Those directories were located in /etc/acmed/, which is not the best
choice. According to the Filesystem Hierarchy Standard, they should be
located in /var/lib/acmed/.
Because systems may have different conventions, those values are now
configuration at build time.
https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
Being able to define root certificates in the command line is not enough
for two reasons:
1. It is always global, you cannot define a root certificate for a
specific endpoint.
2. Daemon scripts and unit files are not meant to be changed every time
you need to add a root certificate.
For those reasons, it is now to possible to define root certificates in
the configuration. Those defined in the `global` section will be used on
every endpoint, just like those added via the command line. Those
defined in an endpoint will be used in this endpoint only.
RFC 8555 states that:
- when an account is successfully created, the server "returns this
account object" (section 7.3);
- the `orders` field in account objects is mandatory (section 7.1.2).
Despite that, Boulder does not returns the `orders` field when an
account is created. This non-standard behavior prevented ACMEd from
creating account and testing them for existence.
In order to allow ACMEd to retrieve certificates from CAs using Boulder,
the `orders` field is no longer mandatory and the account existence is
tested when the order is requested.
https://github.com/letsencrypt/boulder/issues/3335
Until now, the account management was archaic and it was impossible to
improve it without this heavy refactoring. Accounts are now disjoint
from both certificates and endpoints. They have their own hooks and
their own environment variables. They are stored in a binary file
instead of the PEM exports of the private and public keys.
This refactoring will allow account management to evolve into something
more serious, with real key rollover, contact information update and so
on.
The previous system used a duplicated enum
(`acmed::certificate::Algorithm`) and an imprecise identifier name
(algorithm) for both the certificate configuration and post operation
hook variable. The first one has been replaced by the
`acme_common::crypto::KeyType` enum and the second renames `key_type`.
The previous version of the Makefile used features which are specific to
GNU Make and therefore does not works on BSD systems. This new version,
which is much more simpler, works both on GNU Make and BSD Make (tested
on FreeBSD 12.1).
`reqwest` is a very good crate, however ACMEd does not require most of
its functionalities. For this job, `attohttpc` is also great and comes
with much less dependencies.
rel #1
The previous HTTP back-end was tightly coupled with the threads, which
was very inconvenient. It is now completely decoupled so a new threading
model may be implemented.
The PID file is now always written whether or not ACMEd is running in
the foreground. Previously, it was written only when running in the
background.
Fix#7