Let's Encrypt suggests in the integration guide, that for spacing out
renewals after issueing a lot of new certificates in a batch, you renew
a few of them a bit early until it's evened out. This adds a config
option that allows to set a timeframe in which early random delays are
attempted.
* the former /var/run is depreciated -> using /run
* update rust build scripts sources to use the new path
* update CHANGELOG to reflect the changes
Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
Those directories were located in /etc/acmed/, which is not the best
choice. According to the Filesystem Hierarchy Standard, they should be
located in /var/lib/acmed/.
Because systems may have different conventions, those values are now
configuration at build time.
https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
Being able to define root certificates in the command line is not enough
for two reasons:
1. It is always global, you cannot define a root certificate for a
specific endpoint.
2. Daemon scripts and unit files are not meant to be changed every time
you need to add a root certificate.
For those reasons, it is now to possible to define root certificates in
the configuration. Those defined in the `global` section will be used on
every endpoint, just like those added via the command line. Those
defined in an endpoint will be used in this endpoint only.
RFC 8555 states that:
- when an account is successfully created, the server "returns this
account object" (section 7.3);
- the `orders` field in account objects is mandatory (section 7.1.2).
Despite that, Boulder does not returns the `orders` field when an
account is created. This non-standard behavior prevented ACMEd from
creating account and testing them for existence.
In order to allow ACMEd to retrieve certificates from CAs using Boulder,
the `orders` field is no longer mandatory and the account existence is
tested when the order is requested.
https://github.com/letsencrypt/boulder/issues/3335
Until now, the account management was archaic and it was impossible to
improve it without this heavy refactoring. Accounts are now disjoint
from both certificates and endpoints. They have their own hooks and
their own environment variables. They are stored in a binary file
instead of the PEM exports of the private and public keys.
This refactoring will allow account management to evolve into something
more serious, with real key rollover, contact information update and so
on.