SHA256
1
0
forked from pool/dehydrated

- Clarified new default settings. KEY_ALGO=secp384r1. Please consult

README.maintainer for details and how to return to RSA-based certificate
  issuance. (jsc#ECO-3435, jsc#SLE-15909)
- Added a note about ACMEv1 deprecation
- Added a note on new ACME providers and the new non-URL provider syntax
  See README.maintainer for details.

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=69
This commit is contained in:
Daniel Molkentin 2021-03-03 17:15:11 +00:00 committed by Git OBS Bridge
parent 9ddb42dcc7
commit 4f691d6fef
3 changed files with 70 additions and 1 deletions

View File

@ -162,6 +162,64 @@ Limitations & Ceveats
Upgrade Notes
=============
v0.7.0
------
Key Algorithm
~~~~~~~~~~~~~
If you are upgrading from dehydrated <= 0.6.5, the new default for
new installations changes from
KEY_ALGO=rsa
to
KEY_ALGO=secp384r1
This switches the algorithm for newly issued certificates from RSA
to the elliptic curve (EC) based secp384r1 algorithm. While both are
considered sufficiently compatible to current software in public
environments, some software may not yet be compatible with EC algorithms.
In these environments, the KEY_ALGO setting needs to be set to "rsa"
manually. If you are receiving errors about an invalid key length,
comment out the KEYSIZE option.
Extended use of the CA variable / New ACME providers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Starting with 0.7.0, dehydrated supports additional, commercial certificate
providers that use the ACME protocol to automatically issue certificates.
The CA config variable, which so far expected a URL to a ACME API endpoint can
now contain the following shorthand service strings instead, which are
internally converted to the API URLs and hence are equivalent:
* LetsEncrypt: "letsencrypt" (staging environment: "letsencrypt-test")
* BuyPass: "buypass" (test environment: "buypass-test")
* ZeroSSL: "zerossl"
LetsEncrypt remains the default provider. If you prefer to use the URL instead,
you can continue to do so.
Note: ZeroSSL requires additional the options EAB_KID and EAB_HMAC_KEY to be
set. Please consult the ZeroSSL documentation fore more information.
ACME v1 deprecation
~~~~~~~~~~~~~~~~~~~
The upstream project has deprecated ACME v1 in favor of the IETF-
blessed [1] ACME v2 protocol. While dehydrated still supports v1-based
verification flows, future versions might no longer do. If you are using a
custom ACME endpoint URL, you can check compliance with the ACME v2 protocol by
consulting your ACME service provider's documentation. Verify by setting API=2
in the config file and then running "dehydrated --cron".
[1] https://tools.ietf.org/html/rfc8555
v0.3.1
------
If you are upgrading from letsencrypt.sh, note that you need to move
/etc/letsencrypt.sh to /etc/dehydrated and chown it to the "dehydrated"
user.

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com>
- Clarified new default settings. KEY_ALGO=secp384r1. Please consult
README.maintainer for details and how to return to RSA-based certificate
issuance. (jsc#ECO-3435, jsc#SLE-15909)
- Added a note about ACMEv1 deprecation
- Added a note on new ACME providers and the new non-URL provider syntax
See README.maintainer for details.
-------------------------------------------------------------------
Thu Dec 10 16:01:01 UTC 2020 - Daniel Molkentin <daniel.molkentin@suse.com>

View File

@ -1,7 +1,7 @@
#
# spec file for package dehydrated
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed