Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
593 Commits
13 Branches
28 Tags
2.5 MiB
Tree: 2937edcb8c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2937edcb8c'
${ noResults }
acmed/CHANGELOG.md

454 lines
12 KiB
Raw Normal View History

ACMEd v0.7.0
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Use a table of table for the hooks and groups
4 weeks ago
Update the change log
3 weeks ago
Load the configuration
4 weeks ago
ACMEd v0.24.0
1 month ago
Remove OpenSSL 1.0 for tacd
2 months ago
Update the change log
1 month ago
Load the configuration
4 weeks ago
Update the change log
1 month ago
Remove OpenSSL 1.0 for tacd
2 months ago
Load the configuration
4 weeks ago
Remove OpenSSL 1.0 for tacd
2 months ago
ACMEd v0.23.0
12 months ago
Update dependencies
1 year ago
Add the raw_proof variable to the challenge-tls-alpn-01 hook fixes #129
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add the raw_proof variable to the challenge-tls-alpn-01 hook fixes #129
1 year ago
Update dependencies
1 year ago
Load the configuration
4 weeks ago
Update dependencies
12 months ago
Update dependencies
1 year ago
ACMEd v0.22.2
1 year ago
Fix the default hooks
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the default hooks
1 year ago
ACMEd v0.22.1
1 year ago
Update the lockfile during release fix #103
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the lockfile during release fix #103
1 year ago
ACMEd v0.22.0
1 year ago
Update the MSRV
2 years ago
Update the change log
1 year ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the change log
1 year ago
Update the MSRV
2 years ago
Load the configuration
4 weeks ago
Update the MSRV
1 year ago
Update the change log
2 years ago
Format the change log
4 weeks ago
Change the template engine to MiniJinja
2 years ago
Format the change log
4 weeks ago
Update the MSRV
2 years ago
Update the change log
2 years ago
Update the change log
2 years ago
Load the configuration
4 weeks ago
Update the change log
2 years ago
Load the configuration
4 weeks ago
Update the change log
2 years ago
ACMEd v0.19.0
3 years ago
Fix an invalid reference in the command line arguments
3 years ago
Add the `--no-pid-file` argument Fixes #60
3 years ago
Load the configuration
4 weeks ago
Add the `--no-pid-file` argument Fixes #60
3 years ago
Fix an invalid reference in the command line arguments
3 years ago
Load the configuration
4 weeks ago
Fix an invalid reference in the command line arguments
3 years ago
Add some missing file path in log messages Rel #24
3 years ago
Format the change log
4 weeks ago
Fix an invalid reference in the command line arguments
3 years ago
ACMEd v0.19.0
3 years ago
Update the minimal required Rust version
3 years ago
Add the acmed@user.service systemd unit configuration
3 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add the acmed@user.service systemd unit configuration
3 years ago
Update the minimal required Rust version
3 years ago
Load the configuration
4 weeks ago
Fix the changelog
3 years ago
Update the minimal required Rust version
3 years ago
ACMEd v0.18.0
4 years ago
Add new verbs to the polkit rule
4 years ago
Load the configuration
4 weeks ago
Add support for Ed25519 and Ed448 account keys and certificates Fixes #36
4 years ago
Format the change log
4 weeks ago
Add new verbs to the polkit rule
4 years ago
ACMEd v0.18.0
4 years ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Format the change log
4 weeks ago
update LFS compliance volatile runtime data * the former /var/run is depreciated -> using /run * update rust build scripts sources to use the new path * update CHANGELOG to reflect the changes Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
4 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
ACMEd v0.16.0
4 years ago
Update the certificate's subject attributes
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the certificate's subject attributes
4 years ago
Load the configuration
4 weeks ago
Update the certificate's subject attributes
4 years ago
ACMEd v0.15.0
4 years ago
Update the nom dependency
4 years ago
Add the file_name_format config directive
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add the file_name_format config directive
4 years ago
Include config files only once
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Include config files only once
4 years ago
Allow certificates to have the same name but different key type
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow certificates to have the same name but different key type
4 years ago
Update the nom dependency
4 years ago
ACMEd v0.14.0
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow to specify a unique name for each certificate
4 years ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Load the configuration
4 weeks ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Fix the CHANGELOG
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the CHANGELOG
4 years ago
ACMEd v0.12.0
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Load the configuration
4 weeks ago
Allow to specify subject attributes for certificates
4 years ago
Add support for NIST P-521 curve and ES512 signatures
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Stop to require the `orders` field on account creation RFC 8555 states that: - when an account is successfully created, the server "returns this account object" (section 7.3); - the `orders` field in account objects is mandatory (section 7.1.2). Despite that, Boulder does not returns the `orders` field when an account is created. This non-standard behavior prevented ACMEd from creating account and testing them for existence. In order to allow ACMEd to retrieve certificates from CAs using Boulder, the `orders` field is no longer mandatory and the account existence is tested when the order is requested. https://github.com/letsencrypt/boulder/issues/3335
4 years ago
Load the configuration
4 weeks ago
Stop to require the `orders` field on account creation RFC 8555 states that: - when an account is successfully created, the server "returns this account object" (section 7.3); - the `orders` field in account objects is mandatory (section 7.1.2). Despite that, Boulder does not returns the `orders` field when an account is created. This non-standard behavior prevented ACMEd from creating account and testing them for existence. In order to allow ACMEd to retrieve certificates from CAs using Boulder, the `orders` field is no longer mandatory and the account existence is tested when the order is requested. https://github.com/letsencrypt/boulder/issues/3335
4 years ago
Allow to specify subject attributes for certificates
4 years ago
ACMEd v0.11.0
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Load the configuration
4 weeks ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Add external account binding
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Update the CHANGELOG
4 years ago
Load the configuration
4 weeks ago
Update the CHANGELOG
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
ACMEd v0.10.0
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add Unix style globing for config file inclusion Close #6
4 years ago
Format the change log
4 weeks ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Refactor the certificate key type management The previous system used a duplicated enum (`acmed::certificate::Algorithm`) and an imprecise identifier name (algorithm) for both the certificate configuration and post operation hook variable. The first one has been replaced by the `acme_common::crypto::KeyType` enum and the second renames `key_type`.
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
ACMEd v0.9.0
5 years ago
Add support for user and groups names
5 years ago
Load the configuration
4 weeks ago
Add support for user and groups names
5 years ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
5 years ago
Load the configuration
4 weeks ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
5 years ago
Update the change log
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Update the change log
5 years ago
Add support for user and groups names
5 years ago
ACMEd v0.8.0
5 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
Load the configuration
4 weeks ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
Load the configuration
4 weeks ago
`Make install` now work with the busybox toolchain.
5 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
ACMEd v0.7.0
5 years ago
Replace * by _ in file names
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Add internationalized domain names support
5 years ago
Replace * by _ in file names
5 years ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
5 years ago
Fix the type of the externalAccountRequired field
5 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the type of the externalAccountRequired field
5 years ago
Add internationalized domain names support
5 years ago
ACMEd v0.6.1
5 years ago
Update the change log
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Fix the "foregroung" typo I made the typo once and then copy/pasted it everywhere.
5 years ago
Update the change log
6 years ago
ACMEd 0.6.0
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Load the configuration
4 weeks ago
Add an option to stop or continue after a failed hook
6 years ago
Format the change log
4 weeks ago
Add rate limits for HTTPS requests
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Load the configuration
4 weeks ago
Renew certificates in parallel
6 years ago
Format the change log
4 weeks ago
Improve the logging format In order to renew different certificate at the same time, log messages must display which certificate they are referring to.
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Fix the http-01-echo default hook
6 years ago
Load the configuration
4 weeks ago
Fix the http-01-echo default hook
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
ACMEd 0.5.0
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Allow the config file to include other files
6 years ago
Add environment variables to hook templates
6 years ago
Format the change log
4 weeks ago
Allow tacd to listen on a unix socket
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
ACMEd 0.4.0
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Load the configuration
4 weeks ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Update the changelog
6 years ago
Format the change log
4 weeks ago
Add the is_clean_hook variable to challenge hooks
6 years ago
Format the change log
4 weeks ago
Update the changelog
6 years ago
Load the configuration
4 weeks ago
Update the changelog
6 years ago
Load the configuration
4 weeks ago
Update the changelog
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Load the configuration
4 weeks ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
v0.3.0
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Load the configuration
4 weeks ago
Add tacd to the CHANGELOG
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Format the change log
4 weeks ago
Update the CHANGELOG
6 years ago
Format the change log
4 weeks ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Format the change log
4 weeks ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Load the configuration
4 weeks ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
v0.2.1
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
v0.2.1
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
4 weeks ago
Format the change log
4 weeks ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Load the configuration
4 weeks ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Send logs to syslog
6 years ago
Format the change log
4 weeks ago
  1. [//]: # (Copyright 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>)
  3. [//]: # (Copying and distribution of this file, with or without modification,)
  4. [//]: # (are permitted in any medium without royalty provided the copyright)
  5. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  6. [//]: # (without any warranty.)
  8. # Changelog
  10. All notable changes to this project will be documented in this file.
  12. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
  13. and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
  16. ## [Unreleased]
  18. ### Changed
  20. - Instead of loading a default configuration file, ACMEd now loads all the
  21. files from a default configuration directory (by default,
  22. `/etc/acmed/conf-enabled`).
  23. - The configuration arrays for accounts, endpoints, rate limits, hooks and
  24. groups has been replaced by tables.
  25. - The name of user-defined hooks and groups cannot start with `internal:`,
  26. which is now reserved for internal hooks.
  28. ### Removed
  30. - tacd has been removed.
  31. - The `include` directive has been removed from the configuration.
  34. ## [0.24.0] - 2024-12-21
  36. ### Added
  38. - The file extension can now be customized.
  40. ### Changed
  42. - tacd does no longer supports OpenSSL 1.0.
  45. ## [0.23.0] - 2024-02-10
  47. ### Added
  49. - The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which
  50. contains the SHA-256 digest of the key authorization, encoded using Base64
  51. URL scheme without padding.
  53. ### Changed
  55. - The minimum supported Rust version (MSRV) is now 1.74.
  58. ## [0.22.2] - 2024-01-09
  60. ### Fixed
  62. - The default hooks were not properly updated during the 0.22.0 release, which
  63. causes the certificate renewal to fail.
  66. ## [0.22.1] - 2023-12-20
  68. ### Fixed
  70. - The `Cargo.lock` file is now updated before a new version is released (GitHub
  71. bug #103).
  74. ## [0.22.0] - 2023-12-20
  76. ### Fixed
  78. - ACMEd no longer crashes when the `random_early_renew` parameter is set to
  79. zero (GitHub bug #102).
  81. ### Changed
  83. - The minimum supported Rust version (MSRV) is now 1.70.
  84. - Manual (and badly designed) threads have been replaced by async.
  85. - Randomized early delay, for spacing out renewals when dealing with a lot of
  86. certificates.
  87. - Replaced the template engine TinyTemplate with MiniJinja.
  88. - The default period of time between the certificate renewal and its expiration
  89. date (`renew_delay`) has been changed from 3 weeks to 30 days.
  92. ## [0.21.0] - 2022-12-19
  94. ### Fixed
  96. - The JWK representation of ECDSA keys now have their coordinates padded.
  98. ### Changed
  100. - The minimal required Rust version is now 1.60.
  103. ## [0.20.0] - 2022-05-08
  105. ### Added
  107. - The `--no-pid-file` argument has been added to ACMEd and tacd.
  109. ### Fixed
  111. - An invalid reference in the command line arguments has been fixed.
  112. - Some missing file path in log messages has been added.
  113. - The calculation of the certificate's expiration delay does no longer break
  114. compilation on some systems.
  117. ## [0.19.0] - 2022-04-17
  119. ### Added
  121. - The `acmed@user.service` systemd unit configuration has been added as an
  122. alternative to the `acmed.service` unit.
  124. ### Changed
  126. - The minimal required Rust version is now 1.54.
  128. ## [0.18.0] - 2021-06-13
  130. ### Added
  132. - Add support for Ed25519 and Ed448 account keys and certificates.
  133. - In addition to `restart`, the Polkit rule also allows the `reload`,
  134. `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs.
  137. ## [0.17.0] - 2021-05-04
  139. ### Added
  141. - Allow the configuration of some default values at compile time using
  142. environment variables.
  144. ### Changed
  146. - The template engine has been changed in favor of TinyTemplate, which has a
  147. different syntax than the previous one.
  148. - The default account directory now is `/var/lib/acmed/accounts`.
  149. - The default certificates and private keys directory now is
  150. `/var/lib/acmed/certs`.
  151. - The default for volatile runtime data now is `/run`.
  154. ## [0.16.0] - 2020-11-11
  156. ### Added
  158. - The `pkcs9_email_address`, `postal_address` and `postal_code` subject
  159. attributes has been added.
  161. ### Changed
  163. - The `friendly_name` and `pseudonym` subject attributes has been removed.
  164. - The `street_address` subject attribute has been renamed `street`.
  167. ## [0.15.0] - 2020-11-03
  169. ### Added
  171. - The names of both the certificate file and the associated private key can now
  172. be configured.
  174. ### Fixed
  176. - Configuration files cannot be loaded more than one time, which prevents
  177. infinite recursion.
  179. ### Changed
  181. - Certificates are now allowed to share the same name if their respective key
  182. type is different.
  185. ## [0.14.0] - 2020-10-27
  187. ### Added
  189. - Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`
  190. environment variables.
  191. - Allow to specify a unique name for each certificate.
  193. ### Changed
  195. - The minimal required Rust version is 1.42.0.
  198. ## [0.13.0] - 2020-10-10
  200. ### Added
  202. - In the configuration, `root_certificates` has been added to the `global` and
  203. `endpoint` sections as an array of strings representing the path to root
  204. certificate files.
  205. - At compilation, it is now possible to statically link OpenSSL using the
  206. `openssl_vendored` feature.
  207. - In the Makefile, it is now possible to specify which target triple to build
  208. for.
  211. ## [0.12.0] - 2020-09-26
  213. ### Added
  215. - Some subject attributes can now be specified.
  216. - Support for NIST P-521 certificates and account keys.
  218. ### Fixed
  220. - Support for Let's Encrypt non-standard account creation object.
  223. ## [0.11.0] - 2020-09-19
  225. ### Added
  227. - The `contacts` account configuration field has been added.
  228. - External account binding.
  230. ### Changed
  232. - The `email` account configuration field has been removed. In replacement, use
  233. the `contacts` field.
  234. - Accounts now have their own hooks and environment.
  235. - Accounts are now stored in a single binary file.
  237. ### Fixed
  239. - ACMEd can now build on platforms with a `time_t` not defined as an `i64`.
  240. - The Makefile is now fully works on FreeBSD.
  243. ## [0.10.0] - 2020-08-27
  245. ### Added
  247. - The account key type and signature algorithm can now be specified in the
  248. configuration using the `key_type` and `signature_algorithm` parameters.
  249. - The delay to renew a certificate before its expiration date can be specified
  250. in the configuration using the `renew_delay` parameter at either the
  251. certificate, endpoint and global level.
  252. - It is now possible to specify IP identifiers (RFC 8738) using the `ip`
  253. parameter instead of the `dns` one.
  254. - The hook templates of type `challenge-*` have a new `identifier_tls_alpn`
  255. field which contains, if available, the identifier in a form that is suitable
  256. to the TLS ALPN challenge.
  257. - Globing is now supported for configuration files inclusion.
  258. - The CSR's digest algorithm can now be specified using the `csr_digest`
  259. parameter.
  261. ### Changed
  263. - In the certificate configuration, the `domains` field has been renamed
  264. `identifiers`.
  265. - The `algorithm` certificate configuration field has been renamed `key_type`.
  266. - The `algorithm` hook template variable has been renamed `key_type`.
  267. - The `domain` hook template variable has been renamed `identifier`.
  268. - The default hooks have been updated.
  270. ### Fixed
  272. - The Makefile now works on FreeBSD. It should also work on other BSD although
  273. it has not been tested.
  276. ## [0.9.0] - 2020-08-01
  278. ### Added
  280. - System users and groups can now be specified by name in addition to uid/gid.
  282. ### Changed
  284. - The HTTP(S) part is now handled by `attohttpc` instead of `reqwest`.
  286. ### Fixed
  288. - In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext`
  289. instead of itself.
  292. ## [0.8.0] - 2020-06-12
  294. ### Changed
  296. - The HTTP(S) part is now handled by `reqwest` instead of `http_req`.
  298. ### Fixed
  300. - `make install` now work with the busybox toolchain.
  303. ## [0.7.0] - 2020-03-12
  305. ### Added
  307. - Wildcard certificates are now supported. In the file name, the `*` is
  308. replaced by `_`.
  309. - Internationalized domain names are now supported.
  311. ### Changed
  313. - The PID file is now always written whether or not ACMEd is running in the
  314. foreground. Previously, it was written only when running in the background.
  316. ### Fixed
  318. - In the directory, the `externalAccountRequired` field is now a boolean
  319. instead of a string.
  322. ## [0.6.1] - 2019-09-13
  324. ### Fixed
  326. - A race condition when requesting multiple certificates on the same
  327. non-existent account has been fixed.
  328. - The `foregroung` option has been renamed `foreground`.
  331. ## [0.6.0] - 2019-06-05
  333. ### Added
  335. - Hooks now have the optional `allow_failure` field.
  336. - In hooks, the `stdin_str` has been added in replacement of the previous
  337. `stdin` behavior.
  338. - HTTPS request rate limits.
  340. ### Changed
  342. - Certificates are renewed in parallel.
  343. - Hooks are now cleaned right after the current challenge has been validated
  344. instead of after the certificate's retrieval.
  345. - In hooks, the `stdin` field now refers to the path of the file that should be
  346. written into the hook's standard input.
  347. - The logging format has been re-written.
  349. ### Fixed
  351. - The http-01-echo hook now correctly sets the file's access rights
  354. ## [0.5.0] - 2019-05-09
  356. ### Added
  358. - ACMEd now displays a warning when the server indicates an error in an order
  359. or an authorization.
  360. - A configuration file can now include several other files.
  361. - Hooks have access to environment variables.
  362. - In the configuration, the global section, certificates and domains can define
  363. environment variables for the hooks.
  364. - tacd is now able to listen on a unix socket.
  367. ## [0.4.0] - 2019-05-08
  369. ### Added
  371. - Man pages.
  372. - The project can now be built and installed using `make`.
  373. - The post-operation hooks now have access to the `is_success` template
  374. variable.
  375. - Challenge hooks now have the `is_clean_hook` template variable.
  376. - An existing certificate will be renewed if more domains have been added in
  377. the configuration.
  379. ### Changed
  381. - Unknown configuration fields are no longer tolerated.
  383. ### Removed
  385. - In challenge hooks, the `algorithm` template variable has been removed.
  387. ### Fixed
  389. - In some cases, ACMEd was unable to parse a certificate's expiration date.
  392. ## [0.3.0] - 2019-04-30
  394. ### Added
  396. - tacd, the TLS-ALPN-01 validation daemon.
  397. - An account object has been added in the configuration.
  398. - In the configuration, hooks now have a mandatory `type` variable.
  399. - It is now possible to declare hooks to clean after the challenge validation
  400. hooks.
  401. - The CLI `--root-cert` option has been added.
  402. - Failure recovery: HTTPS requests rejected by the server that are recoverable,
  403. like the badNonce error, are now retried several times before being
  404. considered a hard failure.
  405. - The TLS-ALPN-01 challenge is now supported. The proof is a string
  406. representation of the acmeIdentifier extension. The self-signed certificate
  407. itself has to be built by a hook.
  409. ### Changed
  411. - In the configuration, the `email` certificate field has been replaced by the
  412. `account` field which matches an account object.
  413. - The format of the `domain` configuration variable has changed and now
  414. includes the challenge type.
  415. - The `token` challenge hook variable has been renamed `file_name`.
  416. - The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`,
  417. `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`
  418. certificate variables has been replaced by `hooks`.
  419. - The logs has been purged from many useless debug and trace entries.
  421. ### Removed
  423. - The DER storage format has been removed.
  424. - The `challenge` certificate variables has been removed.
  427. ## [0.2.1] - 2019-03-30
  429. ### Fixed
  431. - The bug that prevented from requesting more than two certificates has been
  432. fixed.
  435. ## [0.2.0] - 2019-03-27
  437. ### Added
  439. - The `kp_reuse` flag allow to reuse a key pair instead of creating a new one
  440. at each renewal.
  441. - It is now possible to define hook groups that can reference either hooks or
  442. other hook groups.
  443. - Hooks can be defined when before and after a file is created or edited
  444. (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and
  445. `file_post_edit_hooks`).
  446. - It is now possible to send logs either to syslog or stderr using the
  447. `--to-syslog` and `--to-stderr` arguments.
  449. ### Changed
  451. - `post_operation_hook` has been renamed `post_operation_hooks`.
  452. - By default, logs are now sent to syslog instead of stderr.
  453. - The process is now daemonized by default. It is possible to still run it in
  454. the foreground using the `--foregroung` flag.