This is a high-level summary of the most important changes. For a full list of changes, see the git commit log and pick the appropriate release branch.
Features and Improvements:
- support for enrollment hooks
- challenge_validation_timeout parameter in acme_srv.cfg
- cmpv2_ca_handler using the inbuilt cmp feature from openssl 3.0
- Github action to test certificate enrollment using CMPv2 protocol
- Github action to test certificate enrollment from NetGuard Certificate Lifecycle Manager
Bugfixes:
- RFC compliant content-type in error responses
Features and Improvements:
- CA handler using Microsoft Windows Client Certificate Enrollment Protocol
- asynchronous enrollment workflow using threading module
- option to re-use certificates enrolled within a certain time window
- workflow using Posh-ACME
Bugfixes:
- return challenge status when creating/polling Authorization resources
- remove duplicated certificate extension in openssl_ca_handler.py
- change challenge status to 'invalid' in case enrollment fails
Features and Improvements:
- disable TLSv1.0 and TLSv1.1 fallback when conducting tls-alpn-01 challenge validation
- python3-cryptography will be installed via pip to fulfill dependencies from pyOpenSSL
- Changed encoding detection library from chardet to charset_normalizer
- lgtm conformance
Features and Improvements:
- support for django 3.x
- workflow for application testing using win-acme
- additional linting and pep8 conformance checks
Features and Improvements:
- pep8 conformance
- time adjustments in certmanager and django workflows
- addressing code-scanning alerts from bandit and CodeQL
Bugfixes:
- Authorization polling does not trigger challenge validation anymore
- Overcome database locking situations in django environments using sqlite3 backends
Features and Improvements:
Bugfixes:
Features and Improvements:
- absolute path support for CA- and EAB-handler
Bugfixes:
- fixed race condition in push_to_docker workflow
Upgrade notes:
- database schema gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features and Improvements:
- proxy support for http and tls-alpn challenge validation and in several ca-handlers
- acme_ca_handler:
  - support for account registration and http_challenge validation
- openssl_ca_handler:
  - cn_enforce parameter to enforce setting a common name in certificate
  - whitelist parameter got renamed to allowed_domainlist
  - blocklist parameter got renamed to blocked_domainlist
- xca_ca_handler:
  - cn_enforce parameter to enforce setting a common name in certificate
Bugfixes:
- python requests module - version pinning to 2.25.1
Upgrade notes:
- database schema gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features:
- Generic ACME protocol handler
- CA handler for acme2dfn (external; ACME proxy for the German research network's SOAP API)
- wsgi_db_handler: allow DB file path configuration
- allow setting config file location via environment variable
Improvements:
- acme module has been renamed to acme_srv to avoid naming clashes with acme-python
- allow GET method for newnonce
- don't verify SSL certificate during http-01 challenge validation
Features:
- CA-Handler configuration via environment variables:
  - cmp_ca_handler: ref-num and passphrase
  - certifier_ca_handler: api_user, api_password
  - est_ca_handler: est_host, est_user, est_password
  - mscertsrv_ca_handler: host, user, password
  - nclm_ca_handler: api_user, api_password
  - openssl_ca_handler: passphrase
  - xca_ca_handler: passphrase
Bugfixes:
- don't overwrite group ownership for volume folder
- don't copy ca_handler file if a valid ca_handler was defined under the CAhandler section in acme_srv.cfg
- django migration files will get stored on volume
- avoidance of KU/EKU duplicates when using templates in xca_ca_handler
- alpn challenge handling in django deployments
- fix for handling of empty challenges
- more robust DNS challenge validation
Other improvements:
- CodeCoverage measurement via codecov.io
- Switch to acme.sh:latest in CI pipeline
- Regression test-cases for django deployments using either mariadb or postgres backends
Upgrade notes:
- database schema gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Bugfixes:
- fix for type field length in Challenge table
Bugfixes:
- additional fixes for dns-01 challenge validation (handling for *.foo.bar and foo.bar in the same csr)
Bugfixes:
- fixes for dns-01 challenge validation
- default ku settings when using xca templates
Upgrade notes:
- You need to run the upgrade-script after updating the package
Features:
- support for tls-alpn-01 challenges
- eab kid logging and reporting
Bugfixes:
- database scheme versioning
Upgrade notes:
- You need to run the upgrade-script after updating the package
Features:
- support for External Account Binding
Bugfixes:
- acme2certifier_wsgi.py - newaccount() - initialize Account() class as context handler
Upgrade notes:
- You need to run the upgrade-script after updating the package
Bugfixes:
- helper.py - fqdn_resolve() - resolve AAAA records
- helper.py - url_get() - ipv4 fallback during http challenge validation
Features:
- template support in xca_handler.py and nclm_ca_handler.py
- docker images at ghcr.io
Bugfixes/Improvements:
- refactor nclm_ca_handler.py
- refactor certifier_ca_handler.py
- workflows for
  - code-scanning (CodeQL and Bandit)
  - ca_handler tests
  - phonito security scans
Upgrade notes:
- You need to run the upgrade-script after updating the package
Bugfixes:
- helper.py - fqdn_resolve() - resolve AAAA records
Upgrade notes:
- it's enough to run the upgrade script. Depending on your configuration you need to run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features:
- docker images containing nginx
- readymade images at dockerhub
Bugfixes/Improvements:
- several fixes in unit-tests
- unit-tests are split into separate files
- unittests for certifier_ca_handler.py
- documentation updates
- Github actions to test
  - certificate enrollment for all four containerized deployment options
  - tnauth functionality
  - image creation and dockerhub upload
Bugfixes:
- cmp_ca_handler.py - avoid crash if tmp_dir has not been specified in config-file
- order.py - expiry date will be added during authz creation
- authorization.py - corner case handling in case authz expiry is set to 0
- wiki-update.yml - checkout from grindsa/github-wiki-publish-action@customize_wiki_title
- *.md - meta tag "wiki-name" added
Upgrade notes:
- take a backup of your acme_srv.db before doing the upgrade
- update your db_handler.py with the latest version from the examples/db_handler directory
- database schema gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
- orders and authorizations expire based on (pre)configured timers
  - the default expiration timer is 86400 seconds and can be adjusted in acme_srv.cfg.
  - auto expiration can be disabled in acme_srv.cfg. Check docs/acme_srv.md for further information.
  - the expiration checks and order/authorization invalidation will be triggered in case a client accesses an order or authorization resource. It is recommended to run the script tools/invalidator.py after the upgrade to manually check and invalidate expired authorizations and orders and to update the issuing and expiration dates in the certificate table.
Features:
- ca_handler can be specified in acme_srv.cfg
- certifier_ca_handler.py - handling of der encoded certificates in trigger() method
- issuing date and expiration date will be stored in the certificate table
- xca_ca_handler: new variable issuing_ca_key
- basic reporting and housekeeping
  - order and authorization expiration
  - method to remove expired certificates from database. Check the certificate_cleanup method in docs/housekeeping.md for further information
- database versioning and error logging in case of version mismatch
Bugfixes:
- Base64 encoding in certifier_trigger.sh (removed blanks by using -w 0)
- improved exception handling in case of database errors
Upgrade notes:
- database schema gets updated. Depending on the db_handler you need to:
  - run py manage.py makemigrations && py manage.py migrate in case you use the django_handler
  - execute the tools/db_upgrade.py script when using the wsgi_handler
- run
Features:
- http_x_forward header support
- configurable tos
- option to disable contact check
- option to disable tos check
Bugfixes:
- mscertsrv_ca_handler: #37 - pkcs#7 to pem conversion
- mscertsrv_ca_handler: CRLF to LF conversion
- #35 rfc608 compliant contact checking
- xca_handler: #38 - prevent error message leakage to client
Features:
- option to mandate the usage of ecc keys
- openssl_handler: "save_as_hex" option
- openssl_handler: black/whitelist support
- openssl_handler: option to configure customized cert extensions
- option to configure custom dns resolvers
- xca_handler
- Additional client support (lego and win-acme)
Bugfixes:
- updated license
- empty CRL handling
- string parsing in b64_url_encode()
- py3 support for est_handler
- #9 - base64-parsing of dns challenge
- openssl_handler: set correct x509 version
- openssl_handler: mandatory cert-extensions
- harmonization of apache config files
- migration support for docker_django deployment
Features:
- Challenge polling
- Support for CA polling and call-backs
- Certificate profiling in openssl handler
- SSL support
- Container deployments
- Django project with mysql as backend database
Features:
- support ECC keys
- key update and key roll-over support
- generic CMPv2 handler
Features:
- EST and certsrv support
Features:
- CSR validation against order identifiers
Features:
- experimental TNAuthList identifier and tkauth-01 challenge support
- compatibility with Python3