Mirror
/
acmed
mirror of https://github.com/breard-r/acmed.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
551 Commits
12 Branches
27 Tags
2.1 MiB
Branch: main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
acmed/CHANGELOG.md

310 lines
11 KiB
Raw Permalink Normal View History

ACMEd v0.7.0
4 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
5 years ago
ACMEd v0.23.0
3 months ago
Update dependencies
4 months ago
Add the raw_proof variable to the challenge-tls-alpn-01 hook fixes #129
4 months ago
Update dependencies
4 months ago
Update dependencies
3 months ago
Update dependencies
4 months ago
ACMEd v0.22.2
4 months ago
Fix the default hooks
4 months ago
ACMEd v0.22.1
5 months ago
Update the lockfile during release fix #103
5 months ago
ACMEd v0.22.0
5 months ago
Update the MSRV
1 year ago
Update the change log
6 months ago
Update the MSRV
1 year ago
Update the MSRV
6 months ago
Update the change log
1 year ago
Randomized early renew Let's Encrypt suggests in the integration guide, that for spacing out renewals after issueing a lot of new certificates in a batch, you renew a few of them a bit early until it's evened out. This adds a config option that allows to set a timeframe in which early random delays are attempted.
1 year ago
Change the template engine to MiniJinja
11 months ago
Update the change log
5 months ago
Update the MSRV
1 year ago
Update the change log
1 year ago
Update the change log
1 year ago
ACMEd v0.19.0
2 years ago
Fix an invalid reference in the command line arguments
2 years ago
Add the `--no-pid-file` argument Fixes #60
2 years ago
Fix an invalid reference in the command line arguments
2 years ago
Add some missing file path in log messages Rel #24
2 years ago
Stop using `libc::time_t` This type was used for the calculation of the certificate's expiration delay, which causes troubles on some 32 bits systems. Rel #59
2 years ago
Fix an invalid reference in the command line arguments
2 years ago
ACMEd v0.19.0
2 years ago
Update the minimal required Rust version
3 years ago
Add the acmed@user.service systemd unit configuration
2 years ago
Update the minimal required Rust version
3 years ago
Fix the changelog
2 years ago
Update the minimal required Rust version
3 years ago
ACMEd v0.18.0
3 years ago
Add new verbs to the polkit rule
3 years ago
Add support for Ed25519 and Ed448 account keys and certificates Fixes #36
3 years ago
Add new verbs to the polkit rule
3 years ago
ACMEd v0.18.0
3 years ago
Allow the configuration of some default values at compile time using environment variables
3 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
3 years ago
Update the change log
3 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
3 years ago
update LFS compliance volatile runtime data * the former /var/run is depreciated -> using /run * update rust build scripts sources to use the new path * update CHANGELOG to reflect the changes Signed-off-by: Ralf Zerres <ralf.zerres@networkx.de>
3 years ago
Move the account and certificate default directories Those directories were located in /etc/acmed/, which is not the best choice. According to the Filesystem Hierarchy Standard, they should be located in /var/lib/acmed/. Because systems may have different conventions, those values are now configuration at build time. https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
3 years ago
Allow the configuration of some default values at compile time using environment variables
3 years ago
ACMEd v0.16.0
4 years ago
Update the certificate's subject attributes
4 years ago
ACMEd v0.15.0
4 years ago
Update the nom dependency
4 years ago
Add the file_name_format config directive
4 years ago
Include config files only once
4 years ago
Allow certificates to have the same name but different key type
4 years ago
Update the nom dependency
4 years ago
ACMEd v0.14.0
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Allow to specify a unique name for each certificate
4 years ago
Update the attohttpc dependency Finishes the job initiated in #39
4 years ago
Add the `root_certificates` parameter Being able to define root certificates in the command line is not enough for two reasons: 1. It is always global, you cannot define a root certificate for a specific endpoint. 2. Daemon scripts and unit files are not meant to be changed every time you need to add a root certificate. For those reasons, it is now to possible to define root certificates in the configuration. Those defined in the `global` section will be used on every endpoint, just like those added via the command line. Those defined in an endpoint will be used in this endpoint only.
4 years ago
Fix the CHANGELOG
4 years ago
ACMEd v0.12.0
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Add support for NIST P-521 curve and ES512 signatures
4 years ago
Allow to specify subject attributes for certificates
4 years ago
Stop to require the `orders` field on account creation RFC 8555 states that: - when an account is successfully created, the server "returns this account object" (section 7.3); - the `orders` field in account objects is mandatory (section 7.1.2). Despite that, Boulder does not returns the `orders` field when an account is created. This non-standard behavior prevented ACMEd from creating account and testing them for existence. In order to allow ACMEd to retrieve certificates from CAs using Boulder, the `orders` field is no longer mandatory and the account existence is tested when the order is requested. https://github.com/letsencrypt/boulder/issues/3335
4 years ago
Allow to specify subject attributes for certificates
4 years ago
ACMEd v0.11.0
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Add external account binding
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
Update the CHANGELOG
4 years ago
Refactor the account management Until now, the account management was archaic and it was impossible to improve it without this heavy refactoring. Accounts are now disjoint from both certificates and endpoints. They have their own hooks and their own environment variables. They are stored in a binary file instead of the PEM exports of the private and public keys. This refactoring will allow account management to evolve into something more serious, with real key rollover, contact information update and so on.
4 years ago
ACMEd v0.10.0
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Improve the CHANGELOG
4 years ago
Allow to define a custom delay for renewal
4 years ago
Improve the CHANGELOG
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Add Unix style globing for config file inclusion Close #6
4 years ago
Improve the CHANGELOG
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Refactor the certificate key type management The previous system used a duplicated enum (`acmed::certificate::Algorithm`) and an imprecise identifier name (algorithm) for both the certificate configuration and post operation hook variable. The first one has been replaced by the `acme_common::crypto::KeyType` enum and the second renames `key_type`.
4 years ago
Implement IP identifiers RFC 8738: https://tools.ietf.org/html/rfc8738
4 years ago
Allow to specify the account key type and signature alg in the config
4 years ago
Refactor the Makefile The previous version of the Makefile used features which are specific to GNU Make and therefore does not works on BSD systems. This new version, which is much more simpler, works both on GNU Make and BSD Make (tested on FreeBSD 12.1).
4 years ago
ACMEd v0.9.0
4 years ago
Add support for user and groups names
4 years ago
Replace `reqwest` by `attohttpc` `reqwest` is a very good crate, however ACMEd does not require most of its functionalities. For this job, `attohttpc` is also great and comes with much less dependencies. rel #1
4 years ago
Update the change log
4 years ago
Add support for user and groups names
4 years ago
ACMEd v0.8.0
4 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
4 years ago
`Make install` now work with the busybox toolchain.
4 years ago
Refactor the HTTP back-end The previous HTTP back-end was tightly coupled with the threads, which was very inconvenient. It is now completely decoupled so a new threading model may be implemented.
4 years ago
ACMEd v0.7.0
4 years ago
Replace * by _ in file names
4 years ago
Add internationalized domain names support
4 years ago
Replace * by _ in file names
4 years ago
Allow --pid-file to be used with --foreground The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. Fix #7
4 years ago
Fix the type of the externalAccountRequired field
4 years ago
Add internationalized domain names support
4 years ago
ACMEd v0.6.1
5 years ago
Update the change log
5 years ago
Fix the "foregroung" typo I made the typo once and then copy/pasted it everywhere.
5 years ago
Update the change log
5 years ago
ACMEd 0.6.0
5 years ago
Add an option to stop or continue after a failed hook
5 years ago
Allow to give a file path in a hook's stdin There is use-cases where a command's standard input should be filled with a file's content. In order to stay consistent with the names of the other fields, `stdin` is now the field which accepts such a path. `stdin_str` has been created in order to also support the use of a raw string.
5 years ago
Add rate limits for HTTPS requests
5 years ago
Add an option to stop or continue after a failed hook
5 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
5 years ago
Renew certificates in parallel
5 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
5 years ago
Allow to give a file path in a hook's stdin There is use-cases where a command's standard input should be filled with a file's content. In order to stay consistent with the names of the other fields, `stdin` is now the field which accepts such a path. `stdin_str` has been created in order to also support the use of a raw string.
5 years ago
Improve the logging format In order to renew different certificate at the same time, log messages must display which certificate they are referring to.
5 years ago
Clean the hooks right after the current challenge has been validated Cleaning hooks after the certificate has been retrieved is a mistake since a failure somewhere in the process will prevent all called hook to be cleaned. With the current implementation, only the currently failed hook is left without being cleaned.
5 years ago
Fix the http-01-echo default hook
5 years ago
Add an option to stop or continue after a failed hook
5 years ago
ACMEd 0.5.0
5 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
5 years ago
Allow the config file to include other files
5 years ago
Add environment variables to hook templates
5 years ago
Add env variable definition in the global section
5 years ago
Allow tacd to listen on a unix socket
5 years ago
Display a warning when fetching order or an authorization Orders and authorization can both contain an error which can, for example, help an user to fix a broken hook. It is therefore very useful to display it. Plus, when pooling one of those objects, having an error does not mean we should stop pooling since the error may be temporary.
5 years ago
ACMEd 0.4.0
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Update the changelog
5 years ago
Add the is_success variable to post-operation hooks
5 years ago
Add the is_clean_hook variable to challenge hooks
5 years ago
Renew a certificate that does not include all domains At some point, someone may add new domains to an existing certificate. In such case, this certificate should be renewed as soon as possible instead of upon expiration.
5 years ago
Update the changelog
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
Fix the OpenSSL time parsing ACMEd was not able to parse some possible time representation, which could cause a certificate not being renewed at all. This commit support all current known outputs. https://github.com/openssl/openssl/blob/master/crypto/asn1/a_time.c
5 years ago
Add man pages Documentation is a crucial point for every project, and the most effective and traditional way to document a program is to write man page. Here, the mdoc is used because it is simple. Because the documentation is quite different from the project itself, the man pages and others helpful files are distributed under a different license. For this usage, the GNU All-Permissive License is adequate. https://www.gnu.org/prep/maintain/html_node/License-Notices-for-Other-Files.html man 7 groff_mdoc
5 years ago
v0.3.0
5 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
5 years ago
Add tacd to the CHANGELOG
5 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
5 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
5 years ago
Update the CHANGELOG
5 years ago
Retry request rejected with a recoverable error Some errors, like the badNonce one, are recoverable. Hence, the client is expected to retry. ACMEd will now re-send the associated request until it succeed or the max retries number is reached. Each retry is preceded by a small waiting time in order to let the server recover in case it was faulty.
5 years ago
Add tls-alpn-01 challenge support Although the standardization is still a draft, this challenge is already supported by Let's Encrypt. https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/
5 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
5 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Use account objects instead of an email field Defining an account solely by an email address is not the best strategy since the ACME protocol does not require it and also allows for more contacts information. Although this commit does not change the "one email" policy, it sets the bases so it could evolve in the future.
5 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
5 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
5 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
Change the hook and domains definitions The previous system was too limited when it comes to flexibility using hooks. This limitation came from the false idea that, for a given certificate, all challenges must be validated with the same method. In order to prove that false, domains in a certificate can now make use of any challenge type available. In order to be more flexible, hooks are now given a type and are defined in the same registry (instead of 6). Each one will be called when considered relevant based on its type.
5 years ago
Remove the `acme-lib` dependency Although the `acme-lib` crate comes very handy when creating a simple ACME client, a more advanced one may not want to use it. First of all, `acme-lib` does not support all of the ACME specification, some very interesting one are not implemented. Also, it does not store the account public key, which does not allow to revoke certificates. In addition to those two critical points, I would also add `acme-lib` has some troubles with its own dependencies: it uses both `openssl` and `ring`, which is redundant and contribute to inflate the size of the binary. Some of the dependencies also makes an excessive use of logging: even if logging is very useful, in some cases it really is too much and debugging becomes a nightmare. ref #1
5 years ago
v0.2.1
5 years ago
Allow to reuse a key pair instead of creating a new one at each renewal The default behavior of most ACME clients is to generate a new key pair at each renewal. While this choice is respectable and perfectly justified in most configuration, it is also quite incompatible with the use of HTTP Public Key Pinning (HPKP). Although HPKP is not wildly supported and sometimes deprecated, users wishing to use it should not be blocked. https://tools.ietf.org/html/rfc7469 https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
5 years ago
Add hook groups Some configurations may require to run the same bunch of hooks for several domains. In order to limit repetition, it is now possible to create a group that will reference to hooks or hook groups.
5 years ago
Add hooks before and after a file is created or edited It is considered a good practice to archive old certificates and private keys instead of simply dropping them away. Because ACMEd should not impose a way of doing things to system administrators, hooks are the way to go.
5 years ago
Send logs to syslog
5 years ago
Rename post_operation_hook to post_operation_hooks
5 years ago
Send logs to syslog
5 years ago
Daemonize the process
5 years ago
  1. [//]: # (Copyright 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>)
  3. [//]: # (Copying and distribution of this file, with or without modification,)
  4. [//]: # (are permitted in any medium without royalty provided the copyright)
  5. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  6. [//]: # (without any warranty.)
  8. # Changelog
  9. All notable changes to this project will be documented in this file.
  11. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
  12. and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
  15. ## [0.23.0] - 2024-02-10
  17. ### Added
  18. - The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which contains the SHA-256 digest of the key authorization, encoded using Base64 URL scheme without padding.
  20. ### Changed
  21. - The minimum supported Rust version (MSRV) is now 1.74.
  24. ## [0.22.2] - 2024-01-09
  26. ### Fixed
  27. - The default hooks were not properly updated during the 0.22.0 release, which causes the certificate renewal to fail.
  30. ## [0.22.1] - 2023-12-20
  32. ### Fixed
  33. - The `Cargo.lock` file is now updated before a new version is released (GitHub bug #103).
  36. ## [0.22.0] - 2023-12-20
  38. ### Fixed
  39. - ACMEd no longer crashes when the `random_early_renew` parameter is set to zero (GitHub bug #102).
  41. ### Changed
  42. - The minimum supported Rust version (MSRV) is now 1.70.
  43. - Manual (and badly designed) threads have been replaced by async.
  44. - Randomized early delay, for spacing out renewals when dealing with a lot of certificates.
  45. - Replaced the template engine TinyTemplate with MiniJinja.
  46. - The default period of time between the certificate renewal and its expiration date (`renew_delay`) has been changed from 3 weeks to 30 days.
  49. ## [0.21.0] - 2022-12-19
  51. ### Fixed
  52. - The JWK representation of ECDSA keys now have their coordinates padded.
  54. ### Changed
  55. - The minimal required Rust version is now 1.60.
  58. ## [0.20.0] - 2022-05-08
  60. ### Added
  61. - The `--no-pid-file` argument has been added to ACMEd and tacd.
  63. ### Fixed
  64. - An invalid reference in the command line arguments has been fixed.
  65. - Some missing file path in log messages has been added.
  66. - The calculation of the certificate's expiration delay does no longer break compilation on some systems.
  69. ## [0.19.0] - 2022-04-17
  71. ### Added
  72. - The `acmed@user.service` systemd unit configuration has been added as an alternative to the `acmed.service` unit.
  74. ### Changed
  75. - The minimal required Rust version is now 1.54.
  77. ## [0.18.0] - 2021-06-13
  79. ### Added
  80. - Add support for Ed25519 and Ed448 account keys and certificates.
  81. - In addition to `restart`, the Polkit rule also allows the `reload`, `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs.
  84. ## [0.17.0] - 2021-05-04
  86. ### Added
  87. - Allow the configuration of some default values at compile time using environment variables.
  89. ### Changed
  90. - The template engine has been changed in favor of TinyTemplate, which has a different syntax than the previous one.
  91. - The default account directory now is `/var/lib/acmed/accounts`.
  92. - The default certificates and private keys directory now is `/var/lib/acmed/certs`.
  93. - The default for volatile runtime data now is `/run`.
  96. ## [0.16.0] - 2020-11-11
  98. ### Added
  99. - The `pkcs9_email_address`, `postal_address` and `postal_code` subject attributes has been added.
  101. ### Changed
  102. - The `friendly_name` and `pseudonym` subject attributes has been removed.
  103. - The `street_address` subject attribute has been renamed `street`.
  106. ## [0.15.0] - 2020-11-03
  108. ### Added
  109. - The names of both the certificate file and the associated private key can now be configured.
  111. ### Fixed
  112. - Configuration files cannot be loaded more than one time, which prevents infinite recursion.
  114. ### Changed
  115. - Certificates are now allowed to share the same name if their respective key type is different.
  118. ## [0.14.0] - 2020-10-27
  120. ### Added
  121. - Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables.
  122. - Allow to specify a unique name for each certificate.
  124. ### Changed
  125. - The minimal required Rust version is 1.42.0.
  128. ## [0.13.0] - 2020-10-10
  130. ### Added
  131. - In the configuration, `root_certificates` has been added to the `global` and `endpoint` sections as an array of strings representing the path to root certificate files.
  132. - At compilation, it is now possible to statically link OpenSSL using the `openssl_vendored` feature.
  133. - In the Makefile, it is now possible to specify which target triple to build for.
  136. ## [0.12.0] - 2020-09-26
  138. ### Added
  139. - Some subject attributes can now be specified.
  140. - Support for NIST P-521 certificates and account keys.
  142. ### Fixed
  143. - Support for Let's Encrypt non-standard account creation object.
  146. ## [0.11.0] - 2020-09-19
  148. ### Added
  149. - The `contacts` account configuration field has been added.
  150. - External account binding.
  152. ### Changed
  153. - The `email` account configuration field has been removed. In replacement, use the `contacts` field.
  154. - Accounts now have their own hooks and environment.
  155. - Accounts are now stored in a single binary file.
  157. ### Fixed
  158. - ACMEd can now build on platforms with a `time_t` not defined as an `i64`.
  159. - The Makefile is now fully works on FreeBSD.
  162. ## [0.10.0] - 2020-08-27
  164. ### Added
  165. - The account key type and signature algorithm can now be specified in the configuration using the `key_type` and `signature_algorithm` parameters.
  166. - The delay to renew a certificate before its expiration date can be specified in the configuration using the `renew_delay` parameter at either the certificate, endpoint and global level.
  167. - It is now possible to specify IP identifiers (RFC 8738) using the `ip` parameter instead of the `dns` one.
  168. - The hook templates of type `challenge-*` have a new `identifier_tls_alpn` field which contains, if available, the identifier in a form that is suitable to the TLS ALPN challenge.
  169. - Globing is now supported for configuration files inclusion.
  170. - The CSR's digest algorithm can now be specified using the `csr_digest` parameter.
  172. ### Changed
  173. - In the certificate configuration, the `domains` field has been renamed `identifiers`.
  174. - The `algorithm` certificate configuration field has been renamed `key_type`.
  175. - The `algorithm` hook template variable has been renamed `key_type`.
  176. - The `domain` hook template variable has been renamed `identifier`.
  177. - The default hooks have been updated.
  179. ### Fixed
  180. - The Makefile now works on FreeBSD. It should also work on other BSD although it has not been tested.
  183. ## [0.9.0] - 2020-08-01
  185. ### Added
  186. - System users and groups can now be specified by name in addition to uid/gid.
  188. ### Changed
  189. - The HTTP(S) part is now handled by `attohttpc` instead of `reqwest`.
  191. ### Fixed
  192. - In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext` instead of itself.
  195. ## [0.8.0] - 2020-06-12
  197. ### Changed
  198. - The HTTP(S) part is now handled by `reqwest` instead of `http_req`.
  200. ## Fixed
  201. - `make install` now work with the busybox toolchain.
  204. ## [0.7.0] - 2020-03-12
  206. ### Added
  207. - Wildcard certificates are now supported. In the file name, the `*` is replaced by `_`.
  208. - Internationalized domain names are now supported.
  210. ### Changed
  211. - The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background.
  213. ### Fixed
  214. - In the directory, the `externalAccountRequired` field is now a boolean instead of a string.
  217. ## [0.6.1] - 2019-09-13
  219. ### Fixed
  220. - A race condition when requesting multiple certificates on the same non-existent account has been fixed.
  221. - The `foregroung` option has been renamed `foreground`.
  224. ## [0.6.0] - 2019-06-05
  226. ### Added
  227. - Hooks now have the optional `allow_failure` field.
  228. - In hooks, the `stdin_str` has been added in replacement of the previous `stdin` behavior.
  229. - HTTPS request rate limits.
  231. ### Changed
  232. - Certificates are renewed in parallel.
  233. - Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
  234. - In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input.
  235. - The logging format has been re-written.
  237. ### Fixed
  238. - The http-01-echo hook now correctly sets the file's access rights
  241. ## [0.5.0] - 2019-05-09
  243. ### Added
  244. - ACMEd now displays a warning when the server indicates an error in an order or an authorization.
  245. - A configuration file can now include several other files.
  246. - Hooks have access to environment variables.
  247. - In the configuration, the global section, certificates and domains can define environment variables for the hooks.
  248. - tacd is now able to listen on a unix socket.
  251. ## [0.4.0] - 2019-05-08
  253. ### Added
  254. - Man pages.
  255. - The project can now be built and installed using `make`.
  256. - The post-operation hooks now have access to the `is_success` template variable.
  257. - Challenge hooks now have the `is_clean_hook` template variable.
  258. - An existing certificate will be renewed if more domains have been added in the configuration.
  260. ### Changed
  261. - Unknown configuration fields are no longer tolerated.
  263. ### Removed
  264. - In challenge hooks, the `algorithm` template variable has been removed.
  266. ### Fixed
  267. - In some cases, ACMEd was unable to parse a certificate's expiration date.
  270. ## [0.3.0] - 2019-04-30
  272. ### Added
  273. - tacd, the TLS-ALPN-01 validation daemon.
  274. - An account object has been added in the configuration.
  275. - In the configuration, hooks now have a mandatory `type` variable.
  276. - It is now possible to declare hooks to clean after the challenge validation hooks.
  277. - The CLI `--root-cert` option has been added.
  278. - Failure recovery: HTTPS requests rejected by the server that are recoverable, like the badNonce error, are now retried several times before being considered a hard failure.
  279. - The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook.
  281. ### Changed
  282. - In the configuration, the `email` certificate field has been replaced by the `account` field which matches an account object.
  283. - The format of the `domain` configuration variable has changed and now includes the challenge type.
  284. - The `token` challenge hook variable has been renamed `file_name`.
  285. - The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables has been replaced by `hooks`.
  286. - The logs has been purged from many useless debug and trace entries.
  288. ### Removed
  289. - The DER storage format has been removed.
  290. - The `challenge` certificate variables has been removed.
  293. ## [0.2.1] - 2019-03-30
  295. ### Changed
  296. - The bug that prevented from requesting more than two certificates has been fixed.
  299. ## [0.2.0] - 2019-03-27
  301. ### Added
  302. - The `kp_reuse` flag allow to reuse a key pair instead of creating a new one at each renewal.
  303. - It is now possible to define hook groups that can reference either hooks or other hook groups.
  304. - Hooks can be defined when before and after a file is created or edited (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`).
  305. - It is now possible to send logs either to syslog or stderr using the `--to-syslog` and `--to-stderr` arguments.
  307. ### Changed
  308. - `post_operation_hook` has been renamed `post_operation_hooks`.
  309. - By default, logs are now sent to syslog instead of stderr.
  310. - The process is now daemonized by default. It is possible to still run it in the foreground using the `--foregroung` flag.