-rw-r--r--Changes5
-rw-r--r--Makefile.PL4
-rw-r--r--lib/App/Acmeman.pm19
-rw-r--r--lib/App/Acmeman/Source/Apache.pm4
4 files changed, 25 insertions, 7 deletions
diff --git a/Changes b/Changes
index 0e02669..4f60bcf 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,8 @@
+3.07 2021-01-12
+
+ - Change bugtracker address.
+ - Change root certificate URL and make it configurable.
+
3.06 2020-06-15
- Improve error reporting
diff --git a/Makefile.PL b/Makefile.PL
index 28bbee2..8ad492a 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -45,6 +45,10 @@ my %makefile_args = (
url => 'git://git.gnu.org.ua/acmeman.git',
web => 'http://git.gnu.org.ua/cgit/acmeman.git/',
},
+ bugtracker => {
+ web => 'https://puszcza.gnu.org.ua/bugs/?group=acmeman',
+ mailto => 'gray+acmeman@gnu.org.ua'
+ }
},
provides => Module::Metadata->provides(version => '1.4',
dir => 'lib')
diff --git a/lib/App/Acmeman.pm b/lib/App/Acmeman.pm
index 65aac4f..cbafc05 100644
--- a/lib/App/Acmeman.pm
+++ b/lib/App/Acmeman.pm
@@ -8,6 +8,7 @@ use Crypt::OpenSSL::RSA;
use Crypt::OpenSSL::X509;
use File::Basename;
use File::Path qw(make_path);
+use File::Spec;
use DateTime::Format::Strptime;
use LWP::UserAgent;
use LWP::Protocol::https;
@@ -24,12 +25,14 @@ use Text::ParseWords;
use App::Acmeman::Log qw(:all :sysexits);
use feature 'state';
-our $VERSION = '3.06';
+our $VERSION = '3.07';
my $progdescr = "manages ACME certificates";
-my $letsencrypt_root_cert_url =
- 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem';
+our $acme_dir = '/etc/ssl/acme';
+our $letsencrypt_root_cert_basename = 'lets-encrypt-root.pem';
+our $letsencrypt_root_cert_url =
+ 'https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem';
sub new {
my $class = shift;
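Review bot: The three variables made into `our` globals here (`$acme_dir`, `$letsencrypt_root_cert_basename`, `$letsencrypt_root_cert_url`) have no comment saying who may override them or which values are acceptable, although the file fetched from the URL is later referenced as `SSLCACertificateFile` in the Apache source. A comment such as `# Overridable by callers: the URL should stay https and the basename must be a bare file name without directory separators.` would state the contract. The default URL names a cross-signed R3 certificate while the on-disk name says `lets-encrypt-root.pem`, which may mislead an operator inspecting the directory.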
@@ -151,6 +154,7 @@ sub host_ns_ok {
foreach my $ip ($self->resolve($host)) {
return 1 if $self->myip($ip);
}
+ error("$host does not resolve to our IP");
return 0
}
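Review bot: The added `error("$host does not resolve to our IP")` runs for every name that fails the check, and `collect` already logs `ignoring $k: none of its names resolves to our IP` when all of them fail, so one misconfigured host with several aliases now produces a run of error-level lines for a single cause. The same text is also logged when `resolve` returns no addresses at all, which is a lookup failure rather than a host pointing elsewhere. It would help to distinguish the two cases in the message, for example `error("$host: no addresses found")` when the loop never ran. The body of `host_ns_ok` starts outside the hunk.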
@@ -203,7 +207,8 @@ sub setup {
$self->prep_dir($self->cf->get(qw(core rootdir)).'/file');
- $self->get_root_cert('/etc/ssl/acme/lets-encrypt-x3-cross-signed.pem');
+ $self->get_root_cert(File::Spec->catfile($acme_dir,
+ $letsencrypt_root_cert_basename));
foreach my $src ($self->cf->get(qw(core source))) {
unless ($src->setup(dry_run => $self->dry_run_option,
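Review bot: With a fixed on-disk name, a later change of `$letsencrypt_root_cert_url` no longer changes the path passed to `get_root_cert`, so a host that already has `lets-encrypt-root.pem` may keep using the previously downloaded certificate. `get_root_cert` is not visible here; if it skips the download when the file exists, it would need to re-fetch when the URL changes or the stored certificate has expired. Nothing in this hunk removes the old `lets-encrypt-x3-cross-signed.pem`, so it stays in `$acme_dir`. `setup` begins and ends outside the hunk.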
@@ -228,7 +233,11 @@ sub collect {
|| $self->host_ns_ok($_) }
($k, ($v->{alt} ? @{$v->{alt}} : ()))];
if (@$alt) {
- $k = shift @$alt;
+ my $name = shift @$alt;
+ if ($name ne $k) {
+ error("$k: CN changed to $name, update your configuration");
+ }
+ $k = $name;
$alt = undef unless @$alt;
} else {
error("ignoring $k: none of its names resolves to our IP");
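Review bot: The block that replaces `$k` with the first surviving name has no comment explaining why the CN changes, and the new message only tells the operator to update the configuration. A short comment above `my $name = shift @$alt;` such as `# $k itself was filtered out above; the first name that passed becomes the CN` would make the intent clear. The filter expression that builds `$alt` starts outside the hunk, so this reading should be confirmed against the full statement.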
diff --git a/lib/App/Acmeman/Source/Apache.pm b/lib/App/Acmeman/Source/Apache.pm
index 8497e00..1f5f7ac 100644
--- a/lib/App/Acmeman/Source/Apache.pm
+++ b/lib/App/Acmeman/Source/Apache.pm
@@ -170,7 +170,7 @@ sub setup {
debug(2, "writing $filename");
unless ($args{dry_run}) {
my $challenge_dir = "$www_root/.well-known/acme-challenge";
- my $acme_dir = "/etc/ssl/acme";
+ my $acme_dir = $App::Acmeman::acme_dir;
foreach my $dir ($self->layout->incdir(), $challenge_dir, $acme_dir) {
unless ($self->mkpath($dir)) {
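Review bot: `$App::Acmeman::acme_dir` is read by its fully qualified name, which `use strict` accepts even if App::Acmeman was never loaded, so in that case `$acme_dir` is silently undefined. The directory creation in the following loop and the certificate and private-key paths written into the Apache macro would then be built from an undefined value. Nothing in the hunk shows this module loading App::Acmeman; if it does not, add `require App::Acmeman;` or guard with `defined $App::Acmeman::acme_dir or die "App::Acmeman::acme_dir is not set";`. `setup` begins and ends outside the hunk.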
@@ -207,7 +207,7 @@ sub setup {
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLCertificateFile $acme_dir/\$domain/cert.pem
SSLCertificateKeyFile $acme_dir/\$domain/privkey.pem
- SSLCACertificateFile $acme_dir/lets-encrypt-x3-cross-signed.pem
+ SSLCACertificateFile $acme_dir/$App::Acmeman::letsencrypt_root_cert_basename
</Macro>
<Macro LetsEncryptServer \$domain>
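Review bot: The `SSLCACertificateFile` line interpolates two overridable values unquoted into an Apache directive, so a directory or file name containing whitespace would split the argument and break the generated configuration. Quoting the path would make it robust: `SSLCACertificateFile "$acme_dir/$App::Acmeman::letsencrypt_root_cert_basename"`, and the same applies to the `SSLCertificateFile` and `SSLCertificateKeyFile` lines above it. The path is also joined with a literal `/` here while `App::Acmeman::setup` uses `File::Spec->catfile`; the two should agree so the file written and the file referenced cannot diverge. The heredoc that holds these lines starts outside the hunk.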
