summaryrefslogtreecommitdiff
path: root/usr.sbin/acme-client
AgeCommit message (Collapse)Author
2021-12-13Let dnsproc pass multiple addresses to netprocJeremie Courreges-Anglas
The loop was exited prematurely because of a stray break statement. In case of a failure to connect to the first address returned by getaddrinfo(3), acme-client can now try to connect using another address or address family if available. ok florian@
2021-11-22acme-client: use BIO_number_written(bio) instead of bio->num_write.Theo Buehler
Avoid awkward line wrapping by removing awkward else if chaining. ok claudio florian
2021-11-18acme-client: use EVP_PKEY_base_id()Theo Buehler
In an upcoming libcrypto bump, EVP_PKEY will become opaque. In order to stop reaching inside EVP_PKEY, we must replace EVP_PKEY_type(pkey->type) with the equivalent EVP_PKEY_base_Id(pkey) in various places. ok florian
2021-10-15Don't declare variables as "unsigned char *" that are passed toChristian Weisgerber
functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@
2021-10-13acme-client: stop reaching into X509Theo Buehler
Prepare for an upcoming change in libcrypto and retrieve the stack of extensions via X509_get0_extensions(). Simplify the for loop by relying on the fact that empty or NULL stacks have an sk_num() of 0 and -1, respectively, so the loop won't be entered and the extsz dance is unnecessary. ok florian
2021-09-17Fix subjectAlternativeName (SAN) generation for CSRs. CA/B Forum baselineStuart Henderson
requirements require that it's used in certificates so it makes sense to generate a CSR compliant with this, additionally it replaces rather than adds to the name in the certificate's subject which we weren't handling correctly. Diff from wolf at wolfsden/cz, ok florian@
2021-09-14Add missing void to definition of http_init().Theo Buehler
ok deraadt florian
2021-08-24fix outdated comments, from Emil Engler, thanks.Sebastian Benoit
2021-07-14Remove unneeded calls to tls_init(3)kn
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre
2021-07-12Change the error reporting pattern throughout the tree when unveilBob Beck
fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
2021-05-13acme-client: use EC_POINT_{get,set}_affine_cooordinates()Theo Buehler
The versions with _GFp() suffix only exist for historical reasons. Now that we have EC_POINT_{get,set}_affine_coordinates(), we should stop using the old ones as they provide no benefit. ok florian
2021-02-12Xr to ssl(8) which has clues about EC key generation that are still usefulStuart Henderson
to acme-client users.
2021-01-11document how to specify multiple alternative names;Jason McIntyre
modified version of diff from wolf on misc, improved by and ok florian benno sthen
2021-01-03Create .1 backup files when acme-client is going to overwrite aFlorian Obser
certificate file. These files are not terribly big and they might become helpful if one re-creates a certificate with additional or removed domains and whishes to revoke the old cert (this part needs a bit of work to make it convenient to do). OK sthen
2021-01-02If acme-client detects an added or removed SAN in the config fileStuart Henderson
compared to the existing certificate on disk, automatically request a new certificate without requiring -F. (Previously the code using -F only coped with added SANs; if one was removed in config then the certificate needed manual removal vefore acme-client would work). Name checks for -r (revocation) are kept as-is for now.
2020-12-24First fulfil all challenges then tell the CA that it should check.Florian Obser
For http-01 this doesn't matter but I think this will be nicer for dns-01 because there are propagation delays to consider and it will be better to just put everything in DNS and then wait then wait after each challenge. Testing & OK sthen
2020-12-19remove extra sTheo Buehler
2020-12-18Add details to -F flagsolene
If you add alternatives domain names to acme-client.conf, using -F is required to renew the certificate with the new names. ok jmc@
2020-11-18Do not check the list of SAN's in the cert when -F is specified to force renewalBob Beck
This allows you to add a SAN DNS name to a cert, and request a forced renewal to get the new name added immediately ok florian@
2020-11-06mention that acme-client generates a 4096-bit or secp384r1 key if the keyStuart Henderson
file doesn't exist; ok florian jmc
2020-11-04Back out last commit.denis
Some devs are not convinced.
2020-11-02acme response challenge location to issue better error codedenis
Notified to me by jmc@ Diff by Matthias Pressfreund <mpfr @ fn de>, thanks
2020-09-14We need to be able to provide contact information to use theFlorian Obser
buypass.com acme api. From Bartosz Kuzma (bartosz.kuzma AT release11.com), thanks! OK beck, deraadt
2020-09-14Relax parsing of pem files a bit. Apparently there are CAs that useFlorian Obser
\r\n line endings. From Bartosz Kuzma (bartosz.kuzma AT release11.com) as part of a larger diff. OK beck
2020-09-14Report what's wrong when account creation fails instead of a genericFlorian Obser
http error. OK beck
2020-06-07whitespaceFlorian Obser
2020-06-07Swap arguments of calloc(3).Florian Obser
While it doesn't matter for calloc, it's easier on the eyes to always list the number of elements first and then the size. From Donovan Watteau ( contrib AT dwatteau.fr), Thanks!
2020-05-16somehow yacc pieces got missed from the "domain name" commit; add them.Stuart Henderson
ok florian@
2020-05-16list example files in FILES with a short description: generally, "ExampleJason McIntyre
configuration file.", but occasionally something else fit better; at the same time, try to make the format for FILES more consistent; original diff from clematis
2020-05-12new sentence, new line;Jason McIntyre
2020-05-10In case the order fails print the human readable reason from theFlorian Obser
challenge objects that the server hopefully provides. input & OK deraadt OK beck, benno
2020-05-10remove noisy and useless debug lineFlorian Obser
2020-05-10Allow to have multiple domain ... {} sextions with the same domainSebastian Benoit
name, by adding a new (optional) config option "domain name". This can be used to create a rsa and an ecdsa key for the same domain name. The old domain name in the 'title' line continues to be used as domain name in the abscence of the domain name argument, i.e. the change is backward compatible with current config files. tested by sthen@ ok florian@ sthen@
2020-04-15Use the new random interval support in cron instead of a random sleep.Todd C. Miller
The random intervals used can be adjusted as needed. OK deraadt@
2020-02-10briefly mention /etc/examples/ in the FILES section of all theIngo Schwarze
manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many
2020-02-07Do not define variables in extern.h since this will lead to duplicateFlorian Obser
definitions in every source file that includes extern.h. From Michael Forney (mforney AT mforney DOT org), thanks! OK jca
2020-01-22use the correct length to allocate the right amount, broken by previous.Ted Unangst
noticed by Matthew Martin ok deraadt
2020-01-22set array length after allocation succeeds so free path doesn't deref null.Ted Unangst
ok deraadt
2020-01-20Remove the tls_close warnx in acme-client. Currently it very often reportsStuart Henderson
a spurious "acme-client: tls_close: EOF without close notify" warning which is plain confusing - it is a warning only, doesn't block anything, but when people have some other failure (network problems, bad acme-challenge path in webserver, etc) they often see this message and think that it's relevant. The libtls warning is there to detect truncation attacks in protocols that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer have methods to do this (Content-Length or chunked transfer encoding); acme-client doesn't check them yet and perhaps should. But that's a separate issue, the warnx doesn't really help with this anyway, and it's unlikely that a truncated json payload would be valid for acme-client parsing anyway. OK florian@ benno@
2019-12-27make -n stop after parsing the config.Sebastian Benoit
make -nv print the parsed configuration, then stop. ok sthen@, seems better deraadt@
2019-11-06Give acme-client a chance to work on IPv6 only hosts by using theFlorian Obser
AI_ADDRCONFIG flag for getaddrinfo to only return addresses for a configured address family. Implementing a loop over all IPs is left as an exercise to the reader. Reported some time ago by kasimov.an AT gmail on bugs@, thanks! oh boy deraadt@ OK benno@
2019-08-12Do not exit with error if the challenge file already exists, instead ↵Sebastian Benoit
truncate it and write the challenge again. We can get asked to supply the same challenge multiple times. bug found and patch tested by jmc@ patch discussed with, mangled and okayed by florian@
2019-08-11In let's encrypt v1 we had to track a challenge for every domain inFlorian Obser
the certificate we were requesting. This is no longer true in v2 and we have to free the amount of challenges the server told us to fullfill. OK benno
2019-07-12According to RFC 8555 we MUST send an User-Agent.Florian Obser
Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno
2019-07-04Use v02 let's encrypt API key as in the example filesolene
ok deraadt@
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-18When the parser detects that it needs more tokens it returnsFlorian Obser
JSMN_ERROR_NOMEM. We then need to allocate more tokens and call the parser with its current state again. It will continue where it left of. For this to work we also need to pass in the old tokens from the previous run and not just more space. Found the hard way by Renaud Allard. OK millert
2019-06-17It's enough to allocate the EC key once.Florian Obser
OK tb
2019-06-17One NULL-check before EVP_MD_CTX_free() was left in previous.Theo Buehler
2019-06-17 Use non-deprecated API; from Renaud Allard, thanks!Florian Obser
OK tb