Tags: letsencrypt/pebble
add overriding of ARI response (#501)

Fixes #486

This moves the GetCertificateBySerial call earlier, which means that call needs to succeed even for revoked certificates. So this also follows up on #252 by keeping revoked certs in the primary certificatesByID map (while still adding them to the revokedCertificatesByID map).
Document exposing API and management ports when not using docker-compose.yaml (#465)

#444 removed exposing the API and management ports directly in the `Dockerfile` in favor of the `docker-compose.yml`. Not everyone will be using `docker compose` so let's document how it should be done.

Fixes #452
Require HS256, HS384, or HS512 for EAB (#459)

During the go-jose/v4 upgrade, I accidentally required the same signature sets for EAB as for the account keys, which is incorrect. This allows the correct MAC-based algorithms. It drops the custom algorithm checks, which are now unreachable as go-jose will enforce the algorithms.

This also adds a new EAB key to Pebble's test config which explicitly has base64url characters, from #428

Fixes #455

Co-authored-by: Folke Gleumes <folke@gleumes.org>
CI: Travis -> GitHub Actions; Create Release Binaries and Container Images (#444)

As a follow-on to #439 this change request implements the first step of building a new CI system for Pebble. As this is a testbed environment for Boulder, some of these changes may prove to be useful in the latter context. Per #434 (comment), GitHub Actions is a reasonable choice for a new CI implementation to supersede Travis. Much, but not all, of the existing functionality is present in this initial set of changes.

Items currently implemented include:
- Binary production of `pebble` and `challtestsrv` for platforms:
  - AMD64
    - darwin
    - linux
    - windows
  - ARM64
    - darwin
    - linux
    - windows
- Multiplatform docker images published on the GitHub Container Registry for platforms:
  - linux/amd64
  - linux/arm64
  - windows/amd64
- Golang linting.
- Golang coverage.
- Local test scripts for Go and Docker:
  - `./build.sh`
  - `./docker.sh`
  - `./test.sh`

This PR also adds a `-version` flag to Pebble, which is set during release build to the Git commit ref.

This change builds on earlier work done in #379 and #442.
Pebble v2.3.1

Features:
* Add CORS support to the frontend
* Add ability to control the length of Pebble's issuance chains (i.e. add or remove intermediates between the root and the end-entity certificate).
* Add support for honoring NotBefore/NotAfter in issuance requests.

Fixes:
* Seed PRNG with current time to prevent predictable nonce rejection patterns.

Our heartfelt thanks to @ldez, @alexzorin, @szepeviktor, @cpu, and @meyskens for their contributions to this release.
Pebble v2.3.0

Features:
* Added an ACME account "orders list" endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
* Updated pebble-challtestsrv with an API for mocking DNS `SERVFAIL` responses for a hostname.
* Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.

Bug-fixes:
* The `pebble-challtestsrv`'s mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
* Changed `PEBBLE_ALTERNATE_ROOTS` intermediate certificates to have the same subject, matching the issuer of the issued leaf certificates.
* Fixed key rollover request handling for requests that fail inner JWS verification.
* Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a `badCSR` type problem. See RFC 8555 §11.1.
* Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
* Added support for POST-as-GET requests in addition to GET/HEAD for directory and newNonce endpoints. See RFC §6.3
* Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g. `443`).

Misc:
* A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
* The Pebble ACME API and management API ports (`14000` and `15000`) are now marked exposed in Dockerfile metadata.
* TLS 1.3 for Pebble's validation requests is explicitly enabled by env var in the Docker environment.
* The project and CI now use Go 1.13 and `golangci-lint` v1.21.0

New configuration options:
* The `PEBBLE_WFE_ORDERS_PER_PAGE` env var can be used to control the account orders list endpoint's pagination. By default up to 15 order URLs are returned per response.
* The `"externalAccountBindingRequired"` config file boolean field can be used to control whether all `newAccount` requests must use external account binding.
* The `"externalAccountMACKeys"` config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys. See `test/config/pebble-config-external-account-binding.json` for an example.

Heartfelt thanks to @felixfontein, @sergioaugrod, @0pq76r, @Drakezul, @JoshVanL and @munnerz for their contributions to this release.
Pebble v2.2.2

Bug-fixes:
* fix TLS-ALPN-01 with custom -dnsserver (thanks @adferrand)

Misc:
* updated project .gitignore (thanks @eggsampler)