distorted-letsencrypt
bin/make-cert, bin/fix-cert-chain: Hack certificate chains for compatibility.
Mark Wooding [Sat, 2 Oct 2021 10:39:05 +0000 (11:39 +0100)]

Oh, this is a mess.

https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816

Old versions of Android don't recognize the new Let's Encrypt issuer.
So LE deployed a kludge: their certificate chains include a reference to
their old issuer, which /is/ recognized by old Android versions.  But
there's a problem: this issuer /expired/ yesterday, and old versions of
OpenSSL and GnuTLS reject certificate bundles involving expired issuers,
even if (a) the expired certificate is in the cert store, not provided
by the server, and (b) there's a perfectly fine trust path which doesn't
involve the duff certificate.

Introduce a new script `fix-cert-chain' to generally tidy up certificate
chains by (a) deleting duplicate certificates and (b) removing
certificates from `bad' issuers.

dehydrated-config.sh: Set contact email address.
Mark Wooding [Wed, 4 Mar 2020 12:02:37 +0000 (12:02 +0000)]

bin/setup: Fix now that we use `dehydrated'.
Mark Wooding [Tue, 26 Jun 2018 01:19:01 +0000 (02:19 +0100)]

Inhibit IPv6, in an attempt to prevent `urn:acme:error:badNonce' reports.
Mark Wooding [Fri, 22 Sep 2017 09:39:29 +0000 (10:39 +0100)]

Switch to running dehydrated.
Mark Wooding [Wed, 12 Jul 2017 22:02:16 +0000 (23:02 +0100)]

It's packaged by Debian and seems much less disastrous.  Simplify much
of the machinery.

bin/reissue: Fix swallowing of nonzero exit status.
Mark Wooding [Wed, 12 Jul 2017 22:00:56 +0000 (23:00 +0100)]

bin/: Fix preamble to handle invocation through a symlink.
Mark Wooding [Tue, 23 Feb 2016 10:10:35 +0000 (10:10 +0000)]

This depends on GNU coreutils readlink(1), but I think we can live
with that.

bin/reissue: New script to reissue certificates before they expire.
Mark Wooding [Tue, 23 Feb 2016 09:57:01 +0000 (09:57 +0000)]

bin/setup: Install the necessary Debian packages.
Mark Wooding [Tue, 22 Dec 2015 21:32:14 +0000 (21:32 +0000)]

bin/make-cert, le-root.cert: Actually make certificates.
Mark Wooding [Tue, 22 Dec 2015 21:25:25 +0000 (21:25 +0000)]

Amazingly, it all works.

lib/lib.sh: Sanitize the tag when making a temporary directory.
Mark Wooding [Tue, 22 Dec 2015 21:24:23 +0000 (21:24 +0000)]

The configuration-file reader is terrible and doesn't cope with values
which contain `#'.

bin/setup: The `cert' directory doesn't need to be group-writable.
Mark Wooding [Tue, 22 Dec 2015 21:23:33 +0000 (21:23 +0000)]

The administrator makes directories within it, which should be mode 2775.

lib/lib.sh, bin/make-cert: Fix usage message handling.
Mark Wooding [Tue, 22 Dec 2015 21:22:23 +0000 (21:22 +0000)]

Make the separating space be the script's responsibility.  Actually
include a usage message in `make-cert'.

move more config into the script
Mark Wooding [Tue, 22 Dec 2015 18:39:14 +0000 (18:39 +0000)]

Early commit for testing elsewhere.
Mark Wooding [Mon, 21 Dec 2015 02:45:28 +0000 (02:45 +0000)]