|kristaps e82c130dd9 Sync.||9 months ago|
|GNUmakefile||1 year ago|
|LICENSE.md||1 year ago|
|Linux-seccomp.md||1 year ago|
|README.md||1 year ago|
|acctproc.c||9 months ago|
|acme-client.1||9 months ago|
|base64.c||1 year ago|
|certproc.c||1 year ago|
|chngproc.c||9 months ago|
|compat-setresgid.c||1 year ago|
|compat-setresuid.c||1 year ago|
|config.h||1 year ago|
|dbg.c||1 year ago|
|dnsproc.c||1 year ago|
|extern.h||9 months ago|
|fileproc.c||9 months ago|
|http.c||1 year ago|
|http.h||1 year ago|
|jsmn.c||1 year ago|
|jsmn.h||1 year ago|
|json.c||1 year ago|
|keyproc.c||9 months ago|
|main.c||9 months ago|
|netproc.c||9 months ago|
|revokeproc.c||9 months ago|
|rsa.c||1 year ago|
|rsa.h||1 year ago|
|sandbox-darwin.c||1 year ago|
|sandbox-null.c||1 year ago|
|sandbox-pledge.c||1 year ago|
|sandbox-seccomp.c||1 year ago|
|util-pledge.c||1 year ago|
|util-portable.c||1 year ago|
|util.c||1 year ago|
It was named letskencrypt-portable until version 0.1.11.
Please see kristaps.bsd.lv/acme-client for stable releases: this repository is for current development of the portable branch, which tracks acme-client with goop to allow compilation and secure operation on Linux, Mac OS X, NetBSD, and FreeBSD (hence "-portable"). You will need libressl on all systems and libbsd on Linux (except for musl libc systems like Alpine).
This repository mirrors the master CVS repository: any source changes will occur on the master and be pushed periodically to GitHub. If you have bug reports or patches, either file them here or e-mail them to me. Feature requests will be ignored unless joined by a patch.
What are the difference between this and the non-portable release?
This version tries its best to be secure, but some of its supported operating systems are hostile to security.
On both Linux and Mac OS X, for example, the DNS resolution process is effectively run in the main file-system and un-sandboxed due to the complexity of lookups (needing mDNSresponder in the latter case or a slew of mystery files in the former).
Moreover, while the sandbox on Mac OS X (which is deprecated?) exists, its behaviour is not well-documented and, morever, is weakened to co-exist with the file-system jail.
Feature requests will be ignored unless joined by a patch. If there's something you need, I'm happy to work with you to make it happen. If you really need it, I'm available for contract (contact me by e-mail).
Since your system might not be one of the tested ones (FreeBSD, Linux, Linux with musl libc, etc.), you may need to tune some of the values in the GNUmakefile or config.h. Please tell me if you do so, so I can accommodate in future releases.
In the former, you can adjust system-specific compilation flags.
In the latter, you can set the
NOBODY_USER value to be the name of an
unprivileged user for privilege dropping.
You can also set
DEFAULT_CA_FILE for the location of the certificate
file loaded by libtls.
PATH_VAR_EMPTY, which should be an empty directory into
which we can create our jail.
Sources use the ISC (like OpenBSD) license. See the LICENSE.md file for details.