logs are now sent to syslog instead of stderr.
  449. - The process is now daemonized by default. It is possible to still run it in
  450. the foreground using the `--foregroung` flag.