Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
266 Commits
12 Branches
27 Tags
2.2 MiB
Tree: 52fe2c60ba
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '52fe2c60ba'
${ noResults }
acmed/CHANGELOG.md

163 lines
6.6 KiB
Raw Normal View History

Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
ACMEd v0.7.0
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Allow to define a custom delay for renewal
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Add Unix style globing for config file inclusion Close #6
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Refactor the certificate key type management The previous system used a duplicated enum (`acmed::certificate::Algorithm`) and an imprecise identifier name (algorithm) for both the certificate configuration and post operation hook variable. The first one has been replaced by the `acme_common::crypto::KeyType` enum and the second renames `key_type`.
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
4 years ago
ACMEd v0.9.0
4 years ago
Add support for user and groups names
4 years ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
4 years ago
Update the change log
4 years ago
Add support for user and groups names
4 years ago
ACMEd v0.8.0
4 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
4 years ago
`Make install` now work with the busybox toolchain.
5 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
4 years ago
ACMEd v0.7.0
5 years ago
Replace * by _ in file names
5 years ago
Add internationalized domain names support
5 years ago
Replace * by _ in file names
5 years ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
5 years ago
Fix the type of the externalAccountRequired field
5 years ago
Add internationalized domain names support
5 years ago
ACMEd v0.6.1
5 years ago
Update the change log
5 years ago
Fix the "foregroung" typo I made the typo once and then copy/pasted it everywhere.
5 years ago
Update the change log
5 years ago
ACMEd 0.6.0
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Allow to give a file path in a hook's stdin There is use-cases where a command's standard input should be filled with a file's content. In order to stay consistent with the names of the other fields, `stdin` is now the field which accepts such a path. `stdin_str` has been created in order to also support the use of a raw string.
6 years ago
Add rate limits for HTTPS requests
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Renew certificates in parallel
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Allow to give a file path in a hook's stdin There is use-cases where a command's standard input should be filled with a file's content. In order to stay consistent with the names of the other fields, `stdin` is now the field which accepts such a path. `stdin_str` has been created in order to also support the use of a raw string.
6 years ago
Improve the logging format In order to renew different certificate at the same time, log messages must display which certificate they are referring to.
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Fix the http-01-echo default hook
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
ACMEd 0.5.0
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
Allow the config file to include other files
6 years ago
Add environment variables to hook templates
6 years ago
Add env variable definition in the global section
6 years ago
Allow tacd to listen on a unix socket
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
ACMEd 0.4.0
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Update the changelog
6 years ago
Add the is_success variable to post-operation hooks
6 years ago
Add the is_clean_hook variable to challenge hooks
6 years ago
Renew a certificate that does not include all domains At some point, someone may add new domains to an existing certificate. In such case, this certificate should be renewed as soon as possible instead of upon expiration.
6 years ago
Update the changelog
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
v0.3.0
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Add tacd to the CHANGELOG
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Update the CHANGELOG
6 years ago
Retry request rejected with a recoverable error Some errors, like the badNonce one, are recoverable. Hence, the client is expected to retry. ACMEd will now re-send the associated request until it succeed or the max retries number is reached. Each retry is preceded by a small waiting time in order to let the server recover in case it was faulty.
6 years ago
Add tls-alpn-01 challenge support Although the standardization is still a draft, this challenge is already supported by Let's Encrypt. https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
v0.2.1
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Add hook groups Some configurations may require to run the same bunch of hooks for several domains. In order to limit repetition, it is now possible to create a group that will reference to hooks or hook groups.
6 years ago
Add hooks before and after a file is created or edited It is considered a good practice to archive old certificates and private keys instead of simply dropping them away. Because ACMEd should not impose a way of doing things to system administrators, hooks are the way to go.
6 years ago
Send logs to syslog
6 years ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Send logs to syslog
6 years ago
Daemonize the process
6 years ago
  2. [//]: # (Copyright 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>)
  4. [//]: # (Copying and distribution of this file, with or without modification,)
  5. [//]: # (are permitted in any medium without royalty provided the copyright)
  6. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  7. [//]: # (without any warranty.)
  9. # Changelog
  10. All notable changes to this project will be documented in this file.
  12. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
  13. and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
  16. ## [Unreleased]
  18. ### Added
  19. - The account key type and signature algorithm can now be specified in the configuration.
  20. - The delay to renew a certificate before its expiration date can be specified in the configuration using the `renew_delay` parameter at either the certificate, endpoint and global level.
  21. - It is now possible to specify IP identifiers (RFC 8738).
  22. - The hook templates of type `challenge-*` have a new `identifier_tls_alpn` field which contains, if available, the identifier in a form that is suitable to the TLS ALPN challenge.
  23. - Globing is now supported for configuration files inclusion.
  25. ### Changed
  26. - In the certificate configuration, the `domains` field has been renamed `identifiers`.
  27. - The `algorithm` certificate configuration field has been renamed `key_type`.
  28. - The `algorithm` hook template variable has been renamed `key_type`.
  29. - The `domain` hook template variable has been renamed `identifier`.
  30. - The default hooks have been updated.
  32. ### Fixed
  33. - The Makefile now works on FreeBSD. It should also work on other BSD although it has not been tested.
  36. ## [0.9.0] - 2020-08-01
  38. ### Added
  39. - System users and groups can now be specified by name in addition to uid/gid.
  41. ### Changed
  42. - The HTTP(S) part is now handled by `attohttpc` instead of `reqwest`.
  44. ### Fixed
  45. - In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext` instead of itself.
  48. ## [0.8.0] - 2020-06-12
  50. ### Changed
  51. - The HTTP(S) part is now handled by `reqwest` instead of `http_req`.
  53. ## Fixed
  54. - `make install` now work with the busybox toolchain.
  57. ## [0.7.0] - 2020-03-12
  59. ### Added
  60. - Wildcard certificates are now supported. In the file name, the `*` is replaced by `_`.
  61. - Internationalized domain names are now supported.
  63. ### Changed
  64. - The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background.
  66. ### Fixed
  67. - In the directory, the `externalAccountRequired` field is now a boolean instead of a string.
  70. ## [0.6.1] - 2019-09-13
  72. ### Fixed
  73. - A race condition when requesting multiple certificates on the same non-existent account has been fixed.
  74. - The `foregroung` option has been renamed `foreground`.
  77. ## [0.6.0] - 2019-06-05
  79. ### Added
  80. - Hooks now have the optional `allow_failure` field.
  81. - In hooks, the `stdin_str` has been added in replacement of the previous `stdin` behavior.
  82. - HTTPS request rate limits.
  84. ### Changed
  85. - Certificates are renewed in parallel.
  86. - Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
  87. - In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input.
  88. - The logging format has been re-written.
  90. ### Fixed
  91. - The http-01-echo hook now correctly sets the file's access rights
  94. ## [0.5.0] - 2019-05-09
  96. ### Added
  97. - ACMEd now displays a warning when the server indicates an error in an order or an authorization.
  98. - A configuration file can now include several other files.
  99. - Hooks have access to environment variables.
  100. - In the configuration, the global section, certificates and domains can define environment variables for the hooks.
  101. - tacd is now able to listen on a unix socket.
  104. ## [0.4.0] - 2019-05-08
  106. ### Added
  107. - Man pages.
  108. - The project can now be built and installed using `make`.
  109. - The post-operation hooks now have access to the `is_success` template variable.
  110. - Challenge hooks now have the `is_clean_hook` template variable.
  111. - An existing certificate will be renewed if more domains have been added in the configuration.
  113. ### Changed
  114. - Unknown configuration fields are no longer tolerated.
  116. ### Removed
  117. - In challenge hooks, the `algorithm` template variable has been removed.
  119. ### Fixed
  120. - In some cases, ACMEd was unable to parse a certificate's expiration date.
  123. ## [0.3.0] - 2019-04-30
  125. ### Added
  126. - tacd, the TLS-ALPN-01 validation daemon.
  127. - An account object has been added in the configuration.
  128. - In the configuration, hooks now have a mandatory `type` variable.
  129. - It is now possible to declare hooks to clean after the challenge validation hooks.
  130. - The CLI `--root-cert` option has been added.
  131. - Failure recovery: HTTPS requests rejected by the server that are recoverable, like the badNonce error, are now retried several times before being considered a hard failure.
  132. - The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook.
  134. ### Changed
  135. - In the configuration, the `email` certificate field has been replaced by the `account` field which matches an account object.
  136. - The format of the `domain` configuration variable has changed and now includes the challenge type.
  137. - The `token` challenge hook variable has been renamed `file_name`.
  138. - The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables has been replaced by `hooks`.
  139. - The logs has been purged from many useless debug and trace entries.
  141. ### Removed
  142. - The DER storage format has been removed.
  143. - The `challenge` certificate variables has been removed.
  146. ## [0.2.1] - 2019-03-30
  148. ### Changed
  149. - The bug that prevented from requesting more than two certificates has been fixed.
  152. ## [0.2.0] - 2019-03-27
  154. ### Added
  155. - The `kp_reuse` flag allow to reuse a key pair instead of creating a new one at each renewal.
  156. - It is now possible to define hook groups that can reference either hooks or other hook groups.
  157. - Hooks can be defined when before and after a file is created or edited (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`).
  158. - It is now possible to send logs either to syslog or stderr using the `--to-syslog` and `--to-stderr` arguments.
  160. ### Changed
  161. - `post_operation_hook` has been renamed `post_operation_hooks`.
  162. - By default, logs are now sent to syslog instead of stderr.
  163. - The process is now daemonized by default. It is possible to still run it in the foreground using the `--foregroung` flag.