Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
597 Commits
13 Branches
28 Tags
2.5 MiB
Tree: 523032a214
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '523032a214'
${ noResults }
acmed/CHANGELOG.md

455 lines
12 KiB
Raw Normal View History

ACMEd v0.7.0
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
1 month ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
1 month ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Use a table of table for the hooks and groups
1 month ago
Update the change log
1 month ago
Load the configuration
1 month ago
Remove support for OpenSSL
1 month ago
Load the configuration
1 month ago
ACMEd v0.24.0
1 month ago
Remove OpenSSL 1.0 for tacd
3 months ago
Update the change log
1 month ago
Load the configuration
1 month ago
Update the change log
1 month ago
Remove OpenSSL 1.0 for tacd
3 months ago
Load the configuration
1 month ago
Remove OpenSSL 1.0 for tacd
3 months ago
ACMEd v0.23.0
12 months ago
Update dependencies
1 year ago
Add the raw_proof variable to the challenge-tls-alpn-01 hook fixes #129
1 year ago
Load the configuration
1 month ago
Format the change log
1 month ago
Add the raw_proof variable to the challenge-tls-alpn-01 hook fixes #129
1 year ago
Update dependencies
1 year ago
Load the configuration
1 month ago
Update dependencies
12 months ago
Update dependencies
1 year ago
ACMEd v0.22.2
1 year ago
Fix the default hooks
1 year ago
Load the configuration
1 month ago
Format the change log
1 month ago
Fix the default hooks
1 year ago
ACMEd v0.22.1
1 year ago
Update the lockfile during release fix #103
1 year ago
Load the configuration
1 month ago
Format the change log
1 month ago
Update the lockfile during release fix #103
1 year ago
ACMEd v0.22.0
1 year ago
Update the MSRV
2 years ago
Update the change log
1 year ago
Load the configuration
1 month ago
Format the change log
1 month ago
Update the change log
1 year ago
Update the MSRV
2 years ago
Load the configuration
1 month ago
Update the MSRV
1 year ago
Update the change log
2 years ago
Format the change log
1 month ago
Change the template engine to MiniJinja
2 years ago
Format the change log
1 month ago
Update the MSRV
2 years ago
Update the change log
2 years ago
Update the change log
2 years ago
Load the configuration
1 month ago
Update the change log
2 years ago
Load the configuration
1 month ago
Update the change log
2 years ago
ACMEd v0.19.0
3 years ago
Fix an invalid reference in the command line arguments
3 years ago
Add the `--no-pid-file` argument Fixes #60
3 years ago
Load the configuration
1 month ago
Add the `--no-pid-file` argument Fixes #60
3 years ago
Fix an invalid reference in the command line arguments
3 years ago
Load the configuration
1 month ago
Fix an invalid reference in the command line arguments
3 years ago
Add some missing file path in log messages Rel #24
3 years ago
Format the change log
1 month ago
Fix an invalid reference in the command line arguments
3 years ago
ACMEd v0.19.0
3 years ago
Update the minimal required Rust version
3 years ago
Add the acmed@user.service systemd unit configuration
3 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Add the acmed@user.service systemd unit configuration
3 years ago
Update the minimal required Rust version
3 years ago
Load the configuration
1 month ago
Fix the changelog
3 years ago
Update the minimal required Rust version
3 years ago
ACMEd v0.18.0
4 years ago
Add new verbs to the polkit rule
4 years ago
Load the configuration
1 month ago
Add support for Ed25519 and Ed448 account keys and certificates Fixes #36
4 years ago
Format the change log
1 month ago
Add new verbs to the polkit rule
4 years ago
ACMEd v0.18.0
4 years ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Format the change log
1 month ago
update LFS compliance volatile runtime data * the former /var/run is depreciated -> using /run * update rust build scripts sources to use the new path * update CHANGELOG to reflect the changes Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
4 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
4 years ago
Allow the configuration of some default values at compile time using environment variables
4 years ago
ACMEd v0.16.0
4 years ago
Update the certificate's subject attributes
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Update the certificate's subject attributes
4 years ago
Load the configuration
1 month ago
Update the certificate's subject attributes
4 years ago
ACMEd v0.15.0
4 years ago
Update the nom dependency
4 years ago
Add the file_name_format config directive
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Add the file_name_format config directive
4 years ago
Include config files only once
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Include config files only once
4 years ago
Allow certificates to have the same name but different key type
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Allow certificates to have the same name but different key type
4 years ago
Update the nom dependency
4 years ago
ACMEd v0.14.0
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Allow to specify a unique name for each certificate
4 years ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Load the configuration
1 month ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Fix the CHANGELOG
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Fix the CHANGELOG
4 years ago
ACMEd v0.12.0
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Load the configuration
1 month ago
Allow to specify subject attributes for certificates
4 years ago
Add support for NIST P-521 curve and ES512 signatures
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Stop to require the `orders` field on account creation RFC 8555 states that: - when an account is successfully created, the server "returns this account object" (section 7.3); - the `orders` field in account objects is mandatory (section 7.1.2). Despite that, Boulder does not returns the `orders` field when an account is created. This non-standard behavior prevented ACMEd from creating account and testing them for existence. In order to allow ACMEd to retrieve certificates from CAs using Boulder, the `orders` field is no longer mandatory and the account existence is tested when the order is requested. https://github.com/letsencrypt/boulder/issues/3335
4 years ago
Load the configuration
1 month ago
Stop to require the `orders` field on account creation RFC 8555 states that: - when an account is successfully created, the server "returns this account object" (section 7.3); - the `orders` field in account objects is mandatory (section 7.1.2). Despite that, Boulder does not returns the `orders` field when an account is created. This non-standard behavior prevented ACMEd from creating account and testing them for existence. In order to allow ACMEd to retrieve certificates from CAs using Boulder, the `orders` field is no longer mandatory and the account existence is tested when the order is requested. https://github.com/letsencrypt/boulder/issues/3335
4 years ago
Allow to specify subject attributes for certificates
4 years ago
ACMEd v0.11.0
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Load the configuration
1 month ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Add external account binding
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Update the CHANGELOG
4 years ago
Load the configuration
1 month ago
Update the CHANGELOG
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
ACMEd v0.10.0
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
Allow to specify the account key type and signature alg in the config
5 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Add Unix style globing for config file inclusion Close #6
5 years ago
Format the change log
1 month ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
5 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Refactor the certificate key type management The previous system used a duplicated enum (`acmed::certificate::Algorithm`) and an imprecise identifier name (algorithm) for both the certificate configuration and post operation hook variable. The first one has been replaced by the `acme_common::crypto::KeyType` enum and the second renames `key_type`.
5 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
5 years ago
Allow to specify the account key type and signature alg in the config
5 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
5 years ago
ACMEd v0.9.0
5 years ago
Add support for user and groups names
5 years ago
Load the configuration
1 month ago
Add support for user and groups names
5 years ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
5 years ago
Load the configuration
1 month ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
5 years ago
Update the change log
5 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Update the change log
5 years ago
Add support for user and groups names
5 years ago
ACMEd v0.8.0
5 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
Load the configuration
1 month ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
Load the configuration
1 month ago
`Make install` now work with the busybox toolchain.
5 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
5 years ago
ACMEd v0.7.0
5 years ago
Replace * by _ in file names
5 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Add internationalized domain names support
5 years ago
Replace * by _ in file names
5 years ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
5 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
5 years ago
Fix the type of the externalAccountRequired field
5 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Fix the type of the externalAccountRequired field
5 years ago
Add internationalized domain names support
5 years ago
ACMEd v0.6.1
5 years ago
Update the change log
6 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Fix the "foregroung" typo I made the typo once and then copy/pasted it everywhere.
5 years ago
Update the change log
6 years ago
ACMEd 0.6.0
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Load the configuration
1 month ago
Add an option to stop or continue after a failed hook
6 years ago
Format the change log
1 month ago
Add rate limits for HTTPS requests
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Load the configuration
1 month ago
Renew certificates in parallel
6 years ago
Format the change log
1 month ago
Improve the logging format In order to renew different certificate at the same time, log messages must display which certificate they are referring to.
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Fix the http-01-echo default hook
6 years ago
Load the configuration
1 month ago
Fix the http-01-echo default hook
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
ACMEd 0.5.0
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Allow the config file to include other files
6 years ago
Add environment variables to hook templates
6 years ago
Format the change log
1 month ago
Allow tacd to listen on a unix socket
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
ACMEd 0.4.0
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Load the configuration
1 month ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Update the changelog
6 years ago
Format the change log
1 month ago
Add the is_clean_hook variable to challenge hooks
6 years ago
Format the change log
1 month ago
Update the changelog
6 years ago
Load the configuration
1 month ago
Update the changelog
6 years ago
Load the configuration
1 month ago
Update the changelog
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Load the configuration
1 month ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
v0.3.0
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Load the configuration
1 month ago
Add tacd to the CHANGELOG
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Format the change log
1 month ago
Update the CHANGELOG
6 years ago
Format the change log
1 month ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Format the change log
1 month ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Load the configuration
1 month ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
v0.2.1
6 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
v0.2.1
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Load the configuration
1 month ago
Format the change log
1 month ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Load the configuration
1 month ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Send logs to syslog
6 years ago
Format the change log
1 month ago
  1. [//]: # (Copyright 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>)
  3. [//]: # (Copying and distribution of this file, with or without modification,)
  4. [//]: # (are permitted in any medium without royalty provided the copyright)
  5. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  6. [//]: # (without any warranty.)
  8. # Changelog
  10. All notable changes to this project will be documented in this file.
  12. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
  13. and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
  16. ## [Unreleased]
  18. ### Changed
  20. - Instead of loading a default configuration file, ACMEd now loads all the
  21. files from a default configuration directory (by default,
  22. `/etc/acmed/conf-enabled`).
  23. - The configuration arrays for accounts, endpoints, rate limits, hooks and
  24. groups has been replaced by tables.
  25. - The name of user-defined hooks and groups cannot start with `internal:`,
  26. which is now reserved for internal hooks.
  28. ### Removed
  30. - OpenSSL support has been removed.
  31. - tacd has been removed.
  32. - The `include` directive has been removed from the configuration.
  35. ## [0.24.0] - 2024-12-21
  37. ### Added
  39. - The file extension can now be customized.
  41. ### Changed
  43. - tacd does no longer supports OpenSSL 1.0.
  46. ## [0.23.0] - 2024-02-10
  48. ### Added
  50. - The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which
  51. contains the SHA-256 digest of the key authorization, encoded using Base64
  52. URL scheme without padding.
  54. ### Changed
  56. - The minimum supported Rust version (MSRV) is now 1.74.
  59. ## [0.22.2] - 2024-01-09
  61. ### Fixed
  63. - The default hooks were not properly updated during the 0.22.0 release, which
  64. causes the certificate renewal to fail.
  67. ## [0.22.1] - 2023-12-20
  69. ### Fixed
  71. - The `Cargo.lock` file is now updated before a new version is released (GitHub
  72. bug #103).
  75. ## [0.22.0] - 2023-12-20
  77. ### Fixed
  79. - ACMEd no longer crashes when the `random_early_renew` parameter is set to
  80. zero (GitHub bug #102).
  82. ### Changed
  84. - The minimum supported Rust version (MSRV) is now 1.70.
  85. - Manual (and badly designed) threads have been replaced by async.
  86. - Randomized early delay, for spacing out renewals when dealing with a lot of
  87. certificates.
  88. - Replaced the template engine TinyTemplate with MiniJinja.
  89. - The default period of time between the certificate renewal and its expiration
  90. date (`renew_delay`) has been changed from 3 weeks to 30 days.
  93. ## [0.21.0] - 2022-12-19
  95. ### Fixed
  97. - The JWK representation of ECDSA keys now have their coordinates padded.
  99. ### Changed
  101. - The minimal required Rust version is now 1.60.
  104. ## [0.20.0] - 2022-05-08
  106. ### Added
  108. - The `--no-pid-file` argument has been added to ACMEd and tacd.
  110. ### Fixed
  112. - An invalid reference in the command line arguments has been fixed.
  113. - Some missing file path in log messages has been added.
  114. - The calculation of the certificate's expiration delay does no longer break
  115. compilation on some systems.
  118. ## [0.19.0] - 2022-04-17
  120. ### Added
  122. - The `acmed@user.service` systemd unit configuration has been added as an
  123. alternative to the `acmed.service` unit.
  125. ### Changed
  127. - The minimal required Rust version is now 1.54.
  129. ## [0.18.0] - 2021-06-13
  131. ### Added
  133. - Add support for Ed25519 and Ed448 account keys and certificates.
  134. - In addition to `restart`, the Polkit rule also allows the `reload`,
  135. `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs.
  138. ## [0.17.0] - 2021-05-04
  140. ### Added
  142. - Allow the configuration of some default values at compile time using
  143. environment variables.
  145. ### Changed
  147. - The template engine has been changed in favor of TinyTemplate, which has a
  148. different syntax than the previous one.
  149. - The default account directory now is `/var/lib/acmed/accounts`.
  150. - The default certificates and private keys directory now is
  151. `/var/lib/acmed/certs`.
  152. - The default for volatile runtime data now is `/run`.
  155. ## [0.16.0] - 2020-11-11
  157. ### Added
  159. - The `pkcs9_email_address`, `postal_address` and `postal_code` subject
  160. attributes has been added.
  162. ### Changed
  164. - The `friendly_name` and `pseudonym` subject attributes has been removed.
  165. - The `street_address` subject attribute has been renamed `street`.
  168. ## [0.15.0] - 2020-11-03
  170. ### Added
  172. - The names of both the certificate file and the associated private key can now
  173. be configured.
  175. ### Fixed
  177. - Configuration files cannot be loaded more than one time, which prevents
  178. infinite recursion.
  180. ### Changed
  182. - Certificates are now allowed to share the same name if their respective key
  183. type is different.
  186. ## [0.14.0] - 2020-10-27
  188. ### Added
  190. - Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`
  191. environment variables.
  192. - Allow to specify a unique name for each certificate.
  194. ### Changed
  196. - The minimal required Rust version is 1.42.0.
  199. ## [0.13.0] - 2020-10-10
  201. ### Added
  203. - In the configuration, `root_certificates` has been added to the `global` and
  204. `endpoint` sections as an array of strings representing the path to root
  205. certificate files.
  206. - At compilation, it is now possible to statically link OpenSSL using the
  207. `openssl_vendored` feature.
  208. - In the Makefile, it is now possible to specify which target triple to build
  209. for.
  212. ## [0.12.0] - 2020-09-26
  214. ### Added
  216. - Some subject attributes can now be specified.
  217. - Support for NIST P-521 certificates and account keys.
  219. ### Fixed
  221. - Support for Let's Encrypt non-standard account creation object.
  224. ## [0.11.0] - 2020-09-19
  226. ### Added
  228. - The `contacts` account configuration field has been added.
  229. - External account binding.
  231. ### Changed
  233. - The `email` account configuration field has been removed. In replacement, use
  234. the `contacts` field.
  235. - Accounts now have their own hooks and environment.
  236. - Accounts are now stored in a single binary file.
  238. ### Fixed
  240. - ACMEd can now build on platforms with a `time_t` not defined as an `i64`.
  241. - The Makefile is now fully works on FreeBSD.
  244. ## [0.10.0] - 2020-08-27
  246. ### Added
  248. - The account key type and signature algorithm can now be specified in the
  249. configuration using the `key_type` and `signature_algorithm` parameters.
  250. - The delay to renew a certificate before its expiration date can be specified
  251. in the configuration using the `renew_delay` parameter at either the
  252. certificate, endpoint and global level.
  253. - It is now possible to specify IP identifiers (RFC 8738) using the `ip`
  254. parameter instead of the `dns` one.
  255. - The hook templates of type `challenge-*` have a new `identifier_tls_alpn`
  256. field which contains, if available, the identifier in a form that is suitable
  257. to the TLS ALPN challenge.
  258. - Globing is now supported for configuration files inclusion.
  259. - The CSR's digest algorithm can now be specified using the `csr_digest`
  260. parameter.
  262. ### Changed
  264. - In the certificate configuration, the `domains` field has been renamed
  265. `identifiers`.
  266. - The `algorithm` certificate configuration field has been renamed `key_type`.
  267. - The `algorithm` hook template variable has been renamed `key_type`.
  268. - The `domain` hook template variable has been renamed `identifier`.
  269. - The default hooks have been updated.
  271. ### Fixed
  273. - The Makefile now works on FreeBSD. It should also work on other BSD although
  274. it has not been tested.
  277. ## [0.9.0] - 2020-08-01
  279. ### Added
  281. - System users and groups can now be specified by name in addition to uid/gid.
  283. ### Changed
  285. - The HTTP(S) part is now handled by `attohttpc` instead of `reqwest`.
  287. ### Fixed
  289. - In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext`
  290. instead of itself.
  293. ## [0.8.0] - 2020-06-12
  295. ### Changed
  297. - The HTTP(S) part is now handled by `reqwest` instead of `http_req`.
  299. ### Fixed
  301. - `make install` now work with the busybox toolchain.
  304. ## [0.7.0] - 2020-03-12
  306. ### Added
  308. - Wildcard certificates are now supported. In the file name, the `*` is
  309. replaced by `_`.
  310. - Internationalized domain names are now supported.
  312. ### Changed
  314. - The PID file is now always written whether or not ACMEd is running in the
  315. foreground. Previously, it was written only when running in the background.
  317. ### Fixed
  319. - In the directory, the `externalAccountRequired` field is now a boolean
  320. instead of a string.
  323. ## [0.6.1] - 2019-09-13
  325. ### Fixed
  327. - A race condition when requesting multiple certificates on the same
  328. non-existent account has been fixed.
  329. - The `foregroung` option has been renamed `foreground`.
  332. ## [0.6.0] - 2019-06-05
  334. ### Added
  336. - Hooks now have the optional `allow_failure` field.
  337. - In hooks, the `stdin_str` has been added in replacement of the previous
  338. `stdin` behavior.
  339. - HTTPS request rate limits.
  341. ### Changed
  343. - Certificates are renewed in parallel.
  344. - Hooks are now cleaned right after the current challenge has been validated
  345. instead of after the certificate's retrieval.
  346. - In hooks, the `stdin` field now refers to the path of the file that should be
  347. written into the hook's standard input.
  348. - The logging format has been re-written.
  350. ### Fixed
  352. - The http-01-echo hook now correctly sets the file's access rights
  355. ## [0.5.0] - 2019-05-09
  357. ### Added
  359. - ACMEd now displays a warning when the server indicates an error in an order
  360. or an authorization.
  361. - A configuration file can now include several other files.
  362. - Hooks have access to environment variables.
  363. - In the configuration, the global section, certificates and domains can define
  364. environment variables for the hooks.
  365. - tacd is now able to listen on a unix socket.
  368. ## [0.4.0] - 2019-05-08
  370. ### Added
  372. - Man pages.
  373. - The project can now be built and installed using `make`.
  374. - The post-operation hooks now have access to the `is_success` template
  375. variable.
  376. - Challenge hooks now have the `is_clean_hook` template variable.
  377. - An existing certificate will be renewed if more domains have been added in
  378. the configuration.
  380. ### Changed
  382. - Unknown configuration fields are no longer tolerated.
  384. ### Removed
  386. - In challenge hooks, the `algorithm` template variable has been removed.
  388. ### Fixed
  390. - In some cases, ACMEd was unable to parse a certificate's expiration date.
  393. ## [0.3.0] - 2019-04-30
  395. ### Added
  397. - tacd, the TLS-ALPN-01 validation daemon.
  398. - An account object has been added in the configuration.
  399. - In the configuration, hooks now have a mandatory `type` variable.
  400. - It is now possible to declare hooks to clean after the challenge validation
  401. hooks.
  402. - The CLI `--root-cert` option has been added.
  403. - Failure recovery: HTTPS requests rejected by the server that are recoverable,
  404. like the badNonce error, are now retried several times before being
  405. considered a hard failure.
  406. - The TLS-ALPN-01 challenge is now supported. The proof is a string
  407. representation of the acmeIdentifier extension. The self-signed certificate
  408. itself has to be built by a hook.
  410. ### Changed
  412. - In the configuration, the `email` certificate field has been replaced by the
  413. `account` field which matches an account object.
  414. - The format of the `domain` configuration variable has changed and now
  415. includes the challenge type.
  416. - The `token` challenge hook variable has been renamed `file_name`.
  417. - The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`,
  418. `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`
  419. certificate variables has been replaced by `hooks`.
  420. - The logs has been purged from many useless debug and trace entries.
  422. ### Removed
  424. - The DER storage format has been removed.
  425. - The `challenge` certificate variables has been removed.
  428. ## [0.2.1] - 2019-03-30
  430. ### Fixed
  432. - The bug that prevented from requesting more than two certificates has been
  433. fixed.
  436. ## [0.2.0] - 2019-03-27
  438. ### Added
  440. - The `kp_reuse` flag allow to reuse a key pair instead of creating a new one
  441. at each renewal.
  442. - It is now possible to define hook groups that can reference either hooks or
  443. other hook groups.
  444. - Hooks can be defined when before and after a file is created or edited
  445. (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and
  446. `file_post_edit_hooks`).
  447. - It is now possible to send logs either to syslog or stderr using the
  448. `--to-syslog` and `--to-stderr` arguments.
  450. ### Changed
  452. - `post_operation_hook` has been renamed `post_operation_hooks`.
  453. - By default, logs are now sent to syslog instead of stderr.
  454. - The process is now daemonized by default. It is possible to still run it in
  455. the foreground using the `--foregroung` flag.