10 Commits

Author SHA1 Message Date
Michael Tremer
2e63b7128e dehydrated: Keep going if re-issuing one certificate fails
This change will make sure that dehydrated will continue if (re-)issuing
one or more certificates fails.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2023-07-13 14:29:13 +00:00
Adolf Belka
f299e312fa dehydrated: Update to version 0.7.1
- Update from version 0.7.0 to 0.7.1
- Update of rootfile not required
- Changelog
    ## [0.7.1] - 2022-10-31
	## Changed
		- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
		- Added support for EC secp521r1 algorithm (works with e.g. zerossl)
		- `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
	## Fixed
		- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers)
		- Deprecated `egrep` usage has been removed
	## Added
		- Implemented EC for account keys
		- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)
		- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2022-11-19 19:26:21 +00:00
Peter Müller
9a7e4d8506 Switch checksums from MD5 to BLAKE2
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.

While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.

Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.

In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
2022-04-02 14:19:25 +00:00
Peter Müller
66c3619872 Early spring clean: Remove trailing whitespaces, and correct licence headers
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.

There is no need in shipping all these files en bloc, as their
functionality won't change.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2022-02-18 23:54:57 +00:00
Robin Roevens
f15707c78c buildprocess: Add extra metadata to pak lfs files
* Add a Summary and Services field to all pak lfs files
* Replace occurrences of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
  macro in all pak lfs files.

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2022-02-11 15:13:15 +00:00
Adolf Belka
fef289cef7 dehydrated: Update to 0.7.0
- Update dehydrated from 0.6.5 to 0.7.0
- No changes to the rootfiles
- This update patch also addresses bug #12425
	The changes from the interim patch mentioned in bug #12425 are included in this update
- Changes for all releases can be found at https://github.com/dehydrated-io/dehydrated/releases
- Changes for this version update
    Added
	Support for external account bindings
	Special support for ZeroSSL
	Support presets for some CAs instead of requiring URLs
	Allow requesting preferred chain (--preferred-chain)
	Added method to show CAs current terms of service (--display-terms)
	Allow setting path to domains.txt using cli arguments (--domains-txt)
	Added new cli command --cleanupdelete which deletes old files instead of archiving them

    Fixed
	No more silent failures on broken hook-scripts
	Better error-handling with KEEP_GOING enabled
	Check actual order status instead of assuming it's valid
	Don't include keyAuthorization in challenge validation (RFC compliance)

    Changed
	Using EC secp384r1 as default certificate type
	Use JSON.sh to parse JSON
	Use account URL instead of account ID (RFC compliance)
	Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
	Added OCSP_FETCH and OCSP_DAYS to per-certificate configurable options
	Cleanup now also removes dangling symlinks

Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-12-21 16:35:15 +00:00
Michael Tremer
2dc2a27803 lfs: Drop quotes in DEPS variable
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-03-24 08:57:27 +00:00
Michael Tremer
31ba6f6fc9 dehydrated: Fix various syntax errors
* The backup include file was missing a leading slash
which caused no files to be backed up.

* The shell escaping was broken so a new configuration file
was useless.

Fixes: #12297
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-02-17 21:42:04 +00:00
Michael Tremer
edf221cbfc dehydrated: Update to 0.6.5
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2019-12-29 19:15:09 +00:00
Michael Tremer
014b235a06 dehydrated: New package
This is a light client for Let's Encrypt which is implemented
in bash and does not have any other dependencies apart from
openssl and curl.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-11-09 14:29:04 +00:00