You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

241 lines
9.1 KiB

5 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
5 years ago
5 years ago
6 years ago
6 years ago
6 years ago
6 years ago
6 years ago
  1. [//]: # (Copyright 2019-2020 Rodolphe Bréard <rodolphe@breard.tf>)
  2. [//]: # (Copying and distribution of this file, with or without modification,)
  3. [//]: # (are permitted in any medium without royalty provided the copyright)
  4. [//]: # (notice and this notice are preserved. This file is offered as-is,)
  5. [//]: # (without any warranty.)
  6. # Changelog
  7. All notable changes to this project will be documented in this file.
  8. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
  9. and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
  10. ## [Unreleased]
  11. ### Added
  12. - Allow the configuration of some default values at compile time using environment variables.
  13. ### Changed
  14. - The template engine has been changed in favor of TinyTemplate, which has a different syntax than the previous one.
  15. - The default account directory now is `/var/lib/acmed/accounts`.
  16. - The default certificates and private keys directory now is `/var/lib/acmed/certs`.
  17. - The default for volatile runtime data now is `/run`.
  18. ## [0.16.0] - 2020-11-11
  19. ### Added
  20. - The `pkcs9_email_address`, `postal_address` and `postal_code` subject attributes has been added.
  21. ### Changed
  22. - The `friendly_name` and `pseudonym` subject attributes has been removed.
  23. - The `street_address` subject attribute has been renamed `street`.
  24. ## [0.15.0] - 2020-11-03
  25. ### Added
  26. - The names of both the certificate file and the associated private key can now be configured.
  27. ### Fixed
  28. - Configuration files cannot be loaded more than one time, which prevents infinite recursion.
  29. ### Changed
  30. - Certificates are now allowed to share the same name if their respective key type is different.
  31. ## [0.14.0] - 2020-10-27
  32. ### Added
  33. - Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables.
  34. - Allow to specify a unique name for each certificate.
  35. ### Changed
  36. - The minimal required Rust version is 1.42.0.
  37. ## [0.13.0] - 2020-10-10
  38. ### Added
  39. - In the configuration, `root_certificates` has been added to the `global` and `endpoint` sections as an array of strings representing the path to root certificate files.
  40. - At compilation, it is now possible to statically link OpenSSL using the `openssl_vendored` feature.
  41. - In the Makefile, it is now possible to specify which target triple to build for.
  42. ## [0.12.0] - 2020-09-26
  43. ### Added
  44. - Some subject attributes can now be specified.
  45. - Support for NIST P-521 certificates and account keys.
  46. ### Fixed
  47. - Support for Let's Encrypt non-standard account creation object.
  48. ## [0.11.0] - 2020-09-19
  49. ### Added
  50. - The `contacts` account configuration field has been added.
  51. - External account binding.
  52. ### Changed
  53. - The `email` account configuration field has been removed. In replacement, use the `contacts` field.
  54. - Accounts now have their own hooks and environment.
  55. - Accounts are now stored in a single binary file.
  56. ### Fixed
  57. - ACMEd can now build on platforms with a `time_t` not defined as an `i64`.
  58. - The Makefile is now fully works on FreeBSD.
  59. ## [0.10.0] - 2020-08-27
  60. ### Added
  61. - The account key type and signature algorithm can now be specified in the configuration using the `key_type` and `signature_algorithm` parameters.
  62. - The delay to renew a certificate before its expiration date can be specified in the configuration using the `renew_delay` parameter at either the certificate, endpoint and global level.
  63. - It is now possible to specify IP identifiers (RFC 8738) using the `ip` parameter instead of the `dns` one.
  64. - The hook templates of type `challenge-*` have a new `identifier_tls_alpn` field which contains, if available, the identifier in a form that is suitable to the TLS ALPN challenge.
  65. - Globing is now supported for configuration files inclusion.
  66. - The CSR's digest algorithm can now be specified using the `csr_digest` parameter.
  67. ### Changed
  68. - In the certificate configuration, the `domains` field has been renamed `identifiers`.
  69. - The `algorithm` certificate configuration field has been renamed `key_type`.
  70. - The `algorithm` hook template variable has been renamed `key_type`.
  71. - The `domain` hook template variable has been renamed `identifier`.
  72. - The default hooks have been updated.
  73. ### Fixed
  74. - The Makefile now works on FreeBSD. It should also work on other BSD although it has not been tested.
  75. ## [0.9.0] - 2020-08-01
  76. ### Added
  77. - System users and groups can now be specified by name in addition to uid/gid.
  78. ### Changed
  79. - The HTTP(S) part is now handled by `attohttpc` instead of `reqwest`.
  80. ### Fixed
  81. - In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext` instead of itself.
  82. ## [0.8.0] - 2020-06-12
  83. ### Changed
  84. - The HTTP(S) part is now handled by `reqwest` instead of `http_req`.
  85. ## Fixed
  86. - `make install` now work with the busybox toolchain.
  87. ## [0.7.0] - 2020-03-12
  88. ### Added
  89. - Wildcard certificates are now supported. In the file name, the `*` is replaced by `_`.
  90. - Internationalized domain names are now supported.
  91. ### Changed
  92. - The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background.
  93. ### Fixed
  94. - In the directory, the `externalAccountRequired` field is now a boolean instead of a string.
  95. ## [0.6.1] - 2019-09-13
  96. ### Fixed
  97. - A race condition when requesting multiple certificates on the same non-existent account has been fixed.
  98. - The `foregroung` option has been renamed `foreground`.
  99. ## [0.6.0] - 2019-06-05
  100. ### Added
  101. - Hooks now have the optional `allow_failure` field.
  102. - In hooks, the `stdin_str` has been added in replacement of the previous `stdin` behavior.
  103. - HTTPS request rate limits.
  104. ### Changed
  105. - Certificates are renewed in parallel.
  106. - Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
  107. - In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input.
  108. - The logging format has been re-written.
  109. ### Fixed
  110. - The http-01-echo hook now correctly sets the file's access rights
  111. ## [0.5.0] - 2019-05-09
  112. ### Added
  113. - ACMEd now displays a warning when the server indicates an error in an order or an authorization.
  114. - A configuration file can now include several other files.
  115. - Hooks have access to environment variables.
  116. - In the configuration, the global section, certificates and domains can define environment variables for the hooks.
  117. - tacd is now able to listen on a unix socket.
  118. ## [0.4.0] - 2019-05-08
  119. ### Added
  120. - Man pages.
  121. - The project can now be built and installed using `make`.
  122. - The post-operation hooks now have access to the `is_success` template variable.
  123. - Challenge hooks now have the `is_clean_hook` template variable.
  124. - An existing certificate will be renewed if more domains have been added in the configuration.
  125. ### Changed
  126. - Unknown configuration fields are no longer tolerated.
  127. ### Removed
  128. - In challenge hooks, the `algorithm` template variable has been removed.
  129. ### Fixed
  130. - In some cases, ACMEd was unable to parse a certificate's expiration date.
  131. ## [0.3.0] - 2019-04-30
  132. ### Added
  133. - tacd, the TLS-ALPN-01 validation daemon.
  134. - An account object has been added in the configuration.
  135. - In the configuration, hooks now have a mandatory `type` variable.
  136. - It is now possible to declare hooks to clean after the challenge validation hooks.
  137. - The CLI `--root-cert` option has been added.
  138. - Failure recovery: HTTPS requests rejected by the server that are recoverable, like the badNonce error, are now retried several times before being considered a hard failure.
  139. - The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook.
  140. ### Changed
  141. - In the configuration, the `email` certificate field has been replaced by the `account` field which matches an account object.
  142. - The format of the `domain` configuration variable has changed and now includes the challenge type.
  143. - The `token` challenge hook variable has been renamed `file_name`.
  144. - The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables has been replaced by `hooks`.
  145. - The logs has been purged from many useless debug and trace entries.
  146. ### Removed
  147. - The DER storage format has been removed.
  148. - The `challenge` certificate variables has been removed.
  149. ## [0.2.1] - 2019-03-30
  150. ### Changed
  151. - The bug that prevented from requesting more than two certificates has been fixed.
  152. ## [0.2.0] - 2019-03-27
  153. ### Added
  154. - The `kp_reuse` flag allow to reuse a key pair instead of creating a new one at each renewal.
  155. - It is now possible to define hook groups that can reference either hooks or other hook groups.
  156. - Hooks can be defined when before and after a file is created or edited (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`).
  157. - It is now possible to send logs either to syslog or stderr using the `--to-syslog` and `--to-stderr` arguments.
  158. ### Changed
  159. - `post_operation_hook` has been renamed `post_operation_hooks`.
  160. - By default, logs are now sent to syslog instead of stderr.
  161. - The process is now daemonized by default. It is possible to still run it in the foreground using the `--foregroung` flag.