diff --git a/CHANGELOG.md b/CHANGELOG.md index fb6377b..64b6937 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,7 +17,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed -- Instead of loading a default configuration file, ACMEd now loads all the files from a default configuration directory (by default, `/etc/acmed/conf-enabled`). +- Instead of loading a default configuration file, ACMEd now loads all the + files from a default configuration directory (by default, + `/etc/acmed/conf-enabled`). ### Removed @@ -40,7 +42,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which contains the SHA-256 digest of the key authorization, encoded using Base64 URL scheme without padding. +- The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which + contains the SHA-256 digest of the key authorization, encoded using Base64 + URL scheme without padding. ### Changed 
@@ -51,29 +55,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed -- The default hooks were not properly updated during the 0.22.0 release, which causes the certificate renewal to fail. +- The default hooks were not properly updated during the 0.22.0 release, which + causes the certificate renewal to fail. ## [0.22.1] - 2023-12-20 ### Fixed -- The `Cargo.lock` file is now updated before a new version is released (GitHub bug #103). +- The `Cargo.lock` file is now updated before a new version is released (GitHub + bug #103). ## [0.22.0] - 2023-12-20 ### Fixed -- ACMEd no longer crashes when the `random_early_renew` parameter is set to zero (GitHub bug #102). +- ACMEd no longer crashes when the `random_early_renew` parameter is set to + zero (GitHub bug #102). ### Changed - The minimum supported Rust version (MSRV) is now 1.70. - Manual (and badly designed) threads have been replaced by async. -- Randomized early delay, for spacing out renewals when dealing with a lot of certificates. +- Randomized early delay, for spacing out renewals when dealing with a lot of + certificates. - Replaced the template engine TinyTemplate with MiniJinja. -- The default period of time between the certificate renewal and its expiration date (`renew_delay`) has been changed from 3 weeks to 30 days. +- The default period of time between the certificate renewal and its expiration + date (`renew_delay`) has been changed from 3 weeks to 30 days. ## [0.21.0] - 2022-12-19 
@@ -97,14 +106,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - An invalid reference in the command line arguments has been fixed. - Some missing file path in log messages has been added. -- The calculation of the certificate's expiration delay does no longer break compilation on some systems. +- The calculation of the certificate's expiration delay does no longer break + compilation on some systems. ## [0.19.0] - 2022-04-17 ### Added -- The `acmed@user.service` systemd unit configuration has been added as an alternative to the `acmed.service` unit. +- The `acmed@user.service` systemd unit configuration has been added as an + alternative to the `acmed.service` unit. ### Changed @@ -115,20 +126,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Add support for Ed25519 and Ed448 account keys and certificates. -- In addition to `restart`, the Polkit rule also allows the `reload`, `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs. +- In addition to `restart`, the Polkit rule also allows the `reload`, + `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs. ## [0.17.0] - 2021-05-04 ### Added -- Allow the configuration of some default values at compile time using environment variables. +- Allow the configuration of some default values at compile time using + environment variables. ### Changed -- The template engine has been changed in favor of TinyTemplate, which has a different syntax than the previous one. +- The template engine has been changed in favor of TinyTemplate, which has a + different syntax than the previous one. - The default account directory now is `/var/lib/acmed/accounts`. -- The default certificates and private keys directory now is `/var/lib/acmed/certs`. +- The default certificates and private keys directory now is + `/var/lib/acmed/certs`. - The default for volatile runtime data now is `/run`. 
@@ -136,7 +151,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- The `pkcs9_email_address`, `postal_address` and `postal_code` subject attributes has been added. +- The `pkcs9_email_address`, `postal_address` and `postal_code` subject + attributes has been added. ### Changed @@ -148,22 +164,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- The names of both the certificate file and the associated private key can now be configured. +- The names of both the certificate file and the associated private key can now + be configured. ### Fixed -- Configuration files cannot be loaded more than one time, which prevents infinite recursion. +- Configuration files cannot be loaded more than one time, which prevents + infinite recursion. ### Changed -- Certificates are now allowed to share the same name if their respective key type is different. +- Certificates are now allowed to share the same name if their respective key + type is different. ## [0.14.0] - 2020-10-27 ### Added -- Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables. +- Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` + environment variables. - Allow to specify a unique name for each certificate. ### Changed 
@@ -175,9 +195,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- In the configuration, `root_certificates` has been added to the `global` and `endpoint` sections as an array of strings representing the path to root certificate files. -- At compilation, it is now possible to statically link OpenSSL using the `openssl_vendored` feature. -- In the Makefile, it is now possible to specify which target triple to build for. +- In the configuration, `root_certificates` has been added to the `global` and + `endpoint` sections as an array of strings representing the path to root + certificate files. +- At compilation, it is now possible to statically link OpenSSL using the + `openssl_vendored` feature. +- In the Makefile, it is now possible to specify which target triple to build + for. ## [0.12.0] - 2020-09-26 @@ -201,7 +225,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed -- The `email` account configuration field has been removed. In replacement, use the `contacts` field. +- The `email` account configuration field has been removed. In replacement, use + the `contacts` field. - Accounts now have their own hooks and environment. - Accounts are now stored in a single binary file. 
@@ -215,16 +240,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- The account key type and signature algorithm can now be specified in the configuration using the `key_type` and `signature_algorithm` parameters. -- The delay to renew a certificate before its expiration date can be specified in the configuration using the `renew_delay` parameter at either the certificate, endpoint and global level. -- It is now possible to specify IP identifiers (RFC 8738) using the `ip` parameter instead of the `dns` one. -- The hook templates of type `challenge-*` have a new `identifier_tls_alpn` field which contains, if available, the identifier in a form that is suitable to the TLS ALPN challenge. +- The account key type and signature algorithm can now be specified in the + configuration using the `key_type` and `signature_algorithm` parameters. +- The delay to renew a certificate before its expiration date can be specified + in the configuration using the `renew_delay` parameter at either the + certificate, endpoint and global level. +- It is now possible to specify IP identifiers (RFC 8738) using the `ip` + parameter instead of the `dns` one. +- The hook templates of type `challenge-*` have a new `identifier_tls_alpn` + field which contains, if available, the identifier in a form that is suitable + to the TLS ALPN challenge. - Globing is now supported for configuration files inclusion. -- The CSR's digest algorithm can now be specified using the `csr_digest` parameter. +- The CSR's digest algorithm can now be specified using the `csr_digest` + parameter. ### Changed -- In the certificate configuration, the `domains` field has been renamed `identifiers`. +- In the certificate configuration, the `domains` field has been renamed + `identifiers`. - The `algorithm` certificate configuration field has been renamed `key_type`. - The `algorithm` hook template variable has been renamed `key_type`. 
- The `domain` hook template variable has been renamed `identifier`. @@ -232,7 +265,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed -- The Makefile now works on FreeBSD. It should also work on other BSD although it has not been tested. +- The Makefile now works on FreeBSD. It should also work on other BSD although + it has not been tested. ## [0.9.0] - 2020-08-01 @@ -247,7 +281,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed -- In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext` instead of itself. +- In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext` + instead of itself. ## [0.8.0] - 2020-06-12 @@ -265,23 +300,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- Wildcard certificates are now supported. In the file name, the `*` is replaced by `_`. +- Wildcard certificates are now supported. In the file name, the `*` is + replaced by `_`. - Internationalized domain names are now supported. ### Changed -- The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background. +- The PID file is now always written whether or not ACMEd is running in the + foreground. Previously, it was written only when running in the background. ### Fixed -- In the directory, the `externalAccountRequired` field is now a boolean instead of a string. +- In the directory, the `externalAccountRequired` field is now a boolean + instead of a string. ## [0.6.1] - 2019-09-13 ### Fixed -- A race condition when requesting multiple certificates on the same non-existent account has been fixed. +- A race condition when requesting multiple certificates on the same + non-existent account has been fixed. - The `foregroung` option has been renamed `foreground`. 
@@ -290,14 +329,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Hooks now have the optional `allow_failure` field. -- In hooks, the `stdin_str` has been added in replacement of the previous `stdin` behavior. +- In hooks, the `stdin_str` has been added in replacement of the previous + `stdin` behavior. - HTTPS request rate limits. ### Changed - Certificates are renewed in parallel. -- Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval. -- In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input. +- Hooks are now cleaned right after the current challenge has been validated + instead of after the certificate's retrieval. +- In hooks, the `stdin` field now refers to the path of the file that should be + written into the hook's standard input. - The logging format has been re-written. ### Fixed @@ -309,10 +351,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added -- ACMEd now displays a warning when the server indicates an error in an order or an authorization. +- ACMEd now displays a warning when the server indicates an error in an order + or an authorization. - A configuration file can now include several other files. - Hooks have access to environment variables. -- In the configuration, the global section, certificates and domains can define environment variables for the hooks. +- In the configuration, the global section, certificates and domains can define + environment variables for the hooks. - tacd is now able to listen on a unix socket. 
@@ -322,9 +366,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Man pages. - The project can now be built and installed using `make`. -- The post-operation hooks now have access to the `is_success` template variable. +- The post-operation hooks now have access to the `is_success` template + variable. - Challenge hooks now have the `is_clean_hook` template variable. -- An existing certificate will be renewed if more domains have been added in the configuration. +- An existing certificate will be renewed if more domains have been added in + the configuration. ### Changed 
@@ -346,17 +392,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - tacd, the TLS-ALPN-01 validation daemon. - An account object has been added in the configuration. - In the configuration, hooks now have a mandatory `type` variable. -- It is now possible to declare hooks to clean after the challenge validation hooks. +- It is now possible to declare hooks to clean after the challenge validation + hooks. - The CLI `--root-cert` option has been added. -- Failure recovery: HTTPS requests rejected by the server that are recoverable, like the badNonce error, are now retried several times before being considered a hard failure. -- The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook. +- Failure recovery: HTTPS requests rejected by the server that are recoverable, + like the badNonce error, are now retried several times before being + considered a hard failure. +- The TLS-ALPN-01 challenge is now supported. The proof is a string + representation of the acmeIdentifier extension. The self-signed certificate + itself has to be built by a hook. ### Changed -- In the configuration, the `email` certificate field has been replaced by the `account` field which matches an account object. -- The format of the `domain` configuration variable has changed and now includes the challenge type. +- In the configuration, the `email` certificate field has been replaced by the + `account` field which matches an account object. +- The format of the `domain` configuration variable has changed and now + includes the challenge type. - The `token` challenge hook variable has been renamed `file_name`. -- The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables has been replaced by `hooks`. 
+- The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, + `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` + certificate variables has been replaced by `hooks`. - The logs has been purged from many useless debug and trace entries. ### Removed @@ -369,20 +424,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed -- The bug that prevented from requesting more than two certificates has been fixed. +- The bug that prevented from requesting more than two certificates has been + fixed. ## [0.2.0] - 2019-03-27 ### Added -- The `kp_reuse` flag allow to reuse a key pair instead of creating a new one at each renewal. -- It is now possible to define hook groups that can reference either hooks or other hook groups. -- Hooks can be defined when before and after a file is created or edited (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`). -- It is now possible to send logs either to syslog or stderr using the `--to-syslog` and `--to-stderr` arguments. +- The `kp_reuse` flag allow to reuse a key pair instead of creating a new one + at each renewal. +- It is now possible to define hook groups that can reference either hooks or + other hook groups. +- Hooks can be defined when before and after a file is created or edited + (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and + `file_post_edit_hooks`). +- It is now possible to send logs either to syslog or stderr using the + `--to-syslog` and `--to-stderr` arguments. ### Changed - `post_operation_hook` has been renamed `post_operation_hooks`. - By default, logs are now sent to syslog instead of stderr. -- The process is now daemonized by default. It is possible to still run it in the foreground using the `--foregroung` flag. +- The process is now daemonized by default. It is possible to still run it in + the foreground using the `--foregroung` flag.
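Review bot: In the `@@ -40,7 +42,9 @@` hunk, "encoded using Base64 URL scheme without padding" is too loose for a value that a `challenge-tls-alpn-01` hook has to consume exactly. Since the entry is being rewrapped anyway, name the encoding precisely, for example "base64url (RFC 4648, section 5) without padding", so a hook author knows `raw_proof` uses the `-` and `_` alphabet and carries no trailing `=`.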
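Review bot: In the `@@ -51,29 +55,34 @@` hunk, the rewrapped Fixed entry mixes tenses: "were not properly updated during the 0.22.0 release, which causes the certificate renewal to fail". The failure belongs to the earlier release, so "which caused certificate renewal to fail" reads correctly. In the same hunk, "Randomized early delay, for spacing out renewals when dealing with a lot of certificates." is a fragment sitting under Changed; a full sentence saying what changed would match the neighbouring entries.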
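Review bot: In the `@@ -97,14 +106,16 @@` hunk, the rewrapped line keeps "does no longer break compilation on some systems"; "no longer breaks compilation on some systems" is the correct form. The context line just above it, "Some missing file path in log messages has been added", has the same kind of agreement problem ("paths ... have been added") and could be fixed in this pass.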
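Review bot: In the `@@ -136,7 +151,8 @@` hunk, the subject-verb disagreement is carried over unchanged: "The `pkcs9_email_address`, `postal_address` and `postal_code` subject attributes has been added" should read "have been added".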
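Review bot: In the `@@ -215,16 +240,24 @@` hunk, the `renew_delay` entry says "at either the certificate, endpoint and global level", which pairs "either" with three items joined by "and". Suggest "at the certificate, endpoint or global level", which also makes it clearer that the parameter is set at one level at a time. The unchanged context line "Globing is now supported for configuration files inclusion" has a typo ("Globbing") worth fixing while this block is open.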
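Review bot: In the `@@ -346,17 +392,26 @@` hunk, the long rewrapped entry listing `challenge_hooks` through `file_post_edit_hooks` still ends with "certificate variables has been replaced by `hooks`", and the context line after it reads "The logs has been purged". Both need "have". This entry documents a breaking configuration change, so it is worth getting the sentence right while its lines are being touched.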
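Review bot: In the `@@ -369,20 +424,27 @@` hunk, two rewrapped entries keep their grammar errors: "The `kp_reuse` flag allow to reuse a key pair" (suggest "allows reusing a key pair") and "Hooks can be defined when before and after a file is created or edited" (drop "when"). The `--foregroung` spelling in the last entry matches what the 0.6.1 entry records as later renamed to `foreground`, so it should stay as written; a short parenthetical pointing to that rename would keep readers from treating it as a typo in the changelog.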