path: root/usr.sbin/acme-client

Commit message (author, date, files changed, lines -/+)
* Xr to ssl(8) which has clues about EC key generation that are still useful
  to acme-client users.
  (sthen, 2021-02-12, 1 file, -3/+4)

* document how to specify multiple alternative names;
  modified version of diff from wolf on misc, improved by and ok florian benno sthen
  (jmc, 2021-01-11, 1 file, -3/+5)

* Create .1 backup files when acme-client is going to overwrite a
  certificate file. These files are not terribly big and they might become
  helpful if one re-creates a certificate with additional or removed domains
  and wishes to revoke the old cert (this part needs a bit of work to make it
  convenient to do). OK sthen
  (florian, 2021-01-03, 2 files, -3/+31)

* If acme-client detects an added or removed SAN in the config file
  compared to the existing certificate on disk, automatically request a new
  certificate without requiring -F. (Previously the code using -F only coped
  with added SANs; if one was removed in config then the certificate needed
  manual removal before acme-client would work). Name checks for -r
  (revocation) are kept as-is for now.
  (sthen, 2021-01-02, 2 files, -16/+26)

* First fulfil all challenges then tell the CA that it should check.
  For http-01 this doesn't matter but I think this will be nicer for dns-01
  because there are propagation delays to consider and it will be better to
  just put everything in DNS and then wait, rather than wait after each
  challenge. Testing & OK sthen
  (florian, 2020-12-24, 1 file, -2/+7)

* remove extra st
  (tb, 2020-12-19, 1 file, -3/+3)

* Add details to -F flag
  If you add alternative domain names to acme-client.conf, using -F is
  required to renew the certificate with the new names. ok jmc@
  (solene, 2020-12-18, 1 file, -2/+5)

* Do not check the list of SANs in the cert when -F is specified to force renewal
  This allows you to add a SAN DNS name to a cert, and request a forced
  renewal to get the new name added immediately. ok florian@
  (beck, 2020-11-18, 1 file, -2/+2)

* mention that acme-client generates a 4096-bit or secp384r1 key if the key
  file doesn't exist; ok florian jmc
  (sthen, 2020-11-06, 1 file, -2/+8)

* Back out last commit.
  Some devs are not convinced.
  (denis, 2020-11-04, 1 file, -3/+3)

* acme response challenge location to issue better error code
  Notified to me by jmc@. Diff by Matthias Pressfreund <mpfr @ fn de>, thanks
  (denis, 2020-11-02, 1 file, -3/+3)

* We need to be able to provide contact information to use the
  buypass.com acme api. From Bartosz Kuzma (bartosz.kuzma AT release11.com),
  thanks! OK beck, deraadt
  (florian, 2020-09-14, 6 files, -17/+44)

* Relax parsing of pem files a bit. Apparently there are CAs that use
  \r\n line endings. From Bartosz Kuzma (bartosz.kuzma AT release11.com) as
  part of a larger diff. OK beck
  (florian, 2020-09-14, 1 file, -5/+12)

* Report what's wrong when account creation fails instead of a generic
  http error. OK beck
  (florian, 2020-09-14, 3 files, -6/+19)

* whitespace
  (florian, 2020-06-07, 1 file, -3/+3)

* Swap arguments of calloc(3).
  While it doesn't matter for calloc, it's easier on the eyes to always list
  the number of elements first and then the size. From Donovan Watteau
  (contrib AT dwatteau.fr), Thanks!
  (florian, 2020-06-07, 1 file, -2/+2)

* somehow yacc pieces got missed from the "domain name" commit; add them.
  ok florian@
  (sthen, 2020-05-16, 1 file, -2/+3)

* list example files in FILES with a short description: generally, "Example
  configuration file.", but occasionally something else fit better; at the
  same time, try to make the format for FILES more consistent; original diff
  from clematis
  (jmc, 2020-05-16, 1 file, -4/+4)

* new sentence, new line;
  (jmc, 2020-05-12, 1 file, -3/+4)

* In case the order fails print the human readable reason from the
  challenge objects that the server hopefully provides. input & OK deraadt
  OK beck, benno
  (florian, 2020-05-10, 3 files, -9/+26)

* remove noisy and useless debug line
  (florian, 2020-05-10, 1 file, -2/+1)

* Allow to have multiple domain ... {} sections with the same domain
  name, by adding a new (optional) config option "domain name". This can be
  used to create an rsa and an ecdsa key for the same domain name. The old
  domain name in the 'title' line continues to be used as domain name in the
  absence of the domain name argument, i.e. the change is backward compatible
  with current config files. tested by sthen@ ok florian@ sthen@
  (benno, 2020-05-10, 5 files, -22/+48)

* Use the new random interval support in cron instead of a random sleep.
  The random intervals used can be adjusted as needed. OK deraadt@
  (millert, 2020-04-15, 1 file, -4/+4)

* briefly mention /etc/examples/ in the FILES section of all the
  manual pages that document the corresponding configuration files; OK jmc@,
  and general direction discussed with many
  (schwarze, 2020-02-10, 1 file, -3/+5)

* Do not define variables in extern.h since this will lead to duplicate
  definitions in every source file that includes extern.h. From Michael
  Forney (mforney AT mforney DOT org), thanks! OK jca
  (florian, 2020-02-07, 2 files, -6/+7)

* use the correct length to allocate the right amount, broken by previous.
  noticed by Matthew Martin ok deraadt
  (tedu, 2020-01-22, 1 file, -2/+2)

* set array length after allocation succeeds so free path doesn't deref null.
  ok deraadt
  (tedu, 2020-01-22, 1 file, -2/+3)

* Remove the tls_close warnx in acme-client. Currently it very often reports
  a spurious "acme-client: tls_close: EOF without close notify" warning which
  is plain confusing - it is a warning only, doesn't block anything, but when
  people have some other failure (network problems, bad acme-challenge path
  in webserver, etc) they often see this message and think that it's
  relevant. The libtls warning is there to detect truncation attacks in
  protocols that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0
  or newer have methods to do this (Content-Length or chunked transfer
  encoding); acme-client doesn't check them yet and perhaps should. But
  that's a separate issue, the warnx doesn't really help with this anyway,
  and it's unlikely that a truncated json payload would be valid for
  acme-client parsing anyway. OK florian@ benno@
  (sthen, 2020-01-20, 1 file, -5/+1)

* make -n stop after parsing the config.
  make -nv print the parsed configuration, then stop. ok sthen@, seems better
  deraadt@
  (benno, 2019-12-27, 1 file, -3/+7)

* Give acme-client a chance to work on IPv6 only hosts by using the
  AI_ADDRCONFIG flag for getaddrinfo to only return addresses for a
  configured address family. Implementing a loop over all IPs is left as an
  exercise to the reader. Reported some time ago by kasimov.an AT gmail on
  bugs@, thanks! oh boy deraadt@ OK benno@
  (florian, 2019-11-06, 1 file, -2/+2)

* Do not exit with error if the challenge file already exists, instead
  truncate it and write the challenge again. We can get asked to supply the
  same challenge multiple times. bug found and patch tested by jmc@ patch
  discussed with, mangled and okayed by florian@
  (benno, 2019-08-12, 1 file, -2/+2)

* In let's encrypt v1 we had to track a challenge for every domain in
  the certificate we were requesting. This is no longer true in v2 and we
  have to free the amount of challenges the server told us to fulfill. OK
  benno
  (florian, 2019-08-11, 1 file, -2/+2)

* According to RFC 8555 we MUST send a User-Agent.
  Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno
  (florian, 2019-07-12, 1 file, -1/+4)

* Use v02 let's encrypt API key as in the example file
  ok deraadt@
  (solene, 2019-07-04, 1 file, -3/+3)

* When system calls indicate an error they return -1, not some arbitrary
  value < 0. errno is only updated in this case. Change all (most?) callers
  of syscalls to follow this better, and let's see if this strictness helps
  us in the future.
  (deraadt, 2019-06-28, 2 files, -12/+12)

* When the parser detects that it needs more tokens it returns
  JSMN_ERROR_NOMEM. We then need to allocate more tokens and call the parser
  with its current state again. It will continue where it left off. For this
  to work we also need to pass in the old tokens from the previous run and
  not just more space. Found the hard way by Renaud Allard. OK millert
  (florian, 2019-06-18, 1 file, -8/+12)

* It's enough to allocate the EC key once.
  OK tb
  (florian, 2019-06-17, 1 file, -6/+3)

* One NULL-check before EVP_MD_CTX_free() was left in previous.
  (tb, 2019-06-17, 1 file, -4/+2)

* Use non-deprecated API; from Renaud Allard, thanks!
  OK tb
  (florian, 2019-06-17, 1 file, -9/+7)

* Implement elliptic curve account keys.
  OK benno Input & OK tb
  (florian, 2019-06-17, 7 files, -39/+259)

* s/get1/get0/ in comments
  (florian, 2019-06-17, 1 file, -3/+3)

* Trade unveil(2) for chroot(2).
  This uses less code and unveil(2) seems to be the better tool here. The
  directory one chroots into needs to be carefully set up (they are not) and
  common wisdom is that root can break out of chroots. There is probably
  nothing wrong with the chroot code because of pledge but it still makes me
  feel uneasy. input & OK on previous version mestre OK on previous version
  deraadt bug found, input & OK benno
  (florian, 2019-06-16, 5 files, -91/+70)

* Do not leak rsa keys; nobody is messing with the reference behind our
  back so there is no need to get a copy. Clue & probably OK tb
  (florian, 2019-06-16, 1 file, -3/+3)

* acctkey indirection is unnecessary, just pass authority->account
  (florian, 2019-06-16, 1 file, -5/+2)

* Remove bugs section.
  It is misleading to call (parts of) acme-client staying root a bug.
  Discussed with deraadt@ Non-RSA account keys are (probably) coming, so
  remove that as well while here.
  (florian, 2019-06-15, 1 file, -9/+2)

* Now that we have different key types (rsa and ecdsa) we probably
  should do something if the key type on disk differs from the configured
  keytype. Mark this XXX for now.
  (florian, 2019-06-15, 1 file, -1/+2)

* Print domain key type in config test mode (-n).
  (florian, 2019-06-15, 1 file, -2/+17)

* Track key type (RSA or ECDSA) in an enum and clean up a bit while here.
  Originally from Renaud Allard following input from benno, tweaked by me.
  OK benno
  (florian, 2019-06-14, 5 files, -37/+35)

* tweak previous;
  (jmc, 2019-06-12, 1 file, -2/+7)

* these were moved to key.[ch] in previous commit
  (gilles, 2019-06-12, 2 files, -0/+0)