Fixes for http-01 stray tokens, dns-01 CNAMEs, contact e-mail format and updates; account security operations; misc #841
base: master
Commits on Apr 12, 2024
Commit def924c
Fixes for stray http01 tokens with *ftp*
FTP_PORT not used by ftp. No code for sftp, davfs, ftpes, or ftps. Needs tests, but at least this won't fall thru to attempting to delete from local file system.
Commit 31168a0
This is useful for debugging; it leaves any tokens in the DNS & records its environment. It's only meaningful for debuggers (and some problem reports which ask for them).
Commit 90ddc4c
Commit 49bb400
Automatically update ACCOUNT_EMAIL (contact) in registration
Also fixes bug that caused previous registrations to be invalid.
Commit 1c6ad12
Implement --new-account-key and --DEACTIVATE-account
RFC operations for account security: --new-account-key replaces the account key with a new one. Can modify the type or size as well. (update .cfg first) Does not affect certificate validity or pending operations. --DEACTIVATE-account permanently deactivates the account on the server. Per RFC, can not be revived. Should not revoke existing certificates. (Server's choice.)
Commit 0d68989
Implement token substitution in ACLs
Idea from srvrco#267. Fixes typos in template domain.cfg.
Commit fe50d15
Commit 6aef05b
Commit 426f557
Relax restriction on dns-01 CNAMEs
It's OK for the target of a CNAME not to include the source domain. It's handy for debug and for system management. But some people prefer a hash. We can handle that.
Commit 80bc3d4
Ensure that --all doesn't run --new-account-key or --DEACTIVATE-account more than once.
Commit e897d17
Avoid domain processing for account-management commands.
Skip everything having to do with domains & certificates when doing --account-id, --new-account-key, --DEACTIVATE-account. This avoids the need to specify a domain name, creating directories, trying to check the remote - and other unnecessary (and sometimes harmful) work. Most of the diffs in this commit are white space.
Commit 78d8d51
Handle multiple contact e-mail addresses
Handle e-mail update with buggy 409 responses from registration. Improve contact parsing by replacing call to json_get, which doesn't seem to handle string array values well. (It's also easier to parse the values at the same time.) No reason to save register response JSON in TEMP_DIR, so don't. Appears to be stale debugging code. Exit after deactivating account.
Commit 94f43ac
Export LC_ALL to solve date (and future) issues
FIXES srvrco#818 (I hope). In srvrco#818, @mslavkov reported that date fails in the BG.UTF-8 locale, but that LC_ALL=C resolved the issue. Since we already export LANG=C, that would seem to indicate that LC_TIME is overriding it. LC_ALL is the safer (stronger) choice.
Commit a0f1b76
Use /etc/services (or local equivalent) to translate port names.
SERVER_TYPE implies a port number (and possibly s_client options). Previously, these were hard-coded, requiring a code change for any new/unique services. Now, /etc/services is used, so every assigned name is available, and new services "just work". The old alias names (and renames) are supported. And the old hardcoded defaults will be used if /etc/services is not available. SERVICES_FILE can be defined to local taste - e.g. on windows, C:\Windows\System32\drivers\etc\services is equivalent.
Commit 26f20c5
Document that service names can be used for SERVER_TYPE.
Also make constant arrays in find_service_port() read-only
Commit ff43afc
Use DOMAIN accounts for account operations. Add some guardrails.
Prompt for confirmation of account deactivation. If a domain is specified, allow its getssl.cfg to specify the account key & type. Don't create an account key for rotation or deactivate if none exists.
Commit c89e578
Make file deletion with ftp use the correct port.
Score 1 for the tests.
Commit d57ca78
Fix curl not using path when deleting challenge tokens
curl isn't changing directory to the specified directory. Make it explicit in the DELE command.
Commit 5750aaa
Fix test failures from curl warnings that --ftp-ssl is insecure
Replaced with --ssl-reqd. Note that --ftp-ssl-reqd is an old alias for --ssl-reqd. --ftp-ssl-reqd is equivalent, but could eventually go away. --ssl-reqd has been supported since curl version 7.20.0 - in 2010 (though a related CVE was fixed in 7.79.0 in 2021...) So this change shouldn't inconvenience any getssl users.
Commit 4f1e240
Apparently centos6 is stuck on curl version 7.19, just before --ssl-reqd turned up in 7.20. Wow! Check curl version and select --ssl-reqd for version 7.20+.
Commit 0cf8fe3
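The curl version gate described in the two commits above, as an added example that is not code from this pull request or from getssl. The function name, the fallback to --ftp-ssl-reqd for curl older than 7.20, and the sample banners are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not getssl's code. Picks the curl option that makes TLS
# mandatory for FTP, based on the first line of `curl --version`.

# Prints the flag for the given version banner. Returns 1 and prints nothing
# when the banner cannot be parsed, so the caller can fail closed instead of
# falling back to an opportunistic (possibly cleartext) transfer.
curl_tls_flag() {
  banner=$1
  # Reduce "curl 7.19.7 (x86_64-...) libcurl/..." to "7 19" (major, minor).
  set -- $(printf '%s\n' "$banner" |
    sed -n '1s/^curl \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ $# -eq 2 ] || return 1
  major=$1
  minor=$2
  if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 20 ]; }; then
    printf '%s\n' "--ssl-reqd"      # current name, curl 7.20.0 and later
  else
    printf '%s\n' "--ftp-ssl-reqd"  # assumed fallback: older alias, same meaning
  fi
}

# Constructed sample banners (not captured from real hosts).
for b in "curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7" \
         "curl 7.20.0 (i686-pc-linux-gnu) libcurl/7.20.0" \
         "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0" \
         "unexpected output"; do
  flag=$(curl_tls_flag "$b") || flag="(unparsed: refuse to transfer)"
  printf '%-55s -> %s\n' "$b" "$flag"
done
```

On a live system the argument would be the output of `curl --version`; a non-zero return should abort the FTP step rather than drop the TLS requirement.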
Add all starttls protocols supported by openssl.
Adds -starttls for all protocols currently documented by openssl s_client (their master branch). Also allows REMOTE_EXTRA in config files to override built-in usage. Reordered extra_cmds to match openssl documentation so it's easier to see when openssl adds new protocols.
Commit f29c91a