Accepting request 876590 from security:dehydrated
- Clarified new default settings. KEY_ALGO=secp384r1. Please consult README.maintainer for details and how to return to RSA-based certificate issuance. (jsc#ECO-3435, jsc#SLE-15909) - Added a note about ACMEv1 deprecation - Added a note on new ACME providers and the new non-URL provider syntax See README.maintainer for details. OBS-URL: https://build.opensuse.org/request/show/876590 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=21
This commit is contained in:
commit
e5b502b382
@ -162,6 +162,65 @@ Limitations & Ceveats
|
|||||||
Upgrade Notes
|
Upgrade Notes
|
||||||
=============
|
=============
|
||||||
|
|
||||||
|
v0.7.0
|
||||||
|
------
|
||||||
|
|
||||||
|
Key Algorithm
|
||||||
|
~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
If you are upgrading from dehydrated <= 0.6.5, the new default for
|
||||||
|
new installations changes from
|
||||||
|
|
||||||
|
KEY_ALGO=rsa
|
||||||
|
|
||||||
|
to
|
||||||
|
|
||||||
|
KEY_ALGO=secp384r1
|
||||||
|
|
||||||
|
This switches the algorithm for newly issued certificates from RSA
|
||||||
|
to the elliptic curve (EC) based secp384r1 algorithm. While both are
|
||||||
|
considered sufficiently compatible to current software in public
|
||||||
|
environments and SUSE supports EC even in SLES 12, some 3rd party software
|
||||||
|
and/or appliances may still not yet be compatible with EC algorithms.
|
||||||
|
In these environments, the KEY_ALGO setting needs to be set to "rsa"
|
||||||
|
manually. If you are receiving errors about an invalid key length,
|
||||||
|
comment out the KEYSIZE option.
|
||||||
|
|
||||||
|
Extended use of the CA variable / New ACME providers
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Starting with 0.7.0, dehydrated supports additional, commercial certificate
|
||||||
|
providers that use the ACME protocol to automatically issue certificates.
|
||||||
|
|
||||||
|
The CA config variable, which so far expected a URL to a ACME API endpoint can
|
||||||
|
now contain the following shorthand service strings instead, which are
|
||||||
|
internally converted to the API URLs and hence are equivalent:
|
||||||
|
|
||||||
|
* LetsEncrypt: "letsencrypt" (staging environment: "letsencrypt-test")
|
||||||
|
* BuyPass: "buypass" (test environment: "buypass-test")
|
||||||
|
* ZeroSSL: "zerossl"
|
||||||
|
|
||||||
|
LetsEncrypt remains the default provider. If you prefer to use the URL instead,
|
||||||
|
you can continue to do so.
|
||||||
|
|
||||||
|
Note: ZeroSSL requires additional the options EAB_KID and EAB_HMAC_KEY to be
|
||||||
|
set. Please consult the ZeroSSL documentation fore more information.
|
||||||
|
|
||||||
|
ACME v1 deprecation
|
||||||
|
~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
The upstream project has deprecated ACME v1 in favor of the IETF-
|
||||||
|
blessed [1] ACME v2 protocol. While dehydrated still supports v1-based
|
||||||
|
verification flows, future versions might no longer do. If you are using a
|
||||||
|
custom ACME endpoint URL, you can check compliance with the ACME v2 protocol by
|
||||||
|
consulting your ACME service provider's documentation. Verify by setting API=2
|
||||||
|
in the config file and then running "dehydrated --cron".
|
||||||
|
|
||||||
|
[1] https://tools.ietf.org/html/rfc8555
|
||||||
|
|
||||||
|
v0.3.1
|
||||||
|
------
|
||||||
|
|
||||||
If you are upgrading from letsencrypt.sh, note that you need to move
|
If you are upgrading from letsencrypt.sh, note that you need to move
|
||||||
/etc/letsencrypt.sh to /etc/dehydrated and chown it to the "dehydrated"
|
/etc/letsencrypt.sh to /etc/dehydrated and chown it to the "dehydrated"
|
||||||
user.
|
user.
|
||||||
|
@ -1,3 +1,14 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com>
|
||||||
|
|
||||||
|
- Clarified new default settings. KEY_ALGO=secp384r1. Please consult
|
||||||
|
README.maintainer for details and how to return to RSA-based certificate
|
||||||
|
issuance. (jsc#ECO-3435, jsc#SLE-15909)
|
||||||
|
- Added a note about ACMEv1 deprecation
|
||||||
|
- Added a note on new ACME providers and the new non-URL provider syntax
|
||||||
|
|
||||||
|
See README.maintainer for details.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Dec 10 16:01:01 UTC 2020 - Daniel Molkentin <daniel.molkentin@suse.com>
|
Thu Dec 10 16:01:01 UTC 2020 - Daniel Molkentin <daniel.molkentin@suse.com>
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package dehydrated
|
# spec file for package dehydrated
|
||||||
#
|
#
|
||||||
# Copyright (c) 2020 SUSE LLC
|
# Copyright (c) 2021 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
Loading…
Reference in New Issue
Block a user