Fixes for http-01 stray tokens, dns-01 CNAMEs, contact e-mail format and updates; account security operations; misc #841

Open · wants to merge 22 commits into base: master

Commits on Apr 12, 2024

  1. def924c
  2. Fixes for stray http01 tokens with *ftp*

    FTP_PORT not used by ftp.
    
    No code for sftp, davfs, ftpes, or ftps.
    
    Needs tests, but at least this won't fall thru to attempting to delete
    from local file system.
    tlhackque committed Apr 12, 2024
    31168a0
  3. Add dns_scripts/dns_nodelete

    This is useful for debugging; it leaves any tokens in the DNS &
    records its environment.
    
    It's only meaningful for debuggers (and for some problem reports,
    which ask for them).
    tlhackque committed Apr 12, 2024
    90ddc4c
  4. Rework dns-01 CNAME handling

    See issue srvrco#840.
    tlhackque committed Apr 12, 2024
    49bb400
  5. Automatically update ACCOUNT_EMAIL (contact) in registration

    Also fixes bug that caused previous registrations to be invalid.
    tlhackque committed Apr 12, 2024
    1c6ad12
  6. Implement --new-account-key and --DEACTIVATE-account

    RFC operations for account security:
    
    --new-account-key replaces the account key with a new one.
      Can modify the type or size as well. (update .cfg first)
      Does not affect certificate validity or pending operations.
    
    --DEACTIVATE-account permanently deactivates the account on
      the server.  Per RFC, can not be revived.  Should not revoke
      existing certificates. (Server's choice.)
    tlhackque committed Apr 12, 2024
    0d68989
  7. Implement token substitution in ACLs

    Idea from srvrco#267
    
    Fixes typos in template domain.cfg
    tlhackque committed Apr 12, 2024
    fe50d15
  8. 6aef05b
  9. 426f557
  10. Relax restriction on dns-01 CNAMEs

    It's OK for the target of a CNAME not to include the source domain.
    
    It's handy for debug and for system management.
    
    But some people prefer a hash.  We can handle that.
    tlhackque committed Apr 12, 2024
    80bc3d4
  11. e897d17
  12. Avoid domain processing for account-management commands.

    Skip everything having to do with domains & certificates
    when doing
    
    --account-id, --new-account-key, --DEACTIVATE-account
    
    This avoids the need to specify a domain name, creating
    directories, trying to check the remote - and other unnecessary
    (and sometimes harmful) work.
    
    Most of the diffs in this commit are white space.
    tlhackque committed Apr 12, 2024
    78d8d51
  13. Handle multiple contact e-mail addresses

    Handle e-mail update with buggy 409 responses from registration.
    
    Improve contact parsing by replacing call to json_get, which
    doesn't seem to handle string array values well.  (It's also
    easier to parse the values at the same time.)
    
    No reason to save register response JSON in TEMP_DIR,
    so don't.  Appears to be stale debugging code.
    
    Exit after deactivating account.
    tlhackque committed Apr 12, 2024
    94f43ac
  14. Export LC_ALL to solve date (and future) issues

    FIXES srvrco#818 (I hope).
    
    In srvrco#818, @mslavkov reported that date fails in the BG.UTF-8 locale, but
    that LC_ALL=C resolved the issue.
    
    Since we already export LANG=C, that would seem to indicate that LC_TIME
    is overriding it.  LC_ALL is the safer (stronger) choice.
    tlhackque committed Apr 12, 2024
    a0f1b76
  15. Use /etc/services (or local equivalent) to translate port names.

    SERVER_TYPE implies a port number (and possibly s_client options).
    
    Previously, these were hard-coded, requiring a code change for any
    new/unique services.
    
    Now, /etc/services is used, so every assigned name is available, and
    new services "just work".
    
    The old alias names (and renames) are supported.  And the old
    hardcoded defaults will be used if /etc/services is not available.
    
    SERVICES_FILE can be defined to local taste - e.g. on windows,
    C:\Windows\System32\drivers\etc\services is equivalent.
    tlhackque committed Apr 12, 2024
    26f20c5
  16. Document that service names can be used for SERVER_TYPE.

    Also make constant arrays in find_service_port() read-only
    tlhackque committed Apr 12, 2024
    ff43afc
  17. Use DOMAIN accounts for account operations. Add some guardrails.

    Prompt for confirmation of account deactivation.
    
    If a domain is specified, allow its getssl.cfg to specify
    the account key & type.
    
    Don't create an account key for rotation or deactivate if
    none exists.
    tlhackque committed Apr 12, 2024
    c89e578
  18. Make file deletion with ftp use the correct port.

    Score 1 for the tests.
    tlhackque committed Apr 12, 2024
    d57ca78
  19. Fix curl not using path when deleting challenge tokens

    curl isn't changing directory to the specified directory.
    
    Make it explicit in the DELE command.
    tlhackque committed Apr 12, 2024
    5750aaa
  20. Fix test failures from curl warnings that --ftp-ssl is insecure

    Replaced with --ssl-reqd.
    
    Note that --ftp-ssl-reqd is an old alias for --ssl-reqd.
    --ftp-ssl-reqd is equivalent, but could eventually go away.
    
    --ssl-reqd has been supported since curl version 7.20.0 - in 2010
    (though a related CVE was fixed in 7.79.0 in 2021...)
    
    So this change shouldn't inconvenience any getssl users.
    tlhackque committed Apr 12, 2024
    4f1e240
  21. FTP test failures on centos6

    Apparently centos6 is stuck on curl version 7.19, just before
    --ssl-reqd turned up in 7.20.  Wow!
    
    Check curl version and select --ssl-reqd for version 7.20+.
    tlhackque committed Apr 12, 2024
    0cf8fe3
  22. Add all starttls protocols supported by openssl.

    Adds -starttls for all protocols currently documented by
    openssl s_client (their master branch).
    
    Also allows REMOTE_EXTRA in config files to override built-in
    usage.
    
    Reordered extra_cmds to match openssl documentation so it's
    easier to see when openssl adds new protocols.
    tlhackque committed Apr 12, 2024
    f29c91a
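The SERVER_TYPE-to-port translation described in commits 15 and 16 (old alias names first, then SERVICES_FILE, then hard-coded defaults when the file is unavailable), as an added POSIX shell example that is not getssl's own find_service_port code; the alias table, the sample services excerpt and the fallback defaults are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not getssl's code: resolve a service name to a TCP port.
# Order: alias table -> SERVICES_FILE -> hard-coded fallback (all assumed).

# Constructed excerpt in /etc/services format so the example runs offline.
# Point SERVICES_FILE at /etc/services (or the Windows equivalent) for real use.
SAMPLE_SERVICES="$(mktemp)"
trap 'rm -f "$SAMPLE_SERVICES"' EXIT
cat >"$SAMPLE_SERVICES" <<'EOF'
# Network services, Internet style (constructed excerpt)
ftp             21/tcp
ssh             22/tcp
smtp            25/tcp          mail
http            80/tcp          www
https           443/tcp
submission      587/tcp
imaps           993/tcp
EOF
SERVICES_FILE="${SERVICES_FILE:-$SAMPLE_SERVICES}"

# Assumed alias table: legacy names mapped to assigned /etc/services names.
service_alias() {
    case "$1" in
        ftpes|ftps) echo ftp ;;
        sftp)       echo ssh ;;
        *)          echo "$1" ;;
    esac
}

# Print the TCP port for a service name; return 1 if it is unknown everywhere.
find_service_port() {
    name="$(service_alias "$1")"
    port=""
    if [ -r "$SERVICES_FILE" ]; then
        # Strip comments, match the name as primary name or alias (any field
        # except the port/proto column), and keep only NNN from NNN/tcp.
        port="$(sed 's/#.*//' "$SERVICES_FILE" | awk -v n="$name" '
            { for (i = 1; i <= NF; i++)
                  if (i != 2 && $i == n && $2 ~ /\/tcp$/) {
                      sub(/\/tcp$/, "", $2); print $2; exit } }')"
    fi
    if [ -z "$port" ]; then
        # Hard-coded defaults, used when SERVICES_FILE is missing or unreadable.
        case "$name" in
            ftp) port=21 ;; ssh) port=22 ;; smtp) port=25 ;;
            http) port=80 ;; https) port=443 ;;
        esac
    fi
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}
```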