forked from pool/dehydrated
- Clarified new default settings. KEY_ALGO=secp384r1. Please consult
README.maintainer for details and how to return to RSA-based certificate issuance. (jsc#ECO-3435, jsc#SLE-15909) - Added a note about ACMEv1 deprecation - Added a note on new ACME providers and the new non-URL provider syntax See README.maintainer for details. OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=69
This commit is contained in:
parent
9ddb42dcc7
commit
4f691d6fef
@ -162,6 +162,64 @@ Limitations & Ceveats
|
||||
Upgrade Notes
|
||||
=============
|
||||
|
||||
v0.7.0
|
||||
------
|
||||
|
||||
Key Algorithm
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
If you are upgrading from dehydrated <= 0.6.5, the new default for
|
||||
new installations changes from
|
||||
|
||||
KEY_ALGO=rsa
|
||||
|
||||
to
|
||||
|
||||
KEY_ALGO=secp384r1
|
||||
|
||||
This switches the algorithm for newly issued certificates from RSA
|
||||
to the elliptic curve (EC) based secp384r1 algorithm. While both are
|
||||
considered sufficiently compatible to current software in public
|
||||
environments, some software may not yet be compatible with EC algorithms.
|
||||
In these environments, the KEY_ALGO setting needs to be set to "rsa"
|
||||
manually. If you are receiving errors about an invalid key length,
|
||||
comment out the KEYSIZE option.
|
||||
|
||||
Extended use of the CA variable / New ACME providers
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Starting with 0.7.0, dehydrated supports additional, commercial certificate
|
||||
providers that use the ACME protocol to automatically issue certificates.
|
||||
|
||||
The CA config variable, which so far expected a URL to a ACME API endpoint can
|
||||
now contain the following shorthand service strings instead, which are
|
||||
internally converted to the API URLs and hence are equivalent:
|
||||
|
||||
* LetsEncrypt: "letsencrypt" (staging environment: "letsencrypt-test")
|
||||
* BuyPass: "buypass" (test environment: "buypass-test")
|
||||
* ZeroSSL: "zerossl"
|
||||
|
||||
LetsEncrypt remains the default provider. If you prefer to use the URL instead,
|
||||
you can continue to do so.
|
||||
|
||||
Note: ZeroSSL requires additional the options EAB_KID and EAB_HMAC_KEY to be
|
||||
set. Please consult the ZeroSSL documentation fore more information.
|
||||
|
||||
ACME v1 deprecation
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The upstream project has deprecated ACME v1 in favor of the IETF-
|
||||
blessed [1] ACME v2 protocol. While dehydrated still supports v1-based
|
||||
verification flows, future versions might no longer do. If you are using a
|
||||
custom ACME endpoint URL, you can check compliance with the ACME v2 protocol by
|
||||
consulting your ACME service provider's documentation. Verify by setting API=2
|
||||
in the config file and then running "dehydrated --cron".
|
||||
|
||||
[1] https://tools.ietf.org/html/rfc8555
|
||||
|
||||
v0.3.1
|
||||
------
|
||||
|
||||
If you are upgrading from letsencrypt.sh, note that you need to move
|
||||
/etc/letsencrypt.sh to /etc/dehydrated and chown it to the "dehydrated"
|
||||
user.
|
||||
|
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 3 15:42:18 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com>
|
||||
|
||||
- Clarified new default settings. KEY_ALGO=secp384r1. Please consult
|
||||
README.maintainer for details and how to return to RSA-based certificate
|
||||
issuance. (jsc#ECO-3435, jsc#SLE-15909)
|
||||
- Added a note about ACMEv1 deprecation
|
||||
- Added a note on new ACME providers and the new non-URL provider syntax
|
||||
|
||||
See README.maintainer for details.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 10 16:01:01 UTC 2020 - Daniel Molkentin <daniel.molkentin@suse.com>
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package dehydrated
|
||||
#
|
||||
# Copyright (c) 2020 SUSE LLC
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
|
Loading…
Reference in New Issue
Block a user