From 4f691d6fefacf6bc0918944258b6a44b21f95c3f28c2d63787a2889e4401639b Mon Sep 17 00:00:00 2001 From: Daniel Molkentin Date: Wed, 3 Mar 2021 17:15:11 +0000 Subject: [PATCH 1/2] - Clarified new default settings. KEY_ALGO=secp384r1. Please consult README.maintainer for details and how to return to RSA-based certificate issuance. (jsc#ECO-3435, jsc#SLE-15909) - Added a note about ACMEv1 deprecation - Added a note on new ACME providers and the new non-URL provider syntax See README.maintainer for details. OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=69 --- README.maintainer | 58 ++++++++++++++++++++++++++++++++++++++++++++++ dehydrated.changes | 11 +++++++++ dehydrated.spec | 2 +- 3 files changed, 70 insertions(+), 1 deletion(-) diff --git a/README.maintainer b/README.maintainer index 7f5c945..5ac00b7 100644 --- a/README.maintainer +++ b/README.maintainer 
@@ -162,6 +162,64 @@ Limitations & Ceveats Upgrade Notes ============= +v0.7.0 +------ + +Key Algorithm +~~~~~~~~~~~~~ + +If you are upgrading from dehydrated <= 0.6.5, the new default for +new installations changes from + + KEY_ALGO=rsa + +to + + KEY_ALGO=secp384r1 + +This switches the algorithm for newly issued certificates from RSA +to the elliptic curve (EC) based secp384r1 algorithm. While both are +considered sufficiently compatible to current software in public +environments, some software may not yet be compatible with EC algorithms. +In these environments, the KEY_ALGO setting needs to be set to "rsa" +manually. If you are receiving errors about an invalid key length, +comment out the KEYSIZE option. + +Extended use of the CA variable / New ACME providers +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Starting with 0.7.0, dehydrated supports additional, commercial certificate +providers that use the ACME protocol to automatically issue certificates. + +The CA config variable, which so far expected a URL to a ACME API endpoint can +now contain the following shorthand service strings instead, which are +internally converted to the API URLs and hence are equivalent: + +* LetsEncrypt: "letsencrypt" (staging environment: "letsencrypt-test") +* BuyPass: "buypass" (test environment: "buypass-test") +* ZeroSSL: "zerossl" + +LetsEncrypt remains the default provider. If you prefer to use the URL instead, +you can continue to do so. + +Note: ZeroSSL requires additional the options EAB_KID and EAB_HMAC_KEY to be +set. Please consult the ZeroSSL documentation fore more information. + +ACME v1 deprecation +~~~~~~~~~~~~~~~~~~~ + +The upstream project has deprecated ACME v1 in favor of the IETF- +blessed [1] ACME v2 protocol. While dehydrated still supports v1-based +verification flows, future versions might no longer do. 
If you are using a +custom ACME endpoint URL, you can check compliance with the ACME v2 protocol by +consulting your ACME service provider's documentation. Verify by setting API=2 +in the config file and then running "dehydrated --cron". + +[1] https://tools.ietf.org/html/rfc8555 + +v0.3.1 +------ + If you are upgrading from letsencrypt.sh, note that you need to move /etc/letsencrypt.sh to /etc/dehydrated and chown it to the "dehydrated" user. diff --git a/dehydrated.changes b/dehydrated.changes index 9507adc..ea9cd24 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin + +- Clarified new default settings. KEY_ALGO=secp384r1. Please consult + README.maintainer for details and how to return to RSA-based certificate + issuance. (jsc#ECO-3435, jsc#SLE-15909) +- Added a note about ACMEv1 deprecation +- Added a note on new ACME providers and the new non-URL provider syntax + + See README.maintainer for details. + ------------------------------------------------------------------- Thu Dec 10 16:01:01 UTC 2020 - Daniel Molkentin diff --git a/dehydrated.spec b/dehydrated.spec index ae8df37..77b7794 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -1,7 +1,7 @@ # # spec file for package dehydrated # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed From a341530789674f47f826dca9de658995c8344597a91936b3d105fab0bbd0a172 Mon Sep 17 00:00:00 2001 From: Daniel Molkentin Date: Wed, 3 Mar 2021 17:23:27 +0000 Subject: [PATCH 2/2] Be more precise concerning EC compatibility OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=70 --- README.maintainer | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.maintainer b/README.maintainer index 5ac00b7..ef40e3f 100644 --- a/README.maintainer +++ b/README.maintainer @@ -180,7 +180,8 @@ to This switches the algorithm for newly issued certificates from RSA to the elliptic curve (EC) based secp384r1 algorithm. While both are considered sufficiently compatible to current software in public -environments, some software may not yet be compatible with EC algorithms. +environments and SUSE supports EC even in SLES 12, some 3rd party software +and/or appliances may still not yet be compatible with EC algorithms. In these environments, the KEY_ALGO setting needs to be set to "rsa" manually. If you are receiving errors about an invalid key length, comment out the KEYSIZE option.
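Review bot: in the first README.maintainer hunk (the new v0.7.0 section), the Key Algorithm text is ambiguous about who is affected: it opens with "If you are upgrading from dehydrated <= 0.6.5" but then says "the new default for new installations changes", so it is unclear whether an existing installation whose config never set KEY_ALGO will start issuing EC keys at its next renewal after the upgrade; suggest stating explicitly what happens when KEY_ALGO is unset in an existing config, and telling readers who need RSA to set KEY_ALGO=rsa before upgrading, since an unannounced key-type switch is exactly what breaks the EC-incompatible software the paragraph warns about. In the ACME v1 section, "Verify by setting API=2 in the config file and then running "dehydrated --cron"" should say what outcome counts as verified (a run that completes without errors from the endpoint) and that --cron performs real renewals, so readers do the check deliberately rather than in passing. Typos in the added text: "a URL to a ACME API endpoint" (an ACME), "requires additional the options EAB_KID and EAB_HMAC_KEY" (additionally requires the options), "fore more information" (for), "future versions might no longer do" (might not); the hunk context also shows the pre-existing heading "Limitations & Ceveats" (Caveats), worth fixing while this file is being touched.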
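Review bot: in the dehydrated.changes hunk, the first bullet "- Clarified new default settings. KEY_ALGO=secp384r1." reads as if this package revision flips the default, but the diff touches only README.maintainer and the spec's copyright year, and the README text ties the default to "Starting with 0.7.0"; suggest wording it as documentation, e.g. "- Document the upstream 0.7.0 default KEY_ALGO=secp384r1 and how to return to RSA-based issuance (see README.maintainer)", so a changelog reader knows the behaviour change comes from the upstream version rather than from this revision.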
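Review bot: the dehydrated.spec hunk changes only the copyright year ("2020 SUSE LLC" to "2021 SUSE LLC"), while the commit message announces a new default KEY_ALGO=secp384r1; since nothing in this hunk or elsewhere in the patch changes a shipped config, confirm that the default config installed by this spec (not visible in the diff) agrees with what README.maintainer now documents, otherwise the README describes a default the package does not ship. A year-only edit is fine on its own, but saying in the commit message that the spec change is cosmetic would save the next reviewer the same check.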
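Review bot: in the second README.maintainer hunk (patch 2/2), the new line "and/or appliances may still not yet be compatible with EC algorithms" doubles up "still" and "not yet"; suggest "some third-party software and appliances may not yet be compatible with EC algorithms" (also "third-party" rather than "3rd party"). The added clause "SUSE supports EC even in SLES 12" is useful but sits mid-sentence between the general compatibility statement and the warning; giving it its own sentence after the KEY_ALGO=rsa advice would keep the support statement and the compatibility caveat from reading as contradictory.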