~graywolf/acme-client-portable

Add more things to .gitignore
Use macro in tests

That tests the macro support which should work properly now.
Add build manifests

Currently, the tests run on alpine and archlinux.
Add --enable-test-build option to the configure

While libressl is fairly close to the openssl, in a few areas it differs.
They say that for "security reasons". One of the differences is that
SSL_CERT_FILE environment variable is not used automatically.

We do not necessarily want it in a production build, but for the tests
it is very useful. So if the test-build is enabled, try to use it.

On openssl, there are no changes necessary for the test build.
Fix implementation of reallocarray

It was *not* close enough. Sadly, I no longer recall what my original
thinking was. So, let's just not speak of this again.
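The commit above does not say what the compat reallocarray got wrong, so here is an added example (not the project's code) of what the function must guarantee: the element count times element size is checked for size_t wraparound before realloc sees it, using the fast-path-plus-division idiom OpenBSD's reallocarray(3) uses. The names `portable_reallocarray` and `reallocarray_overflow_check` are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, hypothetical replacement for the compat function (not the
 * project's own code). Contract as in OpenBSD reallocarray(3): resize to
 * nmemb * size bytes, failing with ENOMEM instead of silently wrapping
 * when the multiplication overflows size_t. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

void *portable_reallocarray(void *optr, size_t nmemb, size_t size)
{
    /* Fast path: if both factors are below 2^(bits/2) the product cannot
     * overflow, so only larger factors pay for the division test. */
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(optr, size * nmemb);
}

/* Returns 1 if a request whose byte count wraps size_t is rejected with
 * ENOMEM while an honest request still succeeds; 0 otherwise. A naive
 * realloc(optr, nmemb * size) would instead ask for 0 bytes here. */
int reallocarray_overflow_check(void)
{
    size_t huge = SIZE_MAX / 2 + 1;  /* huge * 2 == 2^bits, wraps to 0 */
    errno = 0;
    void *p = portable_reallocarray(NULL, huge, 2);
    if (p != NULL || errno != ENOMEM)
        return 0;
    /* Honest request: 4 elements of 8 bytes must succeed and be writable. */
    p = portable_reallocarray(NULL, 4, 8);
    if (p == NULL)
        return 0;
    memset(p, 0, 4 * 8);
    free(p);
    return 1;
}
```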
Fix checks for HAVE_x

According to the documentation, the defines created are HAVE_x where x
is the function name in upper case. So fix that everywhere.
Port it again on clean OpenBSD version

It looks like I've managed to fuck up the CVS syncing a bit, so files
were not getting updated. Luckily, there is now a git mirror we can use
instead.

So this commit reimplements the port on top of the clean git mirror version.
It also adds some tests and sticks closer to the original code if libressl
is used.
Initial import of openbsd's source code
Add update script

Original syncing from CVS was not working properly (very likely since I
do not know basically anything about CVS), but openbsd now has a github
mirror, so we can use that.

No patch mangling is performed; the build will be done from
/usr.sbin/acme-client. Meaning the original code will not be touched at
all (except the patching necessary).
4c2aee9f — kn@openbsd.org 2 months ago
Remove unneeded calls to tls_init(3)

As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.

Remove explicit tls_init() calls from base to not give the impression of
it being needed.

Feedback tb
OK Tests mestre
Change the error reporting pattern throughout the tree when unveil fails to report the path that the failure occurred on. Suggested by deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@
b91dae65 — tb@openbsd.org 4 months ago
acme-client: use EC_POINT_{get,set}_affine_coordinates()

The versions with _GFp() suffix only exist for historical reasons.
Now that we have EC_POINT_{get,set}_affine_coordinates(), we should
stop using the old ones as they provide no benefit.

ok florian
Xr to ssl(8) which has clues about EC key generation that are still useful to acme-client users.
document how to specify multiple alternative names; modified version of diff from wolf on misc, improved by and ok florian benno sthen
79566901 — florian 8 months ago
Create .1 backup files when acme-client is going to overwrite a certificate file. These files are not terribly big and they might become helpful if one re-creates a certificate with additional or removed domains and wishes to revoke the old cert (this part needs a bit of work to make it convenient to do). OK sthen
If acme-client detects an added or removed SAN in the config file compared to the existing certificate on disk, automatically request a new certificate without requiring -F.

(Previously the code using -F only coped with added SANs; if one was
removed in config then the certificate needed manual removal before
acme-client would work).

Name checks for -r (revocation) are kept as-is for now.
05d34383 — florian 8 months ago
First fulfil all challenges then tell the CA that it should check.

For http-01 this doesn't matter but I think this will be nicer for
dns-01 because there are propagation delays to consider and it will be
better to just put everything in DNS and then wait, rather than wait after
each challenge.

Testing & OK sthen
498c3c6f — tb@openbsd.org 9 months ago
remove extra s
18246e0c — solene 9 months ago
Add details to -F flag

If you add alternative domain names to
acme-client.conf, using -F is required to
renew the certificate with the new names.

ok jmc@
Do not check the list of SANs in the cert when -F is specified to force renewal

This allows you to add a SAN DNS name to a cert, and request a forced renewal
to get the new name added immediately

ok florian@