Implement RFC 8555 "Automatic Certificate Management Environment
(ACME)" to be able to talk to the v02 Let's Encrypt API.

With this acme-client(1) will no longer be able to talk to the v01
API. User

Implement RFC 8555 "Automatic Certificate Management Environment
(ACME)" to be able to talk to the v02 Let's Encrypt API.

With this acme-client(1) will no longer be able to talk to the v01
API. Users must change the api url in /etc/acme-client.conf to
https://acme-v02.api.letsencrypt.org/directory
Existing accounts (and certs of course) stay valid and after the url
change acme-client will be able to renew certs.

Tested by Renaud Allard and benno
Input & OK benno

show more ...

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

In netproc process, unveil to only expose the CA file.
ok florian

remove __BEGIN_DECLS and __END_DECLS from http.h
sync with ocspcheck and acme-client
ok benno@

string terminator is called a NUL

Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad
idea, so stop doing that. Instead, use a single tls_config, set it up and
configure the CA file to use while we still have rpa

Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad
idea, so stop doing that. Instead, use a single tls_config, set it up and
configure the CA file to use while we still have rpath, then drop rpath.
This also avoids creating a new tls_config for each and every HTTPS
connection, which is unnecessary.

ok benno@ florian@

show more ...

whitespace

Import Kristaps' letskencrypt and call it acme-client in tree.
OK to get it in deraadt@ (and probably beck@)

At least deraadt@, beck@ and otto@ are fine with the name and the
disagreements stopped.