Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
169 Commits
12 Branches
27 Tags
2.2 MiB
Tree: 9a436fc35f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9a436fc35f'
${ noResults }
acmed/CHANGELOG.md

117 lines
4.8 KiB
Raw Normal View History

Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Replace * by _ in file names
5 years ago
Fix the type of the externalAccountRequired field
5 years ago
ACMEd v0.6.1
5 years ago
Update the change log
5 years ago
Fix the "foregroung" typo I made the typo once and then copy/pasted it everywhere.
5 years ago
Update the change log
5 years ago
ACMEd 0.6.0
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Allow to give a file path in a hook's stdin There is use-cases where a command's standard input should be filled with a file's content. In order to stay consistent with the names of the other fields, `stdin` is now the field which accepts such a path. `stdin_str` has been created in order to also support the use of a raw string.
6 years ago
Add rate limits for HTTPS requests
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Renew certificates in parallel
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Allow to give a file path in a hook's stdin There is use-cases where a command's standard input should be filled with a file's content. In order to stay consistent with the names of the other fields, `stdin` is now the field which accepts such a path. `stdin_str` has been created in order to also support the use of a raw string.
6 years ago
Improve the logging format In order to renew different certificate at the same time, log messages must display which certificate they are referring to.
6 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
6 years ago
Fix the http-01-echo default hook
6 years ago
Add an option to stop or continue after a failed hook
6 years ago
ACMEd 0.5.0
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
Allow the config file to include other files
6 years ago
Add environment variables to hook templates
6 years ago
Add env variable definition in the global section
6 years ago
Allow tacd to listen on a unix socket
6 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
6 years ago
ACMEd 0.4.0
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Update the changelog
6 years ago
Add the is_success variable to post-operation hooks
6 years ago
Add the is_clean_hook variable to challenge hooks
6 years ago
Renew a certificate that does not include all domains At some point, someone may add new domains to an existing certificate. In such case, this certificate should be renewed as soon as possible instead of upon expiration.
6 years ago
Update the changelog
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
6 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
6 years ago
v0.3.0
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Add tacd to the CHANGELOG
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Update the CHANGELOG
6 years ago
Retry request rejected with a recoverable error Some errors, like the badNonce one, are recoverable. Hence, the client is expected to retry. ACMEd will now re-send the associated request until it succeed or the max retries number is reached. Each retry is preceded by a small waiting time in order to let the server recover in case it was faulty.
6 years ago
Add tls-alpn-01 challenge support Although the standardization is still a draft, this challenge is already supported by Let's Encrypt. https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
6 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
6 years ago
v0.2.1
6 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
6 years ago
Add hook groups Some configurations may require to run the same bunch of hooks for several domains. In order to limit repetition, it is now possible to create a group that will reference to hooks or hook groups.
6 years ago
Add hooks before and after a file is created or edited It is considered a good practice to archive old certificates and private keys instead of simply dropping them away. Because ACMEd should not impose a way of doing things to system administrators, hooks are the way to go.
6 years ago
Send logs to syslog
6 years ago
Rename post_operation_hook to post_operation_hooks
6 years ago
Send logs to syslog
6 years ago
Daemonize the process
6 years ago
  2. [//]: # (Copyright 2019 Rodolphe Bréard <rodolphe@breard.tf>)
  4. [//]: # (Copying and distribution of this file, with or without modification,)
  5. [//]: # (are permitted in any medium without royalty provided the copyright)
  6. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  7. [//]: # (without any warranty.)
  9. # Changelog
  10. All notable changes to this project will be documented in this file.
  12. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
  13. and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
  16. ## [Unreleased]
  18. ### Added
  19. - Wildcard certificates are now supported. In the file name, the `*` is replaced by `_`.
  21. ### Fixed
  22. - In the directory, the `externalAccountRequired` field is now a boolean instead of a string.
  24. ## [0.6.1] - 2019-09-13
  26. ### Fixed
  27. - A race condition when requesting multiple certificates on the same non-existent account has been fixed.
  28. - The `foregroung` option has been renamed `foreground`.
  31. ## [0.6.0] - 2019-06-05
  33. ### Added
  34. - Hooks now have the optional `allow_failure` field.
  35. - In hooks, the `stdin_str` has been added in replacement of the previous `stdin` behavior.
  36. - HTTPS request rate limits.
  38. ### Changed
  39. - Certificates are renewed in parallel.
  40. - Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
  41. - In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input.
  42. - The logging format has been re-written.
  44. ### Fixed
  45. - The http-01-echo hook now correctly sets the file's access rights
  48. ## [0.5.0] - 2019-05-09
  50. ### Added
  51. - ACMEd now displays a warning when the server indicates an error in an order or an authorization.
  52. - A configuration file can now include several other files.
  53. - Hooks have access to environment variables.
  54. - In the configuration, the global section, certificates and domains can define environment variables for the hooks.
  55. - tacd is now able to listen on a unix socket.
  58. ## [0.4.0] - 2019-05-08
  60. ### Added
  61. - Man pages.
  62. - The project can now be built and installed using `make`.
  63. - The post-operation hooks now have access to the `is_success` template variable.
  64. - Challenge hooks now have the `is_clean_hook` template variable.
  65. - An existing certificate will be renewed if more domains have been added in the configuration.
  67. ### Changed
  68. - Unknown configuration fields are no longer tolerated.
  70. ### Removed
  71. - In challenge hooks, the `algorithm` template variable has been removed.
  73. ### Fixed
  74. - In some cases, ACMEd was unable to parse a certificate's expiration date.
  77. ## [0.3.0] - 2019-04-30
  79. ### Added
  80. - tacd, the TLS-ALPN-01 validation daemon.
  81. - An account object has been added in the configuration.
  82. - In the configuration, hooks now have a mandatory `type` variable.
  83. - It is now possible to declare hooks to clean after the challenge validation hooks.
  84. - The CLI `--root-cert` option has been added.
  85. - Failure recovery: HTTPS requests rejected by the server that are recoverable, like the badNonce error, are now retried several times before being considered a hard failure.
  86. - The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook.
  88. ### Changed
  89. - In the configuration, the `email` certificate field has been replaced by the `account` field which matches an account object.
  90. - The format of the `domain` configuration variable has changed and now includes the challenge type.
  91. - The `token` challenge hook variable has been renamed `file_name`.
  92. - The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables has been replaced by `hooks`.
  93. - The logs has been purged from many useless debug and trace entries.
  95. ### Removed
  96. - The DER storage format has been removed.
  97. - The `challenge` certificate variables has been removed.
  100. ## [0.2.1] - 2019-03-30
  102. ### Changed
  103. - The bug that prevented from requesting more than two certificates has been fixed.
  106. ## [0.2.0] - 2019-03-27
  108. ### Added
  109. - The `kp_reuse` flag allow to reuse a key pair instead of creating a new one at each renewal.
  110. - It is now possible to define hook groups that can reference either hooks or other hook groups.
  111. - Hooks can be defined when before and after a file is created or edited (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`).
  112. - It is now possible to send logs either to syslog or stderr using the `--to-syslog` and `--to-stderr` arguments.
  114. ### Changed
  115. - `post_operation_hook` has been renamed `post_operation_hooks`.
  116. - By default, logs are now sent to syslog instead of stderr.
  117. - The process is now daemonized by default. It is possible to still run it in the foreground using the `--foregroung` flag.