ndilieto / uacme Goto Github PK
View Code? Open in Web Editor NEWACMEv2 client written in plain C with minimal dependencies
License: GNU General Public License v3.0
ACMEv2 client written in plain C with minimal dependencies
License: GNU General Public License v3.0
Maybe helpful to add some automated tests of correct functionality, can make pull requests with possible tests that can be used.
Line 39 in 5afdaf0
The externally controlled TOKEN
variable (by the ACME server) is used to construct a path into which an externally controlled value $AUTH
is written. This can be exploited by the ACME server to overwrite arbitrary files with arbitrary content.
Hey @ndilieto, thanks for uacme. I like it.
I wanted to try out master, and found a segfault arising from a null pointer dereference. I bisected to 1809518 and am building it with the following configuration: ./configure --disable-maintainer-mode --with-openssl --disable-docs
(gdb) run -v issue example.com
Starting program: /usr/local/bin/uacme -v issue example.com
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
uacme: version 1.1.2 starting on Sun, 15 Mar 2020 13:00:19 +0000
uacme: loading key from /etc/ssl/uacme/private/key.pem
uacme: loading key from /etc/ssl/uacme/private/example.com/key.pem
uacme: checking existence and expiration of /etc/ssl/uacme/example.com/cert.pem
uacme: /etc/ssl/uacme/example.com/cert.pem does not exist
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7dc08a0 in X509_get0_notAfter ()
from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) bt
#0 0x00007ffff7dc08a0 in X509_get0_notAfter ()
from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#1 0x000055555555ff75 in cert_valid (certdir=0x55555559bf70 "/etc/ssl/uacme/example.com",
names=0x7fffffffeb60, validity=30, status_check=true) at crypto.c:2716
#2 0x000055555555c1bb in main (argc=4, argv=0x7fffffffeb48) at uacme.c:1466
(gdb) break crypto.c:2716
Breakpoint 1 at 0x55555555ff69: file crypto.c, line 2716.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/local/bin/uacme -v issue example.com
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
uacme: version 1.1.2 starting on Sun, 15 Mar 2020 13:01:24 +0000
uacme: loading key from /etc/ssl/uacme/private/key.pem
uacme: loading key from /etc/ssl/uacme/private/example.com/key.pem
uacme: checking existence and expiration of /etc/ssl/uacme/example.com/cert.pem
uacme: /etc/ssl/uacme/example.com/cert.pem does not exist
Breakpoint 1, cert_valid (certdir=0x55555559bf70 "/etc/ssl/uacme/example.com",
names=0x7fffffffeb60, validity=30, status_check=true) at crypto.c:2716
2716 const ASN1_TIME *tm = X509_get0_notAfter(crt[0]);
(gdb) p crt[0]
$1 = (X509 *) 0x0
(gdb) p ncrt
$2 = 32767
I'm not entirely sure where 32767 is coming from, but I assume the expected behavior is for cert_load
to have returned <= 0. Here's a patch for that, which fixed the issue for me:
diff --git a/crypto.c b/crypto.c
index 00488af..71acfa0 100644
--- a/crypto.c
+++ b/crypto.c
@@ -2371,6 +2371,7 @@ static int cert_load(mbedtls_x509_crt **crt, const char *format, ...)
msg(1, "%s does not exist", certfile);
else
warn("cert_load: failed to open %s", certfile);
+ r = 0;
goto out;
}
for (r = 0; r < (int)crt_size; r++) {
Although, you might want to double check that the patch looks good. I see that r's being reused a lot.
Hi
This is less of an issue than a request for help because I could barely find any documentation for getting uacme to work on OpenWrt.
I successfully compiled and installed the uacme package for OpenWrt from its package source at https://github.com/openwrt/packages/tree/master/net/uacme
Then I tried to create a new account:
# uacme -v -c /etc/acme/ new
uacme: version 1.2.1 starting on Wed, 28 Oct 2020 06:28:46 -0700
uacme: created directory /etc/acme//private
uacme: loading key from /etc/acme//private/key.pem
uacme: /etc/acme//private/key.pem not found
uacme: generating new 2048-bit RSA key
uacme: key saved to /etc/acme//private/key.pem
uacme: fetching directory at https://acme-v02.api.letsencrypt.org/directory
uacme: creating new account at https://acme-v02.api.letsencrypt.org/acme/new-acct
uacme: type 'y' to accept the terms at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
y
uacme: account created at https://acme-v02.api.letsencrypt.org/acme/acct/100577813
uacme -v -c /etc/acme/ new
However, open the link https://acme-v02.api.letsencrypt.org/acme/acct/100577813, I got the following error:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}
Could I get any help here?
Thanks!
Wei
Hello ndilieto,
I am trying to build uacme on my router Netgear R7800
which is running busybox on armv7l hardware.
(500 MB ram, and two cores at 1.7 ghz)
I've installed a gcc compiler , and am running the ./configure script.
the script is reporting a error that libcurl dependency cannot be resolved.
<<
checking for pkg-config... /opt/bin/pkg-config
checking pkg-config is at least version 0.28... yes
checking for libcurl >= 7.38.0... no
configure: error: libcurl not found
I have checked if the libcurl i have is meeting this requirement , and
it seems so. Opkg my package manager is listing libcurl as installed.
root@router:/opt/home/frank/uacme$ opkg list-installed | grep libcurl
libcurl - 7.68.0-1
What can i do to make uacme build?
Hi,
would you consider support for an option by which the default "IDENTIFIER" part in determining the storage location for the certificate to be issued can be replaced by a custom, arbitrary value?
While it does probably make not too much sense to have multiple certificates with the same first identifier/common name, it is not strictly invalid and would not work well/at all with the default paths.
I'm in a situation where the actual certificate configuration is outside of my control and I would like to not have to restrict the choice of certificate (subject alternatives) names and at the same time avoid any potential collisions, which I currently do by using a different unique identifier.
PR using "-u" for this: #34
Do you have any plans for supporting ECC certificates?
I have various users on my system that need access to ssl private keys, so I use group ssl-cert for them, but uacme always sets umask such that private/* and key.pem files all end up not group readable. Would be nice if there were an option to allow group reading (setting correct group is handled because I have g+s on private/ in my case)
How do I pass ocsp-must-staple flag to uacme?
I grepped the source code but did not find this flag or the option.
I then looked at go-acme/lego specifically this thinking that I would create a pull request but my C language skills are failing me.
What do you suggest?
Good morning,
I tried installing UACME on my Pi 4 (running Buster). I ran into two installation issues so far when I executed the "./configure --disable-maintainer-mode" command.
According to the GNUTLS installer, version 3.6.7 was installed "Setting up gnutls-bin (3.6.7-4+deb10u6) ..."
Per the UACME installer, "checking for GnuTLS >= 3.3.30... no" followed by "configure: error: gnutls not found"
I must be doing something wrong so I wonder if you could make a suggestion re: GNUTLS or the version of LIBCURL that should be installed as a pre-requisite to installing UACME. I would also like to make the suggestion to reference these and any other packages that must be installed before UACME to make the process easier for newbies like me. Thank you for writing UACME!
Constantin
The feature becomes critical when uacme is dockerized, due to need in secret management and certificate sharing.
Hi, uacme looks very interesting to me but i could not find any information in the docs about the lifecycle of the key, I guess its renewed on renew? If so is it possible to a use or create similar option as certbot uses? ie --reuse-key.
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/build.dir/uacme/src/uacme/build-aux/missing aclocal-1.14
/home/build.dir/uacme/src/uacme/build-aux/missing: line 81: aclocal-1.14: command not found
Missing aclocal-1.14
, but installed aclocal-1.16
Let's Encrypt has pushed ACME Renewal Information (ARI) to production.
ARI basically tells the client when to renew a certificate, whether if it's earlier than usual (when certs need to be revoked) or at a specific time (balancing the load on the CA side).
My request is to support that feature, if possible.
I'm confusing about dependencies and would be glad if you can clarify.
On Ubuntu and Debian the uacme package depends on libcurl4.
I didn't found the debian
folder with control file but apt shows these dependencies:
Depends: libc6 (>= 2.33)
Depends: libcurl3-gnutls (>= 7.38)
Depends: libev4 (>= 1:4.04)
Depends: libgnutls30
So here I see that the libcurl3-gnutls
is used directly by the uacme
e.g. not just libcurl3
which may use a different backend by default.
Also the libgnutls30
is used directly by the uacme
itself and the package was compiled with it. That's fine.
The question is why not use the libcurl4
dependency? As far I understood there is no any libcurl4-gnutls
but it will internally pick up an installed backed library, right?
Update yes, it can be dynamically load an available TPS backend https://curl.se/mail/lib-2017-08/0118.html
The things become more weird for OpenWrt. There the uacme
package uses the libcurl4
(not 3!) which itself depends on WolfSSL as it's now the default library for OpenWrt in last releases. But OpenWrt team working on moving back to MbedTLS.
In the same time the uacme
itself depends on libmbedtls12
. This is understandable but still some OpenWrt based firmwares for routers like Turris and Gl.inet are using just OpenSSL. Maybe for them it would be better to create a separate package like uacme-openssl
.
Another strange thing is that the OpenWrt uacme
package doesn't depend on libev
. In the same time I see that the library is just included into sources. Is it statically linked or something like that?
There is some issue that may be related openwrt/packages#19015
I am using a filesystem which does not support hard links.
So the code like here:
Lines 1180 to 1186 in 7f1ffbd
to backup the current file fails and the cert.pem.tmp
is left at its place, so I've to manually move cert.pem.tmp
to cert.pem
.
Similar for...
Lines 745 to 757 in 7f1ffbd
Is it doable to copy the file to backup when link fails?
Like with code from here: https://stackoverflow.com/questions/2180079/how-can-i-copy-a-file-on-unix-using-c
Hi do you supoort acme auto-discovery by DNS CAA Records lookup, to set the CA server url ??
With my current setup every time it renews cert.pem
is readable only by root
. Default umask
on the system is 0022
In the hook script what must i paste into TXT record?
TOKEN
or AUTH
? Or both?
Sorry if question is very silly.
The README instructs to start with running ./configure, but the latest release tarball does not contain one, requiring it to be generated by the user before compiling. Please update the documentation if this is intentional, or bundle a configure script in the source tarball.
It would be nice to have an option to specify which network interface or IP address should be used for ACME requests. When working with a large deployment which uses many certificates it can be helpful to work with several IP addresses to manage the LE rate limits.
I need to issue a certificate from an ACME server whose TLS certificate is not in /etc/ssl/certs/ca-certificates.crt
, the default CABundle of Alpine Linux. This results in this error message:
uacme: curl_get: GET https://acme.***:8443/directory failed: SSL peer certificate or SSH remote key was not OK
I tried setting CURL_CA_BUNDLE, but that didn't work. Is there a way to set which CA Bundle curl_get
uses? For reasons I don't want to get into adding the CA to the default bundle isn't desired.
uacme.sh
uses /bin/sh
in the shebang which often forces shells such as bash
into compatibility mode which interprets echo -n
as literal output and thus creates an invalid challenge:
uacme: the server reported the following error:
{
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "The key authorization file from the server did not match this challenge \"tt[...]Wuo\" != \"-n tt[...]Wuo\"",
"status": 403
}
above example was produced with
$ /bin/sh --version
GNU bash, version 3.2.57(1)-release (arm64-apple-darwin20)
and the echo
behavior can be checked with
$ /bin/sh -c 'echo -n'
-n
The specs say that servers SHOULD accept challenges with trailing whitespace so the easiest fix is to remove -n
. A more advanced fix would be to first check that -n
is safe and not use it if it's not.
uacme's exit codes aren't ideal for use as a systemd oneshot service:
0 Success
1 Certificate not reissued because it is still current
2 Failure (syntax or usage error; configuration error; processing failure; unexpected error).
By default systemd considers a nonzero exit code as a failure:
https://freedesktop.org/software/systemd/man/systemd.exec.html#id-1.20.4
While systemd has facilities to deal with this like SuccessExitStatus= it's far from ideal, as the status code lookup still shows 1/FAILURE. As exit 1 is the standard failure exit code for libc.
Not sure what the take or philosophy is around this, but have seen other implementations and support for encrypting keys with passwords/password-files, is it something that is within the scope of the project to enable usage of passwords/password-files?
Or perhaps there it is an intentional design-choice.
This is a common way to determine whether or not the program is present. However, uacme returns a failure code, non-zero, from this command and from uacme --help.
I would like to have the hooks run parallel. Our DNS provider is quite slow and a change needs up to 20. min. This adds up pro domain.
You haven't considered that having multiple hooks run in parallel will result in very problematic race conditions, for example multiple hooks changing the same webserver or DNS configuration at once.
Actually I have considered this and noticed the scripts currently can run in parallel. Because multiple certs can contain the same domain.
Hooks would need to implement their own locking mechanism to avoid this.
For http and dns challenges this is not a problem, because it's save to assume that the token/auth is different for each challenge.
For tls-alpn ualpn.c might needs some locking, but I would say it's required anyway.
I ran into an issue recently where running this command:
doas -u acme uacme -v www.domain.com
resulted in the somewhat cryptic message:
uacme: failed to stat www.domain.com: Permission denied
This was a result of running uacme as an unprivileged user while in a directory to which it has no read-access (ie /root
), which then causes this call to fail, since uacme doesn't know whether the single argument is for a CSR file or a domain name.
Would it be possible to check if the stat
error is due to permission denied instead of just a missing file, or alternatively add an additional command-line flag to force uacme to treat the input as a domain name instead of a file? I think it would at least be good to have a better error message, since I assumed it was due to uacme not having access to one of the directories it needed for writing the certificates.
Since commit ae483af, build fails if MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
is not enabled on mbedtls.
We can't enable this option on a system-wide mbedtls library as this would be a security risk. So what should we do (especially on buildroot?), should we disable UALPN with mbedtls?
Hi, this is probably two issues in one ;) I need to automate certificate installation for a large network of decentralized clients with static IP addresses but no domain. I came across RFC 8738, I believe uacme is one of the first ACME clients to support this new standard? Let's Encrypt doesn't support it yet (it's in pebble but not boulder), which CA did you test against?
For now I'm trying to use it with ZeroSSL, which supports ACME and IP certificates, but I'm getting the following authentication error (probably unrelated to RFC 8738):
uacme: version 1.5 starting on Sun, 29 Nov 2020 18:11:04 -0800
uacme: loading key from ./private/key.pem
uacme: fetching directory at https://acme.zerossl.com/v2/DV90
uacme: creating new account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: type 'y' to accept the terms at https://secure.trust-provider.com/repository/docs/Legacy/20181101_CertificateSubscriberAgreement_v_2_1_click.html
y
uacme: failed to create account at https://acme.zerossl.com/v2/DV90/newAccount
uacme: the server reported the following error:
{
"type": "urn:ietf:params:acme:error:externalAccountRequired",
"status": 400,
"detail": "The request must include a value for the \"externalAccountBinding\" field"
}
Is it possible to specify an externalAccountBinding
with uacme? Thanks for thoughts on these issues!
You might be interested to know that I wrote a http-01 challenge hook script that is designed for the case when you don’t need/wanna continuously run a (full-blown) web server (e.g. domain for just OpenVPN, PostgreSQL, …). Read more…
It looks like there's currently a hard dependency on aclocal-1.14
. On archlinux, for example, the only version of automake
available is 1.16, which leads to the following build error:
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /home/halosghost/prj/pkg/uacme-git/src/uacme/build-aux/missing aclocal-1.14
/home/halosghost/prj/pkg/uacme-git/src/uacme/build-aux/missing: line 81: aclocal-1.14: command not found
WARNING: 'aclocal-1.14' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<http://www.gnu.org/software/automake>
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
<http://www.gnu.org/software/autoconf>
<http://www.gnu.org/software/m4/>
<http://www.perl.org/>
make: *** [Makefile:385: aclocal.m4] Error 127
I am not hugely familiar with autotools; is this something that is easy to change so that newer versions of automake
will continue to build uacme?
Hey,
Thanks for maintaining uacme! I'm not sure who's issue this is, but I thought I'd start with uacme as you're probably more knowledgeable of the related specs than a random customer service rep from ZeroSSL.
I'm trying to to refresh a certificate with ZeroSSL that has two names --- the root and a wilcard --- example.com,*.example.com
. Due to some configuration issue, the authorization was cut short yesterday. That is, only a single auth request succeeded -- for the root example.com
. Since then, however, it seems ZeroSSL reuses the authorizations/challenges and considers one out of the two constantly valid
and the other invalid
.
In other words, the initialization returns two auths:
{
"status": "pending",
"expires": "2024-05-04T22:26:35Z",
"identifiers": [
{
"type": "dns",
"value": "example.com"
},
{
"type": "dns",
"value": "*.example.com"
}
],
"authorizations": [
"https://acme.zerossl.com/v2/DV90/authz/ABC",
"https://acme.zerossl.com/v2/DV90/authz/XYZ"
],
"finalize": "https://acme.zerossl.com/v2/DV90/order/FOO/finalize"
}
The first constantly returns valid
. I presume they remember that yesterday this succeeded:
{
"identifier": {
"type": "dns",
"value": "example.com"
},
"status": "valid",
"expires": "2024-03-05T22:26:35Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme.zerossl.com/v2/DV90/chall/XXX",
"status": "valid",
"validated": "2024-02-04T22:26:39Z",
"token": "SNAFU"
}
]
}
The other, the wildcard auth, constantly returns invalid
:
{
"identifier": {
"type": "dns",
"value": "example.com"
},
"status": "invalid",
"expires": "2024-03-05T22:26:35Z",
"challenges": [
{
"type": "dns-01",
"url": "https://acme.zerossl.com/v2/DV90/chall/YYY",
"status": "invalid",
"error": {
},
"token": "SNAFU"
}
],
"wildcard": true
}
While I'm not familiar with the ACME protocol, it seems to be ZeroSSL presumes the second challenge should still be used, even though it's currently with an invalid
status. Uacme, though, bails out after not seeing pending
there and presumes that once the status flips to invalid
, it'll never switch to valid
.
So, any idea who's bug this is?
Thanks!
cat main.cr
`uacme -c /var/lib/uacme/ec -t EC -b 384 -h uacme_hook_knot issue "example.com" "*.example.com"`
cat uacme_hook_knot.cr
pp ARGV
Compile it crystal build ./main.cr
Move binary to server and try to execute
[root@webserver ~]# ./main
uacme: uacme_hook_knot: No such file or directory
[root@webserver ~]# ls -lha /usr/bin/uacme_hook_knot
-rwxr-xr-x 1 root root 331K Jul 31 13:43 /usr/bin/uacme_hook_knot
[root@webserver ~]# uacme_hook_knot 1 2 3 4 5
["1", "2", "3", "4", "5"]
But it works on laptop, where i compile it.
With python i got similar issue.
Upd. Now works with -h /usr/bin/uacme_hook_knot
, but before it doesn't
If I am trying to install like described on the main page, I'll get an error after running ./configure --disable-maintainer-mode
.
[...]
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking for sys/stat.h... (cached) yes
checking for sys/types.h... (cached) yes
checking sys/wait.h usability... yes
checking sys/wait.h presence... yes
checking for sys/wait.h... yes
checking for asprintf... yes
checking for vasprintf... yes
checking for getopt_long... yes
checking for setproctitle... no
checking for pkg-config... no
configure: error: Could not find pkg-config
Hello.
Just found your client, and decided that before using it, it would be interesting to see what clang --analyze would say about it.
Turns out that there are several warnings here (I will join the full log and how to generate it, since clang joins the traces it took to find the warnings):
Here is how I generated that:
clang -D SYSCONFDIR='"/etc/"' -D RUNSTATEDIR='"/var/run"' -I./libev --analyze --analyzer-output text *.c > build.log 2>&1
I have also noticed warnings with a different combination of flags:
assert( condition && "error message" );
instead? It does the same, but I still have to see a compiler whining about it.Of course, several of those warnings have only memory performance impact or are false positives, but I believe fixing most of those would allow an easier to maintain code (shadow declarations, names reserved by the standard,...) or less prone to errors (implicit casts, for example).
Those were generated with:
clang -Wall -Weverything -D SYSCONFDIR='"/etc/"' -D RUNSTATEDIR='"/var/run"' -I./libev *.c > build2.log 2>&1
Of course, this generates linking error too, but that's unimportant considering my goal here.
You will find both the analyzer log (build.log) and the clang complains (build2.log) attached.
I intend to check if I can patch some of those quickly.
When ualpn returns "OK", it also returns exit code 1. Breaking programs that check exit code, and not OK/ERR.
I just came across uacme when finally getting around to move my dns-01 setup across from some ACMEv1-only software. Thanks for writing it - I like the balance of useful features without being over-complex. It seems I picked a good time because nsupdate.sh was added recently - I ran into a few things I needed to change to get that to work for me, I'm happy to split into PRs if you like but I thought I'd discuss here first.
When trying to identify which servers should receive updates, ns_getdomain picks the last two components of the domain name (foo.bar.example.org -> example.org). This is fine for simple "domain.tld" cases with no subdomains, but fails for country TLDs like .uk where many names are registered under .co.uk/.org.uk/.net.uk, or where a zone is delegated privately.
I'm using this instead, which I think should handle all cases, at the expense of another callout to dig:
ns_getdomain()
{
local domain=$1
[ -n "$domain" ] || return
set -- $($DIG +noall +authority "$domain" SOA 2>/dev/null)
echo $1
}
A couple of other smaller things I noticed,
the various calls to dig using the system's default nameserver use -k RNDC_KEY, which fails at least in some situations - should those be dropped and RNDC_KEY just used for nsupdate calls?
there's a bashism ${res//"/} in ns_ispresent but the hashbang line is for /bin/sh (and the other scripts look like plain shell). It could be rewritten like this, or would it be preferable to change to a bash #!?
for NS in $nameservers; do
OLDIFS="${IFS}"
IFS='.'
set -- $($DIG +short "@$NS" "$fqhn" TXT 2>/dev/null)
IFS="${OLDIFS}"
[ "$*" = "$expect" ] || return 1
done
When I run make install
I get this:
config.status: executing depfiles commands
/Library/Developer/CommandLineTools/usr/bin/make install-am
CC ualpn-ualpn.o
ualpn.c:538:10: error: implicit declaration of function 'sem_timedwait' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
rc = sem_timedwait(&g_shm->sem, &ts);
^
ualpn.c:538:10: note: did you mean 'sem_trywait'?
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/semaphore.h:58:5: note: 'sem_trywait' declared here
int sem_trywait(sem_t *);
^
ualpn.c:3628:13: warning: 'sem_destroy' is deprecated [-Wdeprecated-declarations]
sem_destroy(&g_shm->logsem);
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/semaphore.h:53:26: note: 'sem_destroy' has been explicitly marked deprecated here
int sem_destroy(sem_t *) __deprecated;
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/cdefs.h:204:40: note: expanded from macro '__deprecated'
#define __deprecated __attribute__((__deprecated__))
^
ualpn.c:3631:13: warning: 'sem_destroy' is deprecated [-Wdeprecated-declarations]
sem_destroy(&g_shm->sem);
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/semaphore.h:53:26: note: 'sem_destroy' has been explicitly marked deprecated here
int sem_destroy(sem_t *) __deprecated;
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/cdefs.h:204:40: note: expanded from macro '__deprecated'
#define __deprecated __attribute__((__deprecated__))
^
ualpn.c:4653:9: warning: 'sem_init' is deprecated [-Wdeprecated-declarations]
if (sem_init(&g_shm->sem, 1, 1)) {
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/semaphore.h:55:42: note: 'sem_init' has been explicitly marked deprecated here
int sem_init(sem_t *, int, unsigned int) __deprecated;
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/cdefs.h:204:40: note: expanded from macro '__deprecated'
#define __deprecated __attribute__((__deprecated__))
^
ualpn.c:4658:9: warning: 'sem_init' is deprecated [-Wdeprecated-declarations]
if (sem_init(&g_shm->logsem, 1, 1)) {
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/semaphore.h:55:42: note: 'sem_init' has been explicitly marked deprecated here
int sem_init(sem_t *, int, unsigned int) __deprecated;
^
/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/cdefs.h:204:40: note: expanded from macro '__deprecated'
#define __deprecated __attribute__((__deprecated__))
^
4 warnings and 1 error generated.
make[1]: *** [ualpn-ualpn.o] Error 1
make: *** [install] Error 2
asciidoc is a pretty heavy dependency - it pulls in LaTeX on Debian, for example - and there are much simpler ways to generate man pages.
Would you consider my tool, scdoc?
https://git.sr.ht/~sircmpwn/scdoc
It has zero dependencies other than a POSIX system and a C99 compiler.
You may be interested that compiling uacme with gcc v7 and
Using built-in specs. COLLECT_GCC=/opt/local/gcc7/bin/cc COLLECT_LTO_WRAPPER=/opt/local/gcc7/libexec/gcc/x86_64-sun-solaris2.11/7.4.0/lto-wrapper Target: x86_64-sun-solaris2.11
give diagnostic from realloc.
read-file.c:119:14: warning: argument 2 value '18446744073709551615' exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=] if (!(new_buf = realloc (buf, alloc)))
Hello,
I am adapting the sample hook script for Cloudflare API. I notice a possible problem that may cause the script to fail silently.
At the line
Line 126 in 5edec0e
break
is executed if ns_doupdate
returns non-zero code. Then it flows to the lineLine 136 in 5edec0e
$?
is always 0 because previous res=$?
(and [ $res -eq 0 ]
?) itself updates $?
to be 0
.
Finally, the script returns 0
even though ns_doupdate
has failed.
A quick fix is to replace break
with return $res
.
(I do not have a bind server to test the original script. Please let me know if I missed something by mistake.)
with the new update, cross compile doesn't work anymore:
checking for sys/un.h... yes
checking for mmap... yes
checking if mmap(MAP_ANON|MAP_SHARED) works... configure: error: in `/home/build/proxy/build_dir/target-x86_64_musl/uacme-upstream-1.7.5':
configure: error: cannot run test program while cross compiling
See `config.log' for more details
configure:7108: checking for mmap
configure:7108: x86_64-openwrt-linux-musl-gcc -o conftest -Os -pipe -g3 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map
=/home/build/proxy/build_dir/target-x86_64_musl/uacme-upstream-1.7.5=uacme-upstream-1.7.5 -Wformat -Werror=format-security -fstack-p
rotector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -I/home/build/proxy/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/usr/include -
I/home/build/proxy/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/include -I/home/build/proxy/staging_dir/toolchain-x86_64_gcc-12.3.0_
musl/include/fortify -I/home/build/proxy/staging_dir/target-x86_64_musl/usr/include -L/home/build/proxy/staging_dir/toolchain-x86_6
4_gcc-12.3.0_musl/usr/lib -L/home/build/proxy/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/lib -fuse-ld=bfd -znow -zrelro -Wl,--gc-s
ections,--as-needed -L/home/build/proxy/staging_dir/target-x86_64_musl/usr/lib conftest.c -lssl -lcrypto >&5
configure:7108: $? = 0
configure:7108: result: yes
configure:7119: checking if mmap(MAP_ANON|MAP_SHARED) works
configure:7122: error: in `/home/build/proxy/build_dir/target-x86_64_musl/uacme-upstream-1.7.5':
configure:7124: error: cannot run test program while cross compiling
See `config.log' for more details
Hi,
fooling around with uacme and pebble I noticed that account creation always fails. I found that pebble returns the header Content-Type: application/probjem+json; charset=utf-8
in its error replies, which is perfectly valid according to https://tools.ietf.org/html/rfc7231#section-3.1.1.1
Due to using strcasecmp for comparision, this fails on several places, including account creation, which is then wrongly aborted.
I guess the most simple fix would be to just use strncasecmp on those 4 occasions.
Hey all,
I have a smallstep certificate authority set up for in-house ACME provisioning, and am running into issues getting uacme
to work with it. When running the uacme new
command, I get an error saying that the "account does not exist" (see verbose logs below). I am able to create an account and issue a cert using certbot
, so I suspect this is either an issue with uacme
or a combination of uacme
and the smallstep setup.
I really like uacme
and would love to get it working with smallstep, so let me know if there's anything else I can do to help debug. Thanks for writing a great tool!
Log:
# uacme -v -v -v -a https://<DOMAIN>/acme/acme/directory new <EMAIL>
uacme: version 1.0.21 starting on Sat, 01 Feb 2020 14:41:55 +0000
uacme: loading key from /etc/ssl/uacme/private/key.pem
uacme: fetching directory at https://<DOMAIN>/acme/acme/directory
uacme: acme_get: url=https://<DOMAIN>/acme/acme/directory
uacme: acme_get: HTTP headers
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Type: application/json
Replay-Nonce: <NONCE>
Date: Sat, 01 Feb 2020 14:41:55 GMT
Content-Length: 307
uacme: acme_get: HTTP body
{"newNonce":"https://<DOMAIN>/acme/acme/new-nonce","newAccount":"https://<DOMAIN>/acme/acme/new-account","newOrder":"https://<DOMAIN>/acme/acme/new-order","revokeCert":"https://<DOMAIN>/acme/acme/revoke-cert","keyChange":"https://<DOMAIN>/acme/acme/key-change"}
uacme: acme_get: return code 200, json=
{
"newNonce": "https://<DOMAIN>/acme/acme/new-nonce",
"newAccount": "https://<DOMAIN>/acme/acme/new-account",
"newOrder": "https://<DOMAIN>/acme/acme/new-order",
"revokeCert": "https://<DOMAIN>/acme/acme/revoke-cert",
"keyChange": "https://<DOMAIN>/acme/acme/key-change"
}
uacme: fetching new nonce at https://<DOMAIN>/acme/acme/new-nonce
uacme: acme_get: url=https://<DOMAIN>/acme/acme/new-nonce
uacme: acme_get: HTTP headers
HTTP/1.1 204 No Content
Cache-Control: no-store
Replay-Nonce: <NONCE>
Date: Sat, 01 Feb 2020 14:41:55 GMT
uacme: acme_get: HTTP body
uacme: acme_get: return code 204
uacme: creating new account at https://<DOMAIN>/acme/acme/new-account
uacme: acme_post: url=https://<DOMAIN>/acme/acme/new-account payload={"onlyReturnExisting":true} protected={"alg":"RS256","nonce":"<NONCE>","url":"https://<DOMAIN>/acme/acme/new-account","jwk":{"kty":"RSA","n":"<REDACTED>","e":"<REDACTED>"}} jws={"protected":"<REDACTED>","payload":"<REDACTED>","signature":"<REDACTED>"}
uacme: acme_post: HTTP headers:
HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
Cache-Control: no-store
Content-Type: application/problem+json
Link: <https://<DOMAIN>/acme/acme/directory>;rel="index"
Replay-Nonce: <NONCE>
Date: Sat, 01 Feb 2020 14:41:55 GMT
Content-Length: 92
uacme: acme_post: HTTP body:
{"type":"urn:ietf:params:acme:error:accountDoesNotExist","detail":"Account does not exist"}
uacme: acme_post: return code 404, json=
{
"type": "urn:ietf:params:acme:error:accountDoesNotExist",
"detail": "Account does not exist"
}
uacme: failed to create account at https://<DOMAIN>/acme/acme/new-account
uacme: the server reported the following error:
{
"type": "urn:ietf:params:acme:error:accountDoesNotExist",
"detail": "Account does not exist"
}
Hi,
I tried uacme and it gets cert and the key. However, it does not get chain and fullchain as done by certbot.
Can you please add feature or let me know how to do it?
Thanks
Launching ualpn with --daemon option makes it crash with SIGPIPE just before successful exit of the parent process. This results in returning error status to shell, while the actual daemon is started successfully.
I'm not sure why it says this, because curling the directory shows it contains newNonce.
dcunnin@dcunnin:~$ uacme -v -c uacme.d issue fractaldemo.comy
uacme: version 1.0.18 starting on Wed, 04 Dec 2019 18:39:08 +0000
uacme: loading key from uacme.d/private/key.pem
uacme: loading key from uacme.d/private/fractaldemo.com/key.pem
uacme: checking existence and expiration of uacme.d/fractaldemo.com/cert.pem
uacme: uacme.d/fractaldemo.com/cert.pem does not exist
uacme: fetching directory at https://acme-v02.api.letsencrypt.org/directory
uacme: failed to find newNonce URL in directory
dcunnin@dcunnin:~$ curl -i https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200
server: nginx
date: Wed, 04 Dec 2019 18:39:41 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
x-frame-options: DENY
strict-transport-security: max-age=604800
{
"iiOi2bpTbTM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
I was thinking this could be useful for people that have configured their web server to statelessly respond to HTTP challenges. This has limitations but it can be done if the thumbprint of the account key is known. Any thoughts on adding a method for uacme to print the thumbprint of the current account key and then exit or similar?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.