summaryrefslogtreecommitdiff
path: root/usr.sbin/acme-client
AgeCommit message (Collapse)Author
2019-07-12According to RFC 8555 we MUST send an User-Agent.Florian Obser
Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno
2019-07-04Use v02 let's encrypt API key as in the example filesolene
ok deraadt@
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-18When the parser detects that it needs more tokens it returnsFlorian Obser
JSMN_ERROR_NOMEM. We then need to allocate more tokens and call the parser with its current state again. It will continue where it left of. For this to work we also need to pass in the old tokens from the previous run and not just more space. Found the hard way by Renaud Allard. OK millert
2019-06-17It's enough to allocate the EC key once.Florian Obser
OK tb
2019-06-17One NULL-check before EVP_MD_CTX_free() was left in previous.Theo Buehler
2019-06-17 Use non-deprecated API; from Renaud Allard, thanks!Florian Obser
OK tb
2019-06-17 Implement elliptic curve account keys.Florian Obser
OK benno Input & OK tb
2019-06-17s/get1/get0/ in commentsFlorian Obser
2019-06-16Trade unveil(2) for chroot(2).Florian Obser
This uses less code and unveil(2) seems to be the better tool here. The directory one chroots into needs to be carefully setup (they are not) and comon wisedom is that root can break out of chroots. There is probably nothing wrong with the chroot code because of pledge but it still makes me feel uneasy. input & OK on previous version mestre OK on previous version deraadt bug found, input & OK benno
2019-06-16 Do not leak rsa keys; nobody is messing with the reference behind ourFlorian Obser
back so there is no need to get a copy. Clue & probably OK tb
2019-06-16acctkey indirection is unnecessary, just pass authority->accountFlorian Obser
2019-06-15Remove bugs section.Florian Obser
It is missleading to call (parts of) acme-client staying root a bug. Discussed with deraadt@ Non-RSA account keys are (probably) coming, so remove that as well while here.
2019-06-15 Now that we have different key types (rsa and ecdsa) we probablyFlorian Obser
should do something if the key type on disk differes from the configured keytype. Mark this XXX for now.
2019-06-15Print domain key type in config test mode (-n).Florian Obser
2019-06-14Track key type (RSA or ECDSA) in an enum and clean up a bit while here.Florian Obser
Originaly from Renaud Allard following input from benno, tweaked by me. OK benno
2019-06-12tweak previous;Jason McIntyre
2019-06-12these were moved to key.[ch] in previous commitGilles Chehade
2019-06-12use acme-client to sign certificated with ecdsa keysGilles Chehade
diff from Renaud Allard <renaud@allard.it>, ok to get in from florian@
2019-06-08remove unused variableFlorian Obser
2019-06-08 Remove A and D flag, they are superfluous.Florian Obser
One could always use them on the command line and acme-client would do the right thing.
2019-06-07Implement RFC 8555 "Automatic Certificate Management EnvironmentFlorian Obser
(ACME)" to be able to talk to the v02 Let's Encrypt API. With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs. Tested by Renaud Allard and benno Input & OK benno
2019-04-01repair confusing "} if"; from florian@Christian Weisgerber
2019-03-09remove free() before exit() from main(), in ongoing work to makeSebastian Benoit
things more readable. otto notes that free() does some checks, but in this case readability is better than complete cleanup. ok florian@ deraadt@
2019-03-09use temporary strings for calls to basename(), because it may changeSebastian Benoit
the contents of its argument (on other platforms). Also strdup() the result, because basename returns a pointer to static memory. ok florian@
2019-03-08fix dirname usage in acme-client: dirname() can modify its argumentSebastian Benoit
(it does not on OpenBSD) so we need to us a copy of the string. In addition, copy the result of dirname() as well, because it's static storage and if we call dirname() again it will be overwritten. Original problem noted and fix suggested by Wolf (wolf AT wolfsden DOT cz) ok florian@
2019-03-04According to RFC 7230 Section 3.2 header field names areFlorian Obser
case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno
2019-02-13(unsigned) means (unsigned int) which on ptrdiff_t or size_t or otherTheo de Raadt
larger types really is a range reduction... Almost any cast to (unsigned) is a bug. ok millert tb benno
2019-02-03flesh this page out a bit to (hopefully) make it more helpful;Jason McIntyre
sthen suggested adding a random sleep (like we do with spamd) for the example cron job; help/ok sthen benno florian
2019-02-01fix comments and clean up whitespaceSebastian Benoit
ok florian@
2019-02-01if not all challenges were validated, retry again.Sebastian Benoit
Found and fix suggested by "Thomas L.", tom AT longshine AT web DOT de, Thanks! ok florian@
2019-01-31make struct chng.status a enum for readability.Sebastian Benoit
ok florian@
2019-01-30consistently talk about domain key; ok bennoJason McIntyre
2019-01-29add an extra check for existing "api ..." line in the config.Sebastian Benoit
move the check of existing "account ..." line from main.c to the parser. ok deraadt@
2019-01-08With the change to httpd the workflow got much simpler.Florian Obser
2019-01-08Remove missleading and outdated examples from man page.Florian Obser
/etc/examples/httpd.conf and /etc/examples/acme-client.conf (comming soon) are better places. Pointed out by & OK deraadt, OK benno
2018-11-29update for libtls default cert changes.Ted Unangst
bonus: this exposed a few missing const qualifiers.
2018-11-06Use TLS_CA_CERT_FILE instead of a separate define.Joel Sing
ok beck@ bluhm@ tb@
2018-11-01- odd condition/test in PF lexerAlexandr Nedvedicky
(and other lexers too) This commit rectifies earlier change: in the lex... even inside quotes, a \ followed by space or tab should expand to space or tab, and a \ followed by newline should be ignored (as a line continuation). compatible with the needs of hoststated (which has the most strict quoted string requirements), and ifstated (where one commonly does line continuations in strings). OK deraadt@, OK millert@
2018-09-07replace malloc()+strlcpy() with strndup() in cmdline_symset().miko
"looks good" gilles@ halex@
2018-08-08In netproc process, unveil to only expose the CA file.Theo de Raadt
ok florian
2018-08-03return is not a function and if (x) -> if (x != NULL)Sebastian Benoit
From Ross L Richardson, thanks ok millert@
2018-08-03fix error messages from earlier syntax changeSebastian Benoit
From Ross L Richardson ok millert@
2018-08-03correct an error message, from Ross L RichardsonSebastian Benoit
ok millert@
2018-08-03document the default in the abscence of a certificate authority.Sebastian Benoit
From Ross L Richardson
2018-08-03Document that domain certificate is optional.Sebastian Benoit
From Ross L Richardson
2018-08-02According to code (and testing), each is optional but at leastSebastian Benoit
one must be present. From Ross L Richardson, thanks ok sthen@
2018-08-02It's an "X.509 certificate" rather than a "TLS certificate".Sebastian Benoit
As pointed out by sthen@, TLS isn't the only possible use. From Ross L Richardson ok shten@
2018-08-02its a X.509 certificate, consistency with acme-client.conf.5Sebastian Benoit
From Ross L Richardson ok sthen@
2018-07-30cleanup initialization of chngdir. inspired by Ross L Richardson.Sebastian Benoit
ok tb@
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-11 11:01:11 +0000