Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
1,132 Commits
43 Branches
215 Tags
44 MiB
master
root-not-found-error-message
relative-paths-config
fix-1637
dependabot/go_modules/github.com/slackhq/nebula-1.9.3
dependabot/go_modules/github.com/google/go-tpm-0.9.1
wire-acme-extensions
mariano/init-provisioners
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.26.2
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '195cdd664a'
${ noResults }
Commit Graph

1132 Commits (195cdd664aa8ba1f53b3e90d6f76c0b234868dfe)
 

Author SHA1 Message Date
Miclain K Keffeler 195cdd664a
RHEL/CentOS Example 4 years ago
Max 0b528d2507
Merge pull request #283 from smallstep/max/empty-oids-nil 
Always convert empty list to nil when saving orderIDs index.
 4 years ago
max furman 41a1a053d8 Always convert empty list to nil when saving orderIDs index. 4 years ago
Max 619f6f6ce0
Merge pull request #281 from smallstep/max/acmeOrders 
Only retain `pending' orders in the `acme_account_orders_index`
 4 years ago
max furman 704a510a2a Remove non-pending orders from the acme_orders_by_account index ... 
- Each acme account has an index in this table. Before this change, the
index would grow unchecked as orders accumulate. This change removes
orders that have moved out of the 'PENDING' state.
 4 years ago
max furman c4f1eea5dc Correct badger file loading mode documentation. 4 years ago
David Cowden 30bfba48d5 Merge branch 'dcow/key-change-error' 
Fixes: https://github.com/smallstep/certificates/pull/276
 4 years ago
max furman d9a1fb7e5d Recommend badgerV2 in badger extra options documentation. 4 years ago
David Cowden a26b5f322d acme/api: Brush up documentation on key-change 
Add more specific wording describing what a 501 means and add more color
explaining how official vs unofficial error types should be handled.
 4 years ago
Mariano Cano 2ca63a9ff5
Merge pull request #267 from smallstep/awskms 
AWS KMS support
 4 years ago
Mariano Cano 26c89cf779 Rename method. 4 years ago
Mariano Cano 7a985b1470 Fix usage, remove unsupported flag. 4 years ago
Mariano Cano df3e9c0cd6 Add full version of the license. 4 years ago
Mariano Cano 4ac51dd508
Merge pull request #274 from smallstep/oidc-raw-locals 
Allow dots and other symbols in principals for OIDC
 4 years ago
Mariano Cano 6c9cd7050c Add test with query strings. 4 years ago
Mariano Cano dfe8e11e44 Remove anchor from link. 4 years ago
Mariano Cano 3246a3e81f Add missing test case. 4 years ago
David Cowden b26e6e42b3 acme: Return 501 for the key-change route 
RFC 8555 § 7.3.5 is not listed as optional but we do not currently
support it. Rather than 404, return a 501 to inform clients that this
functionality is not yet implemented.

The notImplmented error type is not an official error registered in the
ietf:params:acme:error namespace, so prefix if with step:acme:error. An
ACME server is allowed to return other errors and clients should display
the message detail to users.

Fixes: https://github.com/smallstep/certificates/issues/209
 4 years ago
Max ab0f2aedcc
Merge pull request #268 from smallstep/max/acme-nbf 
Set nbf and nbf for ACME orders even when they are not set in the request.

Closes #92
 4 years ago
max furman 6e69f99310 Always set nbf and naf for new ACME orders ... 
- Use the default value from the ACME provisioner if values are not
defined in the request.
 4 years ago
Mariano Cano 0b5fd156e8 Add a third principal on OIDC tokens with the raw local part of the email. 
For the email first.last@example.com it will create the principals
  ["firstlast", "first.last", "first.last@example.com"]

Fixes #253, #254
 4 years ago
Mariano Cano 7104588fcb Fix linter error. 4 years ago
Mariano Cano f006cca87a Use Go 1.14. 4 years ago
Mariano Cano aaf71ce66a Add unit tests for awskms. 4 years ago
Mariano Cano d4cb9f4ac7 Define an interface for kms operations. 
This interface will be used for unit testing.
 4 years ago
Mariano Cano deac15327f Add docs for AWS KMS. 4 years ago
Mariano Cano 82fb96588e Fix unit tests. 4 years ago
Mariano Cano 5b680b2349 Add initialization script for an AWS KMS. 4 years ago
Mariano Cano c32abb76cd Add initial implementation to support AWS KMS. 4 years ago
Mariano Cano b0f768a3fb Add implementation of URIs for KMS. 
Implementation is based on the PKCS #11 URI Scheme RFC
https://tools.ietf.org/html/rfc7512
 4 years ago
Mariano Cano 2bc69d3edd
Merge pull request #252 from smallstep/yubikey 
Yubikey support
 4 years ago
Mariano Cano 89e164dad6 Add AuthorityKeyId to cloudkms root cert. 4 years ago
Mariano Cano 97508ca215 Add AuthorityKeyId to root certificate. 
Fix error string.
 4 years ago
Max ba91f4ed13
Merge pull request #260 from anxolerd/feat-force-cn-if-empty 
[Feature] Force CommonName for certificates from ACME provisioner
 4 years ago
Oleksandr Kovalchuk 4cd01b6868
Implement tests for forceCNOption modifier 
Implement unit tests which checks forceCNOption modifier (implemented
in 322200b7db) is not broken and works
correctly.

Ref: https://github.com/smallstep/certificates/issues/259
 4 years ago
Oleksandr Kovalchuk 893a53793a
Modify existing tests to accept forceCNOption modifier 
Modify existing tests to pass with changes introduced in commit
322200b7db. This is safe to do as
tests assert exact length of modifiers, which has changed.
 4 years ago
Oleksandr Kovalchuk 322200b7db
Implement modifier to set CommonName 
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee
with new modifier.

Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
 4 years ago
Mariano Cano 3e40cb89a7 Add some docs for YubiKey configuration. 4 years ago
Mariano Cano d95c055163 piv-go requires libpcsclite-dev on linux. 4 years ago
Mariano Cano 03a6789f0e Fix compile errors without cgo support. 4 years ago
Mariano Cano 012a4734bf Add better messaging when yubikey is not detected. 4 years ago
Mariano Cano 7d61c0003c Enable softkms and cloudkms. 4 years ago
Max ae15573f93
Merge pull request #249 from smallstep/clive-jevons/dynamic-host-detection-for-acme-directory 
dynamic host detection for acme directory

Closes #235, #193
 4 years ago
max furman e1409349f3 Allow relative URL for all links in ACME api ... 
* Pass the request context all the way down the ACME stack.
* Save baseURL in context and use when generating ACME urls.
 4 years ago
Oleksandr Kovalchuk 0218018cee
Generate Subject if `forceCN` and Subject is empty 
When `forceCN` is set in provisioner configuration and
Subject.CommonName is empty, set Subject.CommonName to the first SAN
from the CSR to follow the letsencrypt's boulder behavior. This is done
in order to support system which require certificate's Subject field to
be non-empty.

N.B. certbot does not send Subject in its certificate request and relies
on similar behavior of letsencrypt.

Closes https://github.com/smallstep/certificates/issues/259
 4 years ago
Oleksandr Kovalchuk 503c9f6101
Add config option to force CN 
Add configuration option `forceCN` to ACME provisioner. When this option
is set to `true`, provisioner should generate Subject.CommonName for
certificate if it was not present in the request. Default value of
`false` should keep the existing behavior (do not modify CSR and
certificate).

Ref: https://github.com/smallstep/certificates/issues/259
 4 years ago
Clive Jevons 639993bd09 Read host and protocol information from request for links 
When constructing links we want to read the required host and protocol
information in a dynamic manner from the request for constructing ACME
links such as the directory information. This way, if the server is
running behind a proxy, and we don't know what the exposed URL should
be at runtime, we can construct the required information from the
host, tls and X-Forwarded-Proto fields in the HTTP request.
Inspired by the LetsEncrypt Boulder project (web/relative.go).
 4 years ago
Mariano Cano 025c0aa20f Display the proper yubikey uri. 4 years ago
Mariano Cano 22b86c3fcc Only rewrite keys with --force. 4 years ago
Mariano Cano 63e36ecd7a Refactor the initialization of KeyManagers. 4 years ago