| Commit message | Author | Age | Files | Lines |
| |
While it doesn't matter for calloc, it's easier on the eyes to always
list the number of elements first and then the size.
From Donovan Watteau (contrib AT dwatteau.fr), Thanks!
| |
ok florian@
| |
configuration file.", but occasionally something else fit better; at the
same time, try to make the format for FILES more consistent;
original diff from clematis
| |
challenge objects that the server hopefully provides.
input & OK deraadt
OK beck, benno
| |
name, by adding a new (optional) config option "domain name".
This can be used to create an rsa and an ecdsa key for the same domain
name.
The old domain name in the 'title' line continues to be used as domain
name in the absence of the domain name argument, i.e. the change is
backward compatible with current config files.
tested by sthen@
ok florian@ sthen@
| |
The random intervals used can be adjusted as needed. OK deraadt@
| |
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
| |
definitions in every source file that includes extern.h.
From Michael Forney (mforney AT mforney DOT org), thanks!
OK jca
| |
noticed by Matthew Martin
ok deraadt
| |
ok deraadt
| |
a spurious "acme-client: tls_close: EOF without close notify" warning which
is plain confusing - it is a warning only, doesn't block anything, but when
people have some other failure (network problems, bad acme-challenge
path in webserver, etc) they often see this message and think that it's
relevant.
The libtls warning is there to detect truncation attacks in protocols
that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer
have methods to do this (Content-Length or chunked transfer encoding);
acme-client doesn't check them yet and perhaps should. But that's a separate
issue, the warnx doesn't really help with this anyway, and it's unlikely
that a truncated json payload would be valid for acme-client parsing anyway.
OK florian@ benno@
| |
make -nv print the parsed configuration, then stop.
ok sthen@, seems better deraadt@
| |
AI_ADDRCONFIG flag for getaddrinfo to only return addresses for a
configured address family.
Implementing a loop over all IPs is left as an exercise to the reader.
Reported some time ago by kasimov.an AT gmail on bugs@, thanks!
oh boy deraadt@
OK benno@
| |
write the challenge again. We can get asked to supply the same challenge multiple times.
bug found and patch tested by jmc@
patch discussed with, mangled and okayed by florian@
| |
the certificate we were requesting.
This is no longer true in v2 and we have to free the amount of
challenges the server told us to fulfill.
OK benno
| |
Pointed out and diff by Wolf, thanks!
Tweaked by me.
OK benno
| |
ok deraadt@
| |
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
| |
JSMN_ERROR_NOMEM.
We then need to allocate more tokens and call the parser with its
current state again. It will continue where it left off.
For this to work we also need to pass in the old tokens from the
previous run and not just more space.
Found the hard way by Renaud Allard.
OK millert
| |
OK tb
| |
OK tb
| |
OK benno
Input & OK tb
| |
This uses less code and unveil(2) seems to be the better tool here.
The directory one chroots into needs to be carefully set up (they are
not) and common wisdom is that root can break out of chroots.
There is probably nothing wrong with the chroot code because of pledge
but it still makes me feel uneasy.
input & OK on previous version mestre
OK on previous version deraadt
bug found, input & OK benno
| |
back so there is no need to get a copy.
Clue & probably OK tb
| |
It is misleading to call (parts of) acme-client staying root a bug.
Discussed with deraadt@
Non-RSA account keys are (probably) coming, so remove that as well
while here.
| |
should do something if the key type on disk differs from the
configured keytype.
Mark this XXX for now.
| |
Originally from Renaud Allard following input from benno, tweaked by me.
OK benno
| |
diff from Renaud Allard <renaud@allard.it>, ok to get in from florian@
| |
One could always use them on the command line and acme-client would do
the right thing.
| |
(ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01
API. Users must change the api url in /etc/acme-client.conf to
https://acme-v02.api.letsencrypt.org/directory
Existing accounts (and certs of course) stay valid and after the url
change acme-client will be able to renew certs.
Tested by Renaud Allard and benno
Input & OK benno
| |
things more readable. otto notes that free() does some checks, but
in this case readability is better than complete cleanup.
ok florian@ deraadt@
| |
the contents of its argument (on other platforms). Also strdup() the result,
because basename returns a pointer to static memory.
ok florian@
| |
(it does not on OpenBSD) so we need to use a copy of the string. In
addition, copy the result of dirname() as well, because it's static
storage and if we call dirname() again it will be overwritten.
Original problem noted and fix suggested by Wolf (wolf AT wolfsden DOT
cz)
ok florian@
| |
case-insensitive.
Pointed out by "Wolf" (wolf at wolfsden.cz), thanks!
OK benno
| |
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
| |
sthen suggested adding a random sleep (like we do with spamd) for the
example cron job;
help/ok sthen benno florian
| |
ok florian@
| |
Found and fix suggested by "Thomas L.", tom AT longshine AT web DOT de, Thanks!
ok florian@
| |
ok florian@