Releases: caddyserver/certmagic

v0.25.0

04 Sep 14:42
5a448ab

Adds support for disabling distributed solving, but still allows distributed solving of the http-01 challenge as long as the right ACME account is used.

What's Changed

  • Implement precise lock lease renewal for storage backends that support lease renewal. by @zoltan-frm in #347

Full Changelog: v0.24.0...v0.25.0

v0.24.0

22 Aug 15:41
621b7e9

What's Changed

  • Bump golang.org/x/net from 0.37.0 to 0.38.0 by @dependabot[bot] in #342
  • refactor: replace the file storage logger with the default logger by @jinrenjie in #311
  • acmeissuer: LE now supports IP certs by @mohammed90 in #345
  • Move cfg nil check from RenewManagedCertificates to getConfig by @joga84 in #348

Full Changelog: v0.23.0...v0.24.0

v0.22.1

24 Mar 22:18
be2003b

Minor patch to better support IDNs.

Full Changelog: v0.22.0...v0.22.1

v0.22.0

06 Mar 16:18
54e6486

Added support for ACME profiles (still an experimental draft) and fixed some bugs. 💯

Full Changelog: v0.21.6...v0.22.0

v0.21.6

08 Jan 15:35
4d5c08f

Minor patch for ARI handshake maintenance.

Full Changelog: v0.21.5...v0.21.6

v0.21.5

30 Dec 17:51
2cfc589

Primarily bug fixes and minor enhancements.

What's Changed

  • Repair broken link for dotGo presentation. by @icpd in #312
  • ZeroSSLIssuer: Make PollInterval configurable by @aplr in #316
  • Remove obsolete constants by @ankon in #317
  • Add a fast path for the DefaultCertificateSelector by @ankon in #318
  • Quiet OCSP warnings if the cert has a short lifetime by @francislavoie in #320
  • Bump golang.org/x/crypto from 0.27.0 to 0.31.0 by @dependabot in #322

Full Changelog: v0.21.4...v0.21.5

v0.21.4

02 Oct 21:40
c783cbd

We've made several improvements across the board, notably:

  • Storage is temporarily a required field, until we implement a ZeroSSL issuer that doesn't require storage. I'm hoping this will be optional again before v1.0.
  • New exported function GetRenewalInfo(), useful for issuers that support ARI.
  • Better logging related to account loading and creation, and CSR generation; useful for troubleshooting.
  • ACME account registration is now synced across a cluster.
  • ARI fetching is now synced across a cluster.
  • Normalization fix for IDNs.
  • Writes to the filesystem (default) storage now use temporary files, which provides greater concurrency safety. This should reduce the very rare and sporadic corruption of certificate or metadata (JSON) files that has been observed and reported.
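
The temporary-file write pattern mentioned in the last item, sketched as an added example (this is not CertMagic's own code; `atomicWriteFile` and the sample file name are hypothetical). The data goes to a temp file in the same directory, is flushed, and is then renamed over the target, so a concurrent reader sees either the old file or the new one, never a partial write.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// atomicWriteFile (hypothetical helper) writes data to a temp file next to
// path, syncs it, then renames it into place. The temp file must live in the
// same directory so the rename stays on one filesystem.
func atomicWriteFile(path string, data []byte, perm os.FileMode) (err error) {
	tmp, err := os.CreateTemp(filepath.Dir(path), filepath.Base(path)+".tmp-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer func() {
		if err != nil { // on any failure, leave no partial file behind
			tmp.Close()
			os.Remove(tmpName)
		}
	}()
	if err = tmp.Chmod(perm); err != nil {
		return err
	}
	if _, err = tmp.Write(data); err != nil {
		return err
	}
	if err = tmp.Sync(); err != nil { // flush contents before publishing
		return err
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, path) // replaces the old file in one step
}

func main() {
	dir, err := os.MkdirTemp("", "atomic-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "example.com.json") // constructed sample name
	if err := atomicWriteFile(path, []byte(`{"sans":["example.com"]}`), 0o600); err != nil {
		panic(err)
	}
	got, _ := os.ReadFile(path)
	fmt.Printf("%s\n", got)
}
```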

Thank you to everyone who contributed!

Full Changelog: v0.21.2...v0.21.4

v0.21.2

20 May 19:57
6e96d7c

This is apparently the same as v0.21.1; for some reason I thought there were new commits. Oh well, enjoy!

What's Changed

  • Apply DefaultServerName more broadly during handshake by @mholt in #287
  • downgrade minimum Go version by @mohammed90 in #289

Full Changelog: v0.21.0...v0.21.2

v0.21.0

07 May 16:13
c0c6186

CertMagic v0.21 introduces some big changes:

  • Draft support for draft-03 of ACME Renewal Information (ARI) which assists with deciding when to renew certificates. This augments CertMagic's already-advanced logic using cert lifetime and OCSP/revocation status.
  • New ZeroSSLIssuer uses the ZeroSSL API to get certificates. ZeroSSL also has an ACME endpoint, which can still be accessed using the existing ACMEIssuer, as always. Their proprietary API is paid, but has extra features like IP certificates, better reliability, and support.
  • DNS challenges should be smoother in some cases as we've improved propagation checking.
  • In the odd case your ACME account disappears from the ACME server, CertMagic will automatically retry with a new account. (This happens in some test/dev environments.)
  • ACME accounts are identified only by their public keys, but CertMagic maps accounts by CA+email for practical/storage reasons. So now you can "pin" an account key to use by specifying your email and the account public key in your config, which is useful if you need to absolutely be sure to use a specific account (like if you get rate limit exemptions from a CA).

Please try it out and report any issues!

Thanks to @framer for their contributions to this release!

What's Changed

  • Bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #264
  • Demote "storage cleaning happened too recently" from WARN to INFO by @francislavoie in #270
  • Check DNS propagation at authoritative nameservers only with default resolvers by @pgeh in #274
  • Retry with new account if account disappeared remotely by @mholt in #269
  • Update readme examples to use TLS-ALPN const from ACMEz by @goksan in #277
  • Initial implementation of ZeroSSL API issuer by @mholt in #279
  • Allow deleting directories via FileStorage by @goksan in #282
  • Use the email configuration in the ACME issuer to "pin" an account to a key by @ankon in #283
  • Initial implementation of ARI by @mholt in #286

Full Changelog: v0.20.0...v0.21.0

v0.20.0

06 Dec 20:52
707ebd9

This release vastly improves storage cleaning as well as improving a few smaller things. There is a minor breaking change as we get ever closer to v1.0.

  • ⚠️ The DecisionFunc for On-Demand TLS now takes a context.Context value as its first argument. The context carries the ClientHelloInfo value (keyed by ClientHelloInfoCtxKey) for logging purposes.
  • Storage cleaning is now synchronized across the cluster, including process restarts. The state of cleaning expired certificates and OCSP staples is written to storage, and distributed locking is used to ensure that only 1 instance does it at a time. This greatly reduces costs for expensive storage backends! Cleaning is also done less often when the process is frequently restarted because the state is written to storage, so it is not forgotten after shutting down.
  • .home.arpa is now considered an internal suffix.
  • Backoff timings have been tuned based on real-world experience.

What's Changed

  • README: Add hint about NextProtos for certmagic.TLS by @oliverpool in #251
  • Bump golang.org/x/net from 0.11.0 to 0.17.0 by @dependabot in #253
  • Optionally pass the context argument down to the OnDemand decision func by @ankon in #255
  • Retain the error stack if checkIfCertShouldBeObtained returns an error by @ankon in #256
  • Add OCSP stapling unit tests by @kenjenkins in #259

Full Changelog: v0.19.2...v0.20.0