path: root/usr.sbin/acme-client
Commit message (author, age, files, lines)
* whitespace (florian, 2020-06-07, 1 file, -3/+3)
* Swap arguments of calloc(3). (florian, 2020-06-07, 1 file, -2/+2)
| While it doesn't matter for calloc, it's easier on the eyes to always list the number of elements first and then the size.
| From Donovan Watteau (contrib AT dwatteau.fr), Thanks!
* somehow yacc pieces got missed from the "domain name" commit; add them. (sthen, 2020-05-16, 1 file, -2/+3)
| ok florian@
* list example files in FILES with a short description: generally, "Example configuration file.", but occasionally something else fit better; at the same time, try to make the format for FILES more consistent; original diff from clematis (jmc, 2020-05-16, 1 file, -4/+4)
* new sentence, new line; (jmc, 2020-05-12, 1 file, -3/+4)
* In case the order fails print the human readable reason from the challenge objects that the server hopefully provides. (florian, 2020-05-10, 3 files, -9/+26)
| input & OK deraadt
| OK beck, benno
* remove noisy and useless debug line (florian, 2020-05-10, 1 file, -2/+1)
* Allow to have multiple domain ... {} sections with the same domain name, by adding a new (optional) config option "domain name". (benno, 2020-05-10, 5 files, -22/+48)
| This can be used to create an rsa and an ecdsa key for the same domain name. The old domain name in the 'title' line continues to be used as domain name in the absence of the domain name argument, i.e. the change is backward compatible with current config files.
| tested by sthen@
| ok florian@ sthen@
* Use the new random interval support in cron instead of a random sleep. (millert, 2020-04-15, 1 file, -4/+4)
| The random intervals used can be adjusted as needed.
| OK deraadt@
* briefly mention /etc/examples/ in the FILES section of all the manual pages that document the corresponding configuration files; (schwarze, 2020-02-10, 1 file, -3/+5)
| OK jmc@, and general direction discussed with many
* Do not define variables in extern.h since this will lead to duplicate definitions in every source file that includes extern.h. (florian, 2020-02-07, 2 files, -6/+7)
| From Michael Forney (mforney AT mforney DOT org), thanks!
| OK jca
* use the correct length to allocate the right amount, broken by previous. (tedu, 2020-01-22, 1 file, -2/+2)
| noticed by Matthew Martin
| ok deraadt
* set array length after allocation succeeds so free path doesn't deref null. (tedu, 2020-01-22, 1 file, -2/+3)
| ok deraadt
* Remove the tls_close warnx in acme-client. (sthen, 2020-01-20, 1 file, -5/+1)
| Currently it very often reports a spurious "acme-client: tls_close: EOF without close notify" warning which is plain confusing - it is a warning only, doesn't block anything, but when people have some other failure (network problems, bad acme-challenge path in webserver, etc) they often see this message and think that it's relevant.
| The libtls warning is there to detect truncation attacks in protocols that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer have methods to do this (Content-Length or chunked transfer encoding); acme-client doesn't check them yet and perhaps should. But that's a separate issue, the warnx doesn't really help with this anyway, and it's unlikely that a truncated json payload would be valid for acme-client parsing anyway.
| OK florian@ benno@
* make -n stop after parsing the config. (benno, 2019-12-27, 1 file, -3/+7)
| make -nv print the parsed configuration, then stop.
| ok sthen@, seems better deraadt@
* Give acme-client a chance to work on IPv6 only hosts by using the AI_ADDRCONFIG flag for getaddrinfo to only return addresses for a configured address family. (florian, 2019-11-06, 1 file, -2/+2)
| Implementing a loop over all IPs is left as an exercise to the reader.
| Reported some time ago by kasimov.an AT gmail on bugs@, thanks!
| oh boy deraadt@
| OK benno@
* Do not exit with error if the challenge file already exists, instead truncate it and write the challenge again. (benno, 2019-08-12, 1 file, -2/+2)
| We can get asked to supply the same challenge multiple times.
| bug found and patch tested by jmc@
| patch discussed with, mangled and okayed by florian@
* In let's encrypt v1 we had to track a challenge for every domain in the certificate we were requesting. (florian, 2019-08-11, 1 file, -2/+2)
| This is no longer true in v2 and we have to free the amount of challenges the server told us to fulfill.
| OK benno
* According to RFC 8555 we MUST send a User-Agent. (florian, 2019-07-12, 1 file, -1/+4)
| Pointed out and diff by Wolf, thanks!
| Tweaked by me.
| OK benno
* Use v02 let's encrypt API key as in the example file (solene, 2019-07-04, 1 file, -3/+3)
| ok deraadt@
* When system calls indicate an error they return -1, not some arbitrary value < 0. (deraadt, 2019-06-28, 2 files, -12/+12)
| errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* When the parser detects that it needs more tokens it returns JSMN_ERROR_NOMEM. (florian, 2019-06-18, 1 file, -8/+12)
| We then need to allocate more tokens and call the parser with its current state again. It will continue where it left off. For this to work we also need to pass in the old tokens from the previous run and not just more space.
| Found the hard way by Renaud Allard.
| OK millert
* It's enough to allocate the EC key once. (florian, 2019-06-17, 1 file, -6/+3)
| OK tb
* One NULL-check before EVP_MD_CTX_free() was left in previous. (tb, 2019-06-17, 1 file, -4/+2)
* Use non-deprecated API; from Renaud Allard, thanks! (florian, 2019-06-17, 1 file, -9/+7)
| OK tb
* Implement elliptic curve account keys. (florian, 2019-06-17, 7 files, -39/+259)
| OK benno
| Input & OK tb
* s/get1/get0/ in comments (florian, 2019-06-17, 1 file, -3/+3)
* Trade unveil(2) for chroot(2). (florian, 2019-06-16, 5 files, -91/+70)
| This uses less code and unveil(2) seems to be the better tool here. The directory one chroots into needs to be carefully set up (they are not) and common wisdom is that root can break out of chroots. There is probably nothing wrong with the chroot code because of pledge but it still makes me feel uneasy.
| input & OK on previous version mestre
| OK on previous version deraadt
| bug found, input & OK benno
* Do not leak rsa keys; nobody is messing with the reference behind our back so there is no need to get a copy. (florian, 2019-06-16, 1 file, -3/+3)
| Clue & probably OK tb
* acctkey indirection is unnecessary, just pass authority->account (florian, 2019-06-16, 1 file, -5/+2)
* Remove bugs section. (florian, 2019-06-15, 1 file, -9/+2)
| It is misleading to call (parts of) acme-client staying root a bug.
| Discussed with deraadt@
| Non-RSA account keys are (probably) coming, so remove that as well while here.
* Now that we have different key types (rsa and ecdsa) we probably should do something if the key type on disk differs from the configured keytype. (florian, 2019-06-15, 1 file, -1/+2)
| Mark this XXX for now.
* Print domain key type in config test mode (-n). (florian, 2019-06-15, 1 file, -2/+17)
* Track key type (RSA or ECDSA) in an enum and clean up a bit while here. (florian, 2019-06-14, 5 files, -37/+35)
| Originally from Renaud Allard following input from benno, tweaked by me.
| OK benno
* tweak previous; (jmc, 2019-06-12, 1 file, -2/+7)
* these were moved to key.[ch] in previous commit (gilles, 2019-06-12, 2 files, -0/+0)
* use acme-client to sign certificates with ecdsa keys (gilles, 2019-06-12, 12 files, -132/+229)
| diff from Renaud Allard <renaud@allard.it>, ok to get in from florian@
* remove unused variable (florian, 2019-06-08, 1 file, -3/+2)
* Remove A and D flag, they are superfluous. (florian, 2019-06-08, 7 files, -69/+35)
| One could always use them on the command line and acme-client would do the right thing.
* Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API. (florian, 2019-06-07, 9 files, -443/+576)
| With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory
| Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs.
| Tested by Renaud Allard and benno
| Input & OK benno
* repair confusing "} if"; from florian@ (naddy, 2019-04-01, 1 file, -3/+5)
* remove free() before exit() from main(), in ongoing work to make things more readable. (benno, 2019-03-09, 1 file, -22/+1)
| otto notes that free() does some checks, but in this case readability is better than complete cleanup.
| ok florian@ deraadt@
* use temporary strings for calls to basename(), because it may change the contents of its argument (on other platforms). (benno, 2019-03-09, 1 file, -13/+20)
| Also strdup() the result, because basename returns a pointer to static memory.
| ok florian@
* fix dirname usage in acme-client: dirname() can modify its argument (it does not on OpenBSD) so we need to use a copy of the string. (benno, 2019-03-08, 1 file, -16/+20)
| In addition, copy the result of dirname() as well, because it's static storage and if we call dirname() again it will be overwritten.
| Original problem noted and fix suggested by Wolf (wolf AT wolfsden DOT cz)
| ok florian@
* According to RFC 7230 Section 3.2 header field names are case-insensitive. (florian, 2019-03-04, 1 file, -4/+3)
| Pointed out by "Wolf" (wolf at wolfsden.cz), thanks!
| OK benno
* (unsigned) means (unsigned int) which on ptrdiff_t or size_t or other larger types really is a range reduction... (deraadt, 2019-02-13, 1 file, -3/+3)
| Almost any cast to (unsigned) is a bug.
| ok millert tb benno
* flesh this page out a bit to (hopefully) make it more helpful; (jmc, 2019-02-03, 1 file, -47/+69)
| sthen suggested adding a random sleep (like we do with spamd) for the example cron job;
| help/ok sthen benno florian
* fix comments and clean up whitespace (benno, 2019-02-01, 1 file, -38/+12)
| ok florian@
* if not all challenges were validated, retry again. (benno, 2019-02-01, 1 file, -14/+25)
| Found and fix suggested by "Thomas L.", tom AT longshine AT web DOT de, Thanks!
| ok florian@
* make struct chng.status an enum for readability. (benno, 2019-01-31, 3 files, -14/+20)
| ok florian@