forked from TrueCloudLab/lego
17 KiB
17 KiB
Changelog
[v2.3.0] - 2019-03-11
Added:
- [dnsprovider] Add DNS Provider for ClouDNS.net
- [dnsprovider] Add DNS Provider for Oracle Cloud
Changed:
- [cli] Adds log when no renewal.
- [dnsprovider,lib] Add a mechanism to wrap a PreCheckFunc
- [dnsprovider] oraclecloud: better way to get private key.
- [dnsprovider] exoscale: update library
Fixed:
- [dnsprovider] OVH: Refresh zone after deleting challenge record
- [dnsprovider] oraclecloud: ttl config and timeout
- [dnsprovider] hostingde: fix client fails if customer has no access to dns-groups
- [dnsprovider] vscale: getting sub-domain
- [dnsprovider] selectel: getting sub-domain
- [dnsprovider] vscale: fix TXT records clean up
- [dnsprovider] selectel: fix TXT records clean up
[v2.2.0] - 2019-02-08
Added:
- [dnsprovider] Add support for Openstack Designate as a DNS provider
- [dnsprovider] gcloud: Option to specify gcloud service account json by env as string
- [experimental feature] Resolve CNAME when creating dns-01 challenge. To enable: set
LEGO_EXPERIMENTAL_CNAME_SUPPORT
totrue
.
Changed:
- [cli] Applies Let’s Encrypt’s recommendation about renew. The option
--days
of the commandrenew
has a new default value (30
) - [lib] Uses a jittered exponential backoff
Fixed:
- [cli] CLI and key type.
- [dnsprovider] httpreq: Endpoint with path.
- [dnsprovider] fastdns: Do not overwrite existing TXT records
- Log wildcard domain correctly in validation
[v2.1.0] - 2019-01-24
Added:
- [dnsprovider] Add support for zone.ee as a DNS provider.
Changed:
- [dnsprovider] nifcloud: Change DNS base url.
- [dnsprovider] gcloud: More detailed information about Google Cloud DNS.
Fixed:
- [lib] fix: OCSP, set HTTP client.
- [dnsprovider] alicloud: fix pagination.
- [dnsprovider] namecheap: fix panic.
[v2.0.0] - 2019-01-09
Added:
- [cli,lib] Option to disable the complete propagation Requirement
- [lib,cli] Support non-ascii domain name (punnycode)
- [cli,lib] Add configurable timeout when obtaining certificates
- [cli] Archive revoked certificates
- [cli] Add command to list certificates.
- [cli] support for renew with CSR
- [cli] add SAN on renew
- [lib] Adds
Remove
for challenges - [lib] Add version to xenolf-acme in User-Agent.
- [dnsprovider] The ability for a DNS provider to solve the challenge sequentially
- [dnsprovider] Add DNS provider for "HTTP request".
- [dnsprovider] Add DNS Provider for Vscale
- [dnsprovider] Add DNS Provider for TransIP
- [dnsprovider] Add DNS Provider for inwx
- [dnsprovider] alidns: add support to handle more than 20 domains
Changed:
- [lib] Check all challenges in a predictable order
- [lib] Poll authz URL instead of challenge URL
- [lib] Check all nameservers in a predictable order
- [lib] Logs every iteration of waiting for the propagation
- [cli]
--http
: enable HTTP challenge important - [cli]
--http.port
: previously named--http
- [cli]
--http.webroot
: previously named--webroot
- [cli]
--http.memcached-host
: previously named--memcached-host
- [cli]
--tls
: enable TLS challenge important - [cli]
--tls.port
: previously named--tls
- [cli]
--dns.resolvers
: previously named--dns-resolvers
- [cli] the option
--days
of the commandrenew
has default value (15
) - [dnsprovider] gcloud: Use GCE_PROJECT for project always, if specified
Removed:
- [lib] Remove
SetHTTP01Address
- [lib] Remove
SetTLSALPN01Address
- [lib] Remove
Exclude
- [cli] Remove
--exclude
,-x
Fixed:
- [lib] Fixes revocation for subdomains and non-ascii domains
- [lib] Disable pending authorizations
- [dnsprovider] transip: concurrent access to the API.
- [dnsprovider] gcloud: fix for wildcard
- [dnsprovider] Azure: Do not overwrite existing TXT records
- [dnsprovider] fix: Cloudflare error.
[v1.2.0] - 2018-11-04
Added:
- [dnsprovider] Add DNS Provider for ConoHa DNS
- [dnsprovider] Add DNS Provider for MyDNS.jp
- [dnsprovider] Add DNS Provider for Selectel
Fixed:
- [dnsprovider] netcup: make unmarshalling of api-responses more lenient.
Changed:
- [dnsprovider] aurora: change DNS client
- [dnsprovider] azure: update auth to support instance metadata service
- [dnsprovider] dnsmadeeasy: log response body on error
- [lib] TLS-ALPN-01: Update idPeAcmeIdentifierV1, draft refs.
- [lib] Do not send a JWS body when POSTing challenges.
- [lib] Support POST-as-GET.
[v1.1.0] - 2018-10-16
Added:
- [lib] TLS-ALPN-01 Challenge
- [cli] Add filename parameter
- [dnsprovider] Allow to configure TTL, interval and timeout
- [dnsprovider] Add support for reading DNS provider setup from files
- [dnsprovider] Add DNS Provider for ACME-DNS
- [dnsprovider] Add DNS Provider for ALIYUN DNS
- [dnsprovider] Add DNS Provider for DreamHost
- [dnsprovider] Add DNS provider for hosting.de
- [dnsprovider] Add DNS Provider for IIJ
- [dnsprovider] Add DNS Provider for netcup
- [dnsprovider] Add DNS Provider for NIFCLOUD DNS
- [dnsprovider] Add DNS Provider for SAKURA Cloud
- [dnsprovider] Add DNS Provider for Stackpath
- [dnsprovider] Add DNS Provider for VegaDNS
- [dnsprovider] exec: add EXEC_MODE=RAW support.
- [dnsprovider] cloudflare: support for CF_API_KEY and CF_API_EMAIL
Fixed:
- [lib] Don't trust identifiers order.
- [lib] Fix missing issuer certificates from Let's Encrypt
- [dnsprovider] duckdns: fix TXT record update url
- [dnsprovider] duckdns: fix subsubdomain
- [dnsprovider] gcloud: update findTxtRecords to use Name=fqdn and Type=TXT
- [dnsprovider] lightsail: Fix Domain does not exist error
- [dnsprovider] ns1: use the authoritative zone and not the domain name
- [dnsprovider] ovh: check error to avoid panic due to nil client
Changed:
- [lib] Submit all dns records up front, then validate serially
[v1.0.0] - 2018-05-30
Changed:
- [lib] ACME v2 Support.
- [dnsprovider] Renamed
/providers/dns/googlecloud
to/providers/dns/gcloud
. - [dnsprovider] Modified Google Cloud provider
gcloud.NewDNSProviderServiceAccount
function to extract the project id directly from the service account file. - [dnsprovider] Made errors more verbose for the Cloudflare provider.
[v0.5.0] - 2018-05-29
Added:
- [dnsprovider] Add DNS challenge provider
exec
- [dnsprovider] Add DNS Provider for Akamai FastDNS
- [dnsprovider] Add DNS Provider for Bluecat DNS
- [dnsprovider] Add DNS Provider for CloudXNS
- [dnsprovider] Add DNS Provider for Duck DNS
- [dnsprovider] Add DNS Provider for Gandi Beta Platform (LiveDNS)
- [dnsprovider] Add DNS Provider for GleSYS API
- [dnsprovider] Add DNS Provider for GoDaddy
- [dnsprovider] Add DNS Provider for Lightsail
- [dnsprovider] Add DNS Provider for Name.com
Fixed:
- [dnsprovider] Azure: Added missing environment variable in the comments
- [dnsprovider] PowerDNS: Fix zone URL, add leading slash.
- [dnsprovider] DNSimple: Fix api
- [cli] Correct help text for
--dns-resolvers
default. - [cli] renew/revoke - don't panic on wrong account.
- [lib] Fix zone detection for cross-zone cnames.
- [lib] Use proxies from environment when making outbound http connections.
Changed:
- [lib] Users of an effective top-level domain can use the DNS challenge.
- [dnsprovider] Azure: Refactor to work with new Azure SDK version.
- [dnsprovider] Cloudflare and Azure: Adding output of which envvars are missing.
- [dnsprovider] Dyn DNS: Slightly improve provider error reporting.
- [dnsprovider] Exoscale: update to latest egoscale version.
- [dnsprovider] Route53: Use NewSessionWithOptions instead of deprecated New.
[0.4.1] - 2017-09-26
Added:
- lib: A new DNS provider for OTC.
- lib: The
AWS_HOSTED_ZONE_ID
environment variable for the Route53 DNS provider to directly specify the zone. - lib: The
RFC2136_TIMEOUT
enviroment variable to make the timeout for the RFC2136 provider configurable. - lib: The
GCE_SERVICE_ACCOUNT_FILE
environment variable to specify a service account file for the Google Cloud DNS provider.
Fixed:
- lib: Fixed an authentication issue with the latest Azure SDK.
[0.4.0] - 2017-07-13
Added:
- CLI: The
--http-timeout
switch. This allows for an override of the default client HTTP timeout. - lib: The
HTTPClient
field. This allows for an override of the default HTTP timeout for library HTTP requests. - CLI: The
--dns-timeout
switch. This allows for an override of the default DNS timeout for library DNS requests. - lib: The
DNSTimeout
switch. This allows for an override of the default client DNS timeout. - lib: The
QueryRegistration
function onacme.Client
. This performs a POST on the client registration's URI and gets the updated registration info. - lib: The
DeleteRegistration
function onacme.Client
. This deletes the registration as currently configured in the client. - lib: The
ObtainCertificateForCSR
function onacme.Client
. The function allows to request a certificate for an already existing CSR. - CLI: The
--csr
switch. Allows to use already existing CSRs for certificate requests on the command line. - CLI: The
--pem
flag. This will change the certificate output so it outputs a .pem file concatanating the .key and .crt files together. - CLI: The
--dns-resolvers
flag. Allows for users to override the default DNS servers used for recursive lookup. - lib: Added a memcached provider for the HTTP challenge.
- CLI: The
--memcached-host
flag. This allows to use memcached for challenge storage. - CLI: The
--must-staple
flag. This enables OCSP must staple in the generated CSR. - lib: The library will now honor entries in your resolv.conf.
- lib: Added a field
IssuerCertificate
to theCertificateResource
struct. - lib: A new DNS provider for OVH.
- lib: A new DNS provider for DNSMadeEasy.
- lib: A new DNS provider for Linode.
- lib: A new DNS provider for AuroraDNS.
- lib: A new DNS provider for NS1.
- lib: A new DNS provider for Azure DNS.
- lib: A new DNS provider for Rackspace DNS.
- lib: A new DNS provider for Exoscale DNS.
- lib: A new DNS provider for DNSPod.
Changed:
- lib: Exported the
PreCheckDNS
field so library users can manage the DNS check in tests. - lib: The library will now skip challenge solving if a valid Authz already exists.
Removed:
- lib: The library will no longer check for auto renewed certificates. This has been removed from the spec and is not supported in Boulder.
Fixed:
- lib: Fix a problem with the Route53 provider where it was possible the verification was published to a private zone.
- lib: Loading an account from file should fail if a integral part is nil
- lib: Fix a potential issue where the Dyn provider could resolve to an incorrect zone.
- lib: If a registration encounteres a conflict, the old registration is now recovered.
- CLI: The account.json file no longer has the executable flag set.
- lib: Made the client registration more robust in case of a 403 HTTP response.
- lib: Fixed an issue with zone lookups when they have a CNAME in another zone.
- lib: Fixed the lookup for the authoritative zone for Google Cloud.
- lib: Fixed a race condition in the nonce store.
- lib: The Google Cloud provider now removes old entries before trying to add new ones.
- lib: Fixed a condition where we could stall due to an early error condition.
- lib: Fixed an issue where Authz object could end up in an active state after an error condition.
0.3.1 - 2016-04-19
Added:
- lib: A new DNS provider for Vultr.
Fixed:
- lib: DNS Provider for DigitalOcean could not handle subdomains properly.
- lib: handleHTTPError should only try to JSON decode error messages with the right content type.
- lib: The propagation checker for the DNS challenge would not retry on send errors.
0.3.0 - 2016-03-19
Added:
- CLI: The
--dns
switch. To include the DNS challenge for consideration. When using this switch, all other solvers are disabled. Supported are the following solvers: cloudflare, digitalocean, dnsimple, dyn, gandi, googlecloud, namecheap, route53, rfc2136 and manual. - CLI: The
--accept-tos
switch. Indicates your acceptance of the Let's Encrypt terms of service without prompting you. - CLI: The
--webroot
switch. The HTTP-01 challenge may now be completed by dropping a file into a webroot. When using this switch, all other solvers are disabled. - CLI: The
--key-type
switch. This replaces the--rsa-key-size
switch and supports the following key types: EC256, EC384, RSA2048, RSA4096 and RSA8192. - CLI: The
--dnshelp
switch. This displays a more in-depth help topic for DNS solvers. - CLI: The
--no-bundle
sub switch for therun
andrenew
commands. When this switch is set, the CLI will not bundle the issuer certificate with your certificate. - lib: A new type for challenge identifiers
Challenge
- lib: A new interface for custom challenge providers
acme.ChallengeProvider
- lib: A new interface for DNS-01 providers to allow for custom timeouts for the validation function
acme.ChallengeProviderTimeout
- lib: SetChallengeProvider function. Pass a challenge identifier and a Provider to replace the default behaviour of a challenge.
- lib: The DNS-01 challenge has been implemented with modular solvers using the
ChallengeProvider
interface. Included solvers are: cloudflare, digitalocean, dnsimple, gandi, namecheap, route53, rfc2136 and manual. - lib: The
acme.KeyType
type was added and is used for the configuration of crypto parameters for RSA and EC keys. Valid KeyTypes are: EC256, EC384, RSA2048, RSA4096 and RSA8192.
Changed
- lib: ExcludeChallenges now expects to be passed an array of
Challenge
types. - lib: HTTP-01 now supports custom solvers using the
ChallengeProvider
interface. - lib: TLS-SNI-01 now supports custom solvers using the
ChallengeProvider
interface. - lib: The
GetPrivateKey
function in theacme.User
interface is now expected to return acrypto.PrivateKey
instead of anrsa.PrivateKey
for EC compat. - lib: The
acme.NewClient
function now expects anacme.KeyType
instead of the keyBits parameter.
Removed
- CLI: The
rsa-key-size
switch was removed in favor ofkey-type
to support EC keys.
Fixed
- lib: Fixed a race condition in HTTP-01
- lib: Fixed an issue where status codes on ACME challenge responses could lead to no action being taken.
- lib: Fixed a regression when calling the Renew function with a SAN certificate.
0.2.0 - 2016-01-09
Added:
- CLI: The
--exclude
or-x
switch. To exclude a challenge from being solved. - CLI: The
--http
switch. To set the listen address and port of HTTP based challenges. Supportshost:port
and:port
for any interface. - CLI: The
--tls
switch. To set the listen address and port of TLS based challenges. Supportshost:port
and:port
for any interface. - CLI: The
--reuse-key
switch for therenew
operation. This lets you reuse an existing private key for renewals. - lib: ExcludeChallenges function. Pass an array of challenge identifiers to exclude them from solving.
- lib: SetHTTPAddress function. Pass a port to set the listen port for HTTP based challenges.
- lib: SetTLSAddress function. Pass a port to set the listen port of TLS based challenges.
- lib: acme.UserAgent variable. Use this to customize the user agent on all requests sent by lego.
Changed:
- lib: NewClient does no longer accept the optPort parameter
- lib: ObtainCertificate now returns a SAN certificate if you pass more then one domain.
- lib: GetOCSPForCert now returns the parsed OCSP response instead of just the status.
- lib: ObtainCertificate has a new parameter
privKey crypto.PrivateKey
which lets you reuse an existing private key for new certificates. - lib: RenewCertificate now expects the PrivateKey property of the CertificateResource to be set only if you want to reuse the key.
Removed:
- CLI: The
--port
switch was removed. - lib: RenewCertificate does no longer offer to also revoke your old certificate.
Fixed:
- CLI: Fix logic using the
--days
parameter for renew
0.1.1 - 2015-12-18
Added:
- CLI: Added a way to automate renewal through a cronjob using the --days parameter to renew
Changed:
- lib: Improved log output on challenge failures.
Fixed:
- CLI: The short parameter for domains would not get accepted
- CLI: The cli did not return proper exit codes on error library errors.
- lib: RenewCertificate did not properly renew SAN certificates.
Security
- lib: Fix possible DOS on GetOCSPForCert
0.1.0 - 2015-12-03
- Initial release