Hi Mia,

On Thu, May 07, 2026 at 12:27:05AM +0300, Mia Kanashi wrote:
> Oh, I guess I need to pass v2 to the git format-patch,
> else it doesn't add it, good to know.

You can directly pass -v2 to git-send-email in fact, and every parameter that
you pass to git format-patch usually, it's not mandatory to do a git-format
before.

> Also maybe replying to the first message in a thread makes more sense,
> as the conversation is too deep otherwise.

Would be confusing if you forgot the -v2, it would mix up multiple patches
with the same version in the same thread :-) But you can also just resend a
series without any message ID, that's fine as well.

Thanks for your patches, I merged your series, but I've done some minor
changes:

diff --git a/src/acme.c b/src/acme.c
index f4fd6f14d1..7785c61972 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -896,7 +896,7 @@ static int cfg_postsection_acme()
/* empty files are allowed, but issue a log message */
ha_notice("acme: section '%s': EAB key id from '%s' is
empty.\n", cur_acme->name, cur_acme->eab.kid_file);
} else {
- ha_alert("acme: section '%s': couldn't load EAB key id
from '%s', code %d.\n", cur_acme->name, cur_acme->eab.mac_key_file, rv);
+ ha_alert("acme: section '%s': couldn't load EAB key id
from '%s', code %d.\n", cur_acme->name, cur_acme->eab.kid_file, rv);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto out;
}
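
Review bot: the mac_key_file/kid_file mix-up fixed in this ha_alert() is mirrored by the opposite mix-up in the length check of the next hunk, which points at two copy-pasted load paths in cfg_postsection_acme(). A small shared helper that takes the file path and a label ("EAB key id" or "EAB MAC key") and emits the alert would keep the reported path tied to the file that was actually read, which matters because an operator debugging a failed EAB setup will open whichever file the alert names.
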
@@ -927,7 +927,7 @@ static int cfg_postsection_acme()
if (bytes < alg_bytes) {
ha_alert("acme: section '%s': EAB mac key from
'%s' is only %d bytes long, but at least %d bytes is required for the specified
mac type.\n",
- cur_acme->name, cur_acme->eab.kid_file,
bytes, alg_bytes);
+ cur_acme->name,
cur_acme->eab.mac_key_file, bytes, alg_bytes);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
goto out;
}
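
Review bot: the alert text in this length check reads "at least %d bytes is required"; it should be "are required". Now that the message names cur_acme->eab.mac_key_file, it could also name the configured MAC algorithm instead of "the specified mac type", so the reader can tell which minimum length applies without going back to the config.
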
diff --git a/src/acme.c b/src/acme.c
index 7785c61972..d11446b13f 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -1123,6 +1123,8 @@ void deinit_acme()
ha_free(&acme_cfgs->challenge);
ha_free(&acme_cfgs->map);
ha_free(&acme_cfgs->profile);
+ ha_free(&acme_cfgs->eab.kid_file);
+ ha_free(&acme_cfgs->eab.mac_key_file);
chunk_destroy(&acme_cfgs->eab.mac_key);
ha_free(&acme_cfgs->eab.kid);
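
Review bot: chunk_destroy(&acme_cfgs->eab.mac_key), in the context right after the two added ha_free() calls, releases the decoded EAB MAC key, which is secret material. If chunk_destroy() does not clear the buffer, zeroing the chunk's area before destroying it would avoid leaving the key in freed heap memory. The two added ha_free() calls themselves only release path strings and look fine.
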
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 98db0e2fe6..de877ab590 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -32660,25 +32660,41 @@ Example:
curves P-384
map virt@acme
-eab-mac-key <filename>
eab-key-id <filename>
- Configure the path to the EAB MAC key and EAB key id credential pair. You
- should get credentials from you CA and place them at the specified path
- before launching HAProxy, they will be used during the account creation.
+ Configure the path to the EAB key id file. The credential is provided by
+ the CA and must be placed at the specified path before starting HAProxy.
+ It is used during account creation only.
+
+ The file must contain a plain ASCII string.
+
+ EAB credentials are only required during the initial ACME account creation
+ and can be removed afterwards, either from the config or by emptying the
+ files. An empty file is silently ignored. Whitespace is not ignored, except
+ for the trailing newline.
+
+ See also: "eab-mac-key", "eab-mac-alg"
- EAB key id file should be a plain ASCII string that CA provides as an id.
- EAB MAC key file should be a base64url encoded MAC key that CA provides.
+eab-mac-key <filename>
+ Configure the path to the EAB MAC key file. The credential is provided by
+ the CA and must be placed at the specified path before starting HAProxy.
+ It is used during account creation only.
+
+ The file must contain a base64url encoded MAC key.
- EAB credentials are used only during the initial ACME account creation, and
- can be removed afterwards, either from the config or by emptying the files.
- If file is empty HAProxy will ignore it. Whitespace in is not ignored,
- except the trailing newline.
+ EAB credentials are only required during the initial ACME account creation
+ and can be removed afterwards, either from the config or by emptying the
+ files. An empty file is silently ignored. Whitespace is not ignored, except
+ for the trailing newline.
+
+ See also: "eab-key-id", "eab-mac-alg"
eab-mac-alg { HS256 | HS384 | HS512 }
Configure MAC algorithm used for EAB signing. Default is HS256. EAB MAC key
must be large enough to support specified MAC algorithm. Not all CAs support
algorithms other than HS256.
+ See also: "eab-key-id", "eab-mac-key"
+
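
Review bot: "An empty file is silently ignored" in both the eab-key-id and eab-mac-key entries does not match src/acme.c, where the empty key id case carries the comment "empty files are allowed, but issue a log message" and calls ha_notice(). Suggest wording such as "An empty file is ignored and a notice is logged". The eab-mac-key entry could also state that the file holds a secret and should be readable only by the user that starts HAProxy.
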
diff --git a/src/acme.c b/src/acme.c
index d11446b13f..26ffc3ab85 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -907,7 +907,7 @@ static int cfg_postsection_acme()
int bytes = 0;
int alg_bytes = 0;
- bytes = base64dec(trash.area, trash.data,
dec_mac->area, dec_mac->size);
+ bytes = base64urldec(trash.area, trash.data,
dec_mac->area, dec_mac->size);
if (bytes < 0) {
ha_alert("acme: section '%s': failed to
base64url decode EAB MAC key.\n", cur_acme->name);
err_code |= ERR_ALERT | ERR_FATAL | ERR_ABORT;
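
Review bot: the ha_alert() on the bytes < 0 path reports only the section name, while the length-check alert further down in the same function names cur_acme->eab.mac_key_file; adding the path here would make both failures equally easy to trace. Since base64dec() rejects any key containing '-' or '_', a regression test that loads such a key would cover the path this change fixes.
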
--
William Lallemand