@ -17,7 +17,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed
- Instead of loading a default configuration file, ACMEd now loads all the files from a default configuration directory (by default, `/etc/acmed/conf-enabled`).
- Instead of loading a default configuration file, ACMEd now loads all the
files from a default configuration directory (by default,
`/etc/acmed/conf-enabled`).
### Removed
@ -40,7 +42,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which contains the SHA-256 digest of the key authorization, encoded using Base64 URL scheme without padding.
- The `challenge-tls-alpn-01` hook now exposes the `raw_proof` variable, which
contains the SHA-256 digest of the key authorization, encoded using Base64
URL scheme without padding.
### Changed
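Review bot: "encoded using Base64 URL scheme without padding" in the re-wrapped `raw_proof` entry is imprecise; since this line is being touched anyway, name the encoding as "base64url without padding (RFC 4648, section 5)", which is the exact form the TLS-ALPN-01 key authorization digest uses, and keep the wrapped continuation line indented like the other list continuations in this file.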
@ -51,29 +55,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
- The default hooks were not properly updated during the 0.22.0 release, which causes the certificate renewal to fail.
- The default hooks were not properly updated during the 0.22.0 release, which
causes the certificate renewal to fail.
## [0.22.1] - 2023-12-20
### Fixed
- The `Cargo.lock` file is now updated before a new version is released (GitHub bug #103).
- The `Cargo.lock` file is now updated before a new version is released (GitHub
bug #103).
## [0.22.0] - 2023-12-20
### Fixed
- ACMEd no longer crashes when the `random_early_renew` parameter is set to zero (GitHub bug #102).
- ACMEd no longer crashes when the `random_early_renew` parameter is set to
zero (GitHub bug #102).
### Changed
- The minimum supported Rust version (MSRV) is now 1.70.
- Manual (and badly designed) threads have been replaced by async.
- Randomized early delay, for spacing out renewals when dealing with a lot of certificates.
- Randomized early delay, for spacing out renewals when dealing with a lot of
certificates.
- Replaced the template engine TinyTemplate with MiniJinja.
- The default period of time between the certificate renewal and its expiration date (`renew_delay`) has been changed from 3 weeks to 30 days.
- The default period of time between the certificate renewal and its expiration
date (`renew_delay`) has been changed from 3 weeks to 30 days.
## [0.21.0] - 2022-12-19
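Review bot: the tense in the re-wrapped 0.22.2 "Fixed" entry is off: "The default hooks were not properly updated during the 0.22.0 release, which causes the certificate renewal to fail." describes a bug that no longer exists, so "which caused the certificate renewal to fail" reads correctly. The "Randomized early delay, for spacing out renewals ..." entry is a sentence fragment next to full sentences; "A randomized early delay has been added to space out renewals when dealing with a lot of certificates." would match the rest of the "Changed" list. Both lines are already modified by this hunk, so fixing the wording here costs nothing.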
@ -97,14 +106,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- An invalid reference in the command line arguments has been fixed.
- Some missing file path in log messages has been added.
- The calculation of the certificate's expiration delay does no longer break compilation on some systems.
- The calculation of the certificate's expiration delay does no longer break
compilation on some systems.
## [0.19.0] - 2022-04-17
### Added
- The `acmed@user.service` systemd unit configuration has been added as an alternative to the `acmed.service` unit.
- The `acmed@user.service` systemd unit configuration has been added as an
alternative to the `acmed.service` unit.
### Changed
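Review bot: "does no longer break compilation" is ungrammatical; while this line is being re-wrapped, change it to "no longer breaks compilation on some systems". The untouched neighbour "Some missing file path in log messages has been added." has the same number-agreement problem ("Some missing file paths in log messages have been added.") and could be fixed in the same pass.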
@ -115,20 +126,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- Add support for Ed25519 and Ed448 account keys and certificates.
- In addition to `restart`, the Polkit rule also allows the `reload`, `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs.
- In addition to `restart`, the Polkit rule also allows the `reload`,
`try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs.
## [0.17.0] - 2021-05-04
### Added
- Allow the configuration of some default values at compile time using environment variables.
- Allow the configuration of some default values at compile time using
environment variables.
### Changed
- The template engine has been changed in favor of TinyTemplate, which has a different syntax than the previous one.
- The template engine has been changed in favor of TinyTemplate, which has a
different syntax than the previous one.
- The default account directory now is `/var/lib/acmed/accounts`.
- The default certificates and private keys directory now is `/var/lib/acmed/certs`.
- The default certificates and private keys directory now is
`/var/lib/acmed/certs`.
- The default for volatile runtime data now is `/run`.
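Review bot: "now is" in the re-wrapped "The default certificates and private keys directory now is `/var/lib/acmed/certs`." reads better as "is now"; the two unchanged neighbours (`/var/lib/acmed/accounts` and `/run`) use the same word order, so either fix all three together in this hunk or leave all three alone rather than changing only the wrapped one.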
@ -136,7 +151,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- The `pkcs9_email_address`, `postal_address` and `postal_code` subject attributes has been added.
- The `pkcs9_email_address`, `postal_address` and `postal_code` subject
attributes has been added.
### Changed
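Review bot: number agreement in the re-wrapped line: "The `pkcs9_email_address`, `postal_address` and `postal_code` subject attributes has been added." should be "have been added", since the subject is plural.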
@ -148,22 +164,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- The names of both the certificate file and the associated private key can now be configured.
- The names of both the certificate file and the associated private key can now
be configured.
### Fixed
- Configuration files cannot be loaded more than one time, which prevents infinite recursion.
- Configuration files cannot be loaded more than one time, which prevents
infinite recursion.
### Changed
- Certificates are now allowed to share the same name if their respective key type is different.
- Certificates are now allowed to share the same name if their respective key
type is different.
## [0.14.0] - 2020-10-27
### Added
- Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables.
- Add proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`
environment variables.
- Allow to specify a unique name for each certificate.
### Changed
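Review bot: "Configuration files cannot be loaded more than one time, which prevents infinite recursion." is clearer as "more than once"; since the line is re-wrapped here, this is the moment to change it. The wrapped "Fixed" entry also reads like a new restriction rather than a bug fix; "A configuration file is now loaded at most once, which prevents infinite recursion when files include each other." says what was actually fixed.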
@ -175,9 +195,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- In the configuration, `root_certificates` has been added to the `global` and `endpoint` sections as an array of strings representing the path to root certificate files.
- At compilation, it is now possible to statically link OpenSSL using the `openssl_vendored` feature.
- In the Makefile, it is now possible to specify which target triple to build for.
- In the configuration, `root_certificates` has been added to the `global` and
`endpoint` sections as an array of strings representing the path to root
certificate files.
- At compilation, it is now possible to statically link OpenSSL using the
`openssl_vendored` feature.
- In the Makefile, it is now possible to specify which target triple to build
for.
## [0.12.0] - 2020-09-26
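Review bot: the re-wrap leaves a two-letter orphan on its own continuation line ("- In the Makefile, it is now possible to specify which target triple to build" / "for."); breaking before "build" instead keeps the line under the limit and avoids the dangling "for.". In the same hunk, "an array of strings representing the path to root certificate files" should be "the paths", one per file.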
@ -201,7 +225,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed
- The `email` account configuration field has been removed. In replacement, use the `contacts` field.
- The `email` account configuration field has been removed. In replacement, use
the `contacts` field.
- Accounts now have their own hooks and environment.
- Accounts are now stored in a single binary file.
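Review bot: "In replacement, use the `contacts` field." is awkward; "Use the `contacts` field instead." is the idiomatic form and still fits on the re-wrapped second line.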
@ -215,16 +240,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- The account key type and signature algorithm can now be specified in the configuration using the `key_type` and `signature_algorithm` parameters.
- The delay to renew a certificate before its expiration date can be specified in the configuration using the `renew_delay` parameter at either the certificate, endpoint and global level.
- It is now possible to specify IP identifiers (RFC 8738) using the `ip` parameter instead of the `dns` one.
- The hook templates of type `challenge-*` have a new `identifier_tls_alpn` field which contains, if available, the identifier in a form that is suitable to the TLS ALPN challenge.
- The account key type and signature algorithm can now be specified in the
configuration using the `key_type` and `signature_algorithm` parameters.
- The delay to renew a certificate before its expiration date can be specified
in the configuration using the `renew_delay` parameter at either the
certificate, endpoint and global level.
- It is now possible to specify IP identifiers (RFC 8738) using the `ip`
parameter instead of the `dns` one.
- The hook templates of type `challenge-*` have a new `identifier_tls_alpn`
field which contains, if available, the identifier in a form that is suitable
to the TLS ALPN challenge.
- Globing is now supported for configuration files inclusion.
- The CSR's digest algorithm can now be specified using the `csr_digest` parameter.
- The CSR's digest algorithm can now be specified using the `csr_digest`
parameter.
### Changed
- In the certificate configuration, the `domains` field has been renamed `identifiers`.
- In the certificate configuration, the `domains` field has been renamed
`identifiers`.
- The `algorithm` certificate configuration field has been renamed `key_type`.
- The `algorithm` hook template variable has been renamed `key_type`.
- The `domain` hook template variable has been renamed `identifier`.
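Review bot: "at either the certificate, endpoint and global level" mixes "either" with "and"; with three options it should be "at the certificate, endpoint or global level". Two smaller points in the same hunk: "in a form that is suitable to the TLS ALPN challenge" should be "suitable for", and the untouched neighbour "Globing is now supported" misspells "Globbing".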
@ -232,7 +265,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
- The Makefile now works on FreeBSD. It should also work on other BSD although it has not been tested.
- The Makefile now works on FreeBSD. It should also work on other BSD although
it has not been tested.
## [0.9.0] - 2020-08-01
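Review bot: "It should also work on other BSD although it has not been tested." needs a plural and a comma: "on other BSDs, although it has not been tested." The line is already rewritten by this hunk, so the fix fits here.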
@ -247,7 +281,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
- In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext` instead of itself.
- In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext`
instead of itself.
## [0.8.0] - 2020-06-12
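Review bot: option names are inconsistent in the re-wrapped tacd entry: "`--acme-ext-file` parameter is now in conflict with `acme-ext`" gives the first flag its `--` prefix but not the second; write "`--acme-ext`" so both read as the CLI arguments they are.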
@ -265,23 +300,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- Wildcard certificates are now supported. In the file name, the `*` is replaced by `_`.
- Wildcard certificates are now supported. In the file name, the `*` is
replaced by `_`.
- Internationalized domain names are now supported.
### Changed
- The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background.
- The PID file is now always written whether or not ACMEd is running in the
foreground. Previously, it was written only when running in the background.
### Fixed
- In the directory, the `externalAccountRequired` field is now a boolean instead of a string.
- In the directory, the `externalAccountRequired` field is now a boolean
instead of a string.
## [0.6.1] - 2019-09-13
### Fixed
- A race condition when requesting multiple certificates on the same non-existent account has been fixed.
- A race condition when requesting multiple certificates on the same
non-existent account has been fixed.
- The `foregroung` option has been renamed `foreground`.
@ -290,14 +329,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- Hooks now have the optional `allow_failure` field.
- In hooks, the `stdin_str` has been added in replacement of the previous `stdin` behavior.
- In hooks, the `stdin_str` has been added in replacement of the previous
`stdin` behavior.
- HTTPS request rate limits.
### Changed
- Certificates are renewed in parallel.
- Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
- In hooks, the `stdin` field now refers to the path of the file that should be written into the hook's standard input.
- Hooks are now cleaned right after the current challenge has been validated
instead of after the certificate's retrieval.
- In hooks, the `stdin` field now refers to the path of the file that should be
written into the hook's standard input.
- The logging format has been re-written.
### Fixed
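Review bot: "the `stdin_str` has been added in replacement of the previous `stdin` behavior" would be clearer as "the `stdin_str` field replaces the previous `stdin` behavior"; it also makes the relation to the "Changed" entry two lines below ("the `stdin` field now refers to the path of the file ...") explicit, since that entry describes where the old behaviour went.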
@ -309,10 +351,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added
- ACMEd now displays a warning when the server indicates an error in an order or an authorization.
- ACMEd now displays a warning when the server indicates an error in an order
or an authorization.
- A configuration file can now include several other files.
- Hooks have access to environment variables.
- In the configuration, the global section, certificates and domains can define environment variables for the hooks.
- In the configuration, the global section, certificates and domains can define
environment variables for the hooks.
- tacd is now able to listen on a unix socket.
@ -322,9 +366,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Man pages.
- The project can now be built and installed using `make`.
- The post-operation hooks now have access to the `is_success` template variable.
- The post-operation hooks now have access to the `is_success` template
variable.
- Challenge hooks now have the `is_clean_hook` template variable.
- An existing certificate will be renewed if more domains have been added in the configuration.
- An existing certificate will be renewed if more domains have been added in
the configuration.
### Changed
@ -346,17 +392,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- tacd, the TLS-ALPN-01 validation daemon.
- An account object has been added in the configuration.
- In the configuration, hooks now have a mandatory `type` variable.
- It is now possible to declare hooks to clean after the challenge validation hooks.
- It is now possible to declare hooks to clean after the challenge validation
hooks.
- The CLI `--root-cert` option has been added.
- Failure recovery: HTTPS requests rejected by the server that are recoverable, like the badNonce error, are now retried several times before being considered a hard failure.
- The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook.
- Failure recovery: HTTPS requests rejected by the server that are recoverable,
like the badNonce error, are now retried several times before being
considered a hard failure.
- The TLS-ALPN-01 challenge is now supported. The proof is a string
representation of the acmeIdentifier extension. The self-signed certificate
itself has to be built by a hook.
### Changed
- In the configuration, the `email` certificate field has been replaced by the `account` field which matches an account object.
- The format of the `domain` configuration variable has changed and now includes the challenge type.
- In the configuration, the `email` certificate field has been replaced by the
`account` field which matches an account object.
- The format of the `domain` configuration variable has changed and now
includes the challenge type.
- The `token` challenge hook variable has been renamed `file_name`.
- The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables has been replaced by `hooks`.
- The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`,
`file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`
certificate variables has been replaced by `hooks`.
- The logs has been purged from many useless debug and trace entries.
### Removed
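Review bot: number agreement in the re-wrapped line: "`file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables has been replaced by `hooks`." should be "have been replaced". The unchanged neighbour "The logs has been purged from many useless debug and trace entries." has the same problem ("The logs have been purged ...") and could be fixed in this hunk while the block is being touched.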
@ -369,20 +424,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Fixed
- The bug that prevented from requesting more than two certificates has been fixed.
- The bug that prevented from requesting more than two certificates has been
fixed.
## [0.2.0] - 2019-03-27
### Added
- The `kp_reuse` flag allow to reuse a key pair instead of creating a new one at each renewal.
- It is now possible to define hook groups that can reference either hooks or other hook groups.
- Hooks can be defined when before and after a file is created or edited (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`).
- It is now possible to send logs either to syslog or stderr using the `--to-syslog` and `--to-stderr` arguments.
- The `kp_reuse` flag allow to reuse a key pair instead of creating a new one
at each renewal.
- It is now possible to define hook groups that can reference either hooks or
other hook groups.
- Hooks can be defined when before and after a file is created or edited
(`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and
`file_post_edit_hooks`).
- It is now possible to send logs either to syslog or stderr using the
`--to-syslog` and `--to-stderr` arguments.
### Changed
- `post_operation_hook` has been renamed `post_operation_hooks`.
- By default, logs are now sent to syslog instead of stderr.
- The process is now daemonized by default. It is possible to still run it in the foreground using the `--foregroung` flag.
- The process is now daemonized by default. It is possible to still run it in
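Review bot: two grammar slips in the re-wrapped 0.2.0 "Added" entries: "The `kp_reuse` flag allow to reuse a key pair" should be "allows reusing a key pair", and "Hooks can be defined when before and after a file is created or edited" has a stray "when" ("Hooks can be defined to run before and after a file is created or edited"). Leave the `--foregroung` spelling in the "Changed" entry as is, since it records the flag's historical name that the 0.6.1 entry says was later renamed.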