# Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

## [Unreleased]
### Fixed

- The default hooks were not properly updated during the 0.22.0 release, which caused certificate renewal to fail.
## [0.22.1] - 2023-12-20

### Fixed

- The `Cargo.lock` file is now updated before a new version is released (GitHub bug #103).
## [0.22.0] - 2023-12-20

### Fixed

- ACMEd no longer crashes when the `random_early_renew` parameter is set to zero (GitHub bug #102).
### Changed

- The minimum supported Rust version (MSRV) is now 1.70.
- Manual (and badly designed) threads have been replaced by async.
- A randomized early delay spaces out renewals when dealing with a lot of certificates.
- The template engine TinyTemplate has been replaced by MiniJinja.
- The default period of time between the certificate renewal and its expiration date (`renew_delay`) has been changed from 3 weeks to 30 days.
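The 0.22.0 entries above (the crash when `random_early_renew` is zero, the randomized early delay, and the 30-day `renew_delay`) all concern one scheduling computation. The following is an added illustration and not ACMEd's own code: a hypothetical `renewal_time` helper that subtracts `renew_delay` from the certificate's expiry and then a random amount of at most `random_early_renew`, with the zero-window case guarded so that no empty range is ever sampled. The `XorShift64` generator and all helper names are assumptions made for the example.

```rust
use std::time::Duration;

const DAY: u64 = 86_400;

/// Minimal xorshift64 generator so the example runs with std only
/// (an assumption for this example; a real client would use a proper RNG).
struct XorShift64(u64);

impl XorShift64 {
    fn new(seed: u64) -> Self {
        // xorshift is stuck at zero forever if seeded with zero.
        Self(seed.max(1))
    }

    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }

    /// Sample in 0..bound. Like a typical gen_range, this is a hard error on
    /// an empty range, which is exactly what the caller must never trigger.
    fn below(&mut self, bound: u64) -> u64 {
        assert!(bound > 0, "cannot sample from an empty range");
        self.next_u64() % bound // modulo bias is irrelevant for scheduling
    }
}

/// When to attempt renewal, as seconds since the epoch (hypothetical helper).
///
/// `not_after` is the certificate's expiry. Renewal is scheduled `renew_delay`
/// before it, moved earlier by a random amount in 0..=random_early_renew so
/// that many certificates issued together do not all renew at the same second.
fn renewal_time(
    not_after: u64,
    renew_delay: Duration,
    random_early_renew: Duration,
    rng: &mut XorShift64,
) -> u64 {
    let base = not_after.saturating_sub(renew_delay.as_secs());
    let window = random_early_renew.as_secs();
    // The guard: with a zero window there is nothing to sample. Calling
    // below(0) here (an empty range) is the class of crash fixed in 0.22.0.
    let jitter = if window == 0 { 0 } else { rng.below(window + 1) };
    base.saturating_sub(jitter)
}

/// True once the current time has reached the scheduled renewal time.
fn is_due(now: u64, scheduled: u64) -> bool {
    now >= scheduled
}

fn main() {
    let mut rng = XorShift64::new(0x5eed);
    // Constructed sample: a 90-day certificate issued at t = 0.
    let not_after = 90 * DAY;
    let renew_delay = Duration::from_secs(30 * DAY);

    let no_jitter = renewal_time(not_after, renew_delay, Duration::ZERO, &mut rng);
    println!("renew_delay=30d, random_early_renew=0: day {}", no_jitter / DAY);

    let jittered = renewal_time(not_after, renew_delay, Duration::from_secs(DAY), &mut rng);
    println!("renew_delay=30d, random_early_renew=1d: second {jittered} (between day 59 and 60)");
    println!("due at day 60? {}", is_due(60 * DAY, jittered));
}
```

The jitter is computed once when the certificate is scheduled, not on every poll; resampling at each check would make the renewal moment drift and defeat the purpose of spacing renewals apart.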
## [0.21.0] - 2022-12-19

### Fixed

- The JWK representation of ECDSA keys now has its coordinates padded to the curve's full byte length, as RFC 7518 requires.
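An added illustration of the rule behind this fix (example code, not ACMEd's own implementation): RFC 7518 §6.2.1 requires the `x` and `y` members of an EC JWK to be the coordinate as a fixed-width big-endian integer of the curve's byte length (32 for P-256, 48 for P-384, 66 for P-521), base64url-encoded without `=` padding. Bignum APIs usually strip leading zero bytes, so a coordinate whose top byte is 0x00 comes back one byte short; encoding it unpadded produces a wrong JWK for roughly one key in 256 on P-256 (and about half of all P-521 keys, whose top byte carries a single bit), and the RFC 7638 thumbprint that ACME uses in key authorizations is then wrong as well, so challenges fail. The helper names below are assumptions made for the example.

```rust
/// Byte length of a coordinate for the named curve (hypothetical helper).
fn coordinate_len(curve: &str) -> Option<usize> {
    match curve {
        "P-256" => Some(32),
        "P-384" => Some(48),
        "P-521" => Some(66), // 521 bits rounded up to whole bytes
        _ => None,
    }
}

/// base64url without padding (RFC 4648 §5), as JWK requires.
fn base64url(data: &[u8]) -> String {
    const TABLE: &[u8; 64] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let b0 = chunk[0] as u32;
        let b1 = chunk.get(1).copied().unwrap_or(0) as u32;
        let b2 = chunk.get(2).copied().unwrap_or(0) as u32;
        let n = (b0 << 16) | (b1 << 8) | b2;
        out.push(TABLE[((n >> 18) & 63) as usize] as char);
        out.push(TABLE[((n >> 12) & 63) as usize] as char);
        if chunk.len() > 1 {
            out.push(TABLE[((n >> 6) & 63) as usize] as char);
        }
        if chunk.len() > 2 {
            out.push(TABLE[(n & 63) as usize] as char);
        }
    }
    out
}

/// Left-pad a big-endian integer (as returned by bignum APIs, which strip
/// leading zeros) to exactly `len` bytes. Returns None if it does not fit.
fn pad_coordinate(coord: &[u8], len: usize) -> Option<Vec<u8>> {
    // Strip leading zeros first so an already-padded input is also accepted.
    let first_nonzero = coord.iter().position(|&b| b != 0).unwrap_or(coord.len());
    let stripped = &coord[first_nonzero..];
    if stripped.len() > len {
        return None;
    }
    let mut out = vec![0u8; len - stripped.len()];
    out.extend_from_slice(stripped);
    Some(out)
}

/// Build the JWK `x` and `y` members for an EC public key.
fn ec_jwk_coordinates(curve: &str, x: &[u8], y: &[u8]) -> Option<(String, String)> {
    let len = coordinate_len(curve)?;
    Some((
        base64url(&pad_coordinate(x, len)?),
        base64url(&pad_coordinate(y, len)?),
    ))
}

fn main() {
    // Constructed sample: a P-256 x coordinate whose top byte is zero, so a
    // bignum API hands back only 31 bytes; y is a full 32 bytes.
    let x = [0x01u8; 31];
    let y = [0x7fu8; 32];
    let (jx, jy) = ec_jwk_coordinates("P-256", &x, &y).unwrap();
    println!("unpadded x would be {} chars: {}", base64url(&x).len(), base64url(&x));
    println!("padded   x is       {} chars: {}", jx.len(), jx);
    println!("y is {} chars: {}", jy.len(), jy);
}
```

A quick sanity check for any EC JWK: both `x` and `y` must base64url-decode to exactly the curve's byte length (43 characters for P-256, 64 for P-384, 88 for P-521); a shorter member is the unpadded-coordinate bug.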
### Changed

- The minimum supported Rust version (MSRV) is now 1.60.
## [0.20.0] - 2022-05-08

### Added

- The `--no-pid-file` argument has been added to ACMEd and tacd.

### Fixed

- An invalid reference in the command line arguments has been fixed.
- Some log messages were missing the file path; it has been added.
- The calculation of the certificate's expiration delay no longer breaks compilation on some systems.

## [0.19.0] - 2022-04-17

### Added

- The `acmed@user.service` systemd unit configuration has been added as an alternative to the `acmed.service` unit.

### Changed

- The minimal required Rust version is now 1.54.

## [0.18.0] - 2021-06-13

### Added

- Support for Ed25519 and Ed448 account keys and certificates.
- In addition to `restart`, the Polkit rule also allows the `reload`, `try-restart`, `reload-or-restart` and `try-reload-or-restart` verbs.

## [0.17.0] - 2021-05-04

### Added

- Some default values can now be configured at compile time using environment variables.

### Changed

- The template engine has been changed in favor of TinyTemplate, which has a different syntax than the previous one.
- The default account directory is now `/var/lib/acmed/accounts`.
- The default certificates and private keys directory is now `/var/lib/acmed/certs`.
- The default directory for volatile runtime data is now `/run`.

## [0.16.0] - 2020-11-11

### Added

- The `pkcs9_email_address`, `postal_address` and `postal_code` subject attributes have been added.

### Changed

- The `friendly_name` and `pseudonym` subject attributes have been removed.
- The `street_address` subject attribute has been renamed `street`.

## [0.15.0] - 2020-11-03

### Added

- The names of both the certificate file and the associated private key can now be configured.

### Fixed

- Configuration files cannot be loaded more than once, which prevents infinite recursion.

### Changed

- Certificates are now allowed to share the same name if their respective key types are different.

## [0.14.0] - 2020-10-27

### Added

- Proxy support through the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables.
- A unique name can be specified for each certificate.

### Changed

- The minimal required Rust version is 1.42.0.

## [0.13.0] - 2020-10-10

### Added

- In the configuration, `root_certificates` has been added to the `global` and `endpoint` sections as an array of strings, each being the path to a root certificate file.
- At compilation, it is now possible to statically link OpenSSL using the `openssl_vendored` feature.
- In the Makefile, it is now possible to specify which target triple to build for.

## [0.12.0] - 2020-09-26

### Added

- Some subject attributes can now be specified.
- Support for NIST P-521 certificates and account keys.

### Fixed

- Support for Let's Encrypt's non-standard account creation object.

## [0.11.0] - 2020-09-19

### Added

- The `contacts` account configuration field has been added.
- External account binding.

### Changed

- The `email` account configuration field has been removed. Use the `contacts` field instead.
- Accounts now have their own hooks and environment.
- Accounts are now stored in a single binary file.

### Fixed

- ACMEd can now build on platforms where `time_t` is not defined as an `i64`.
- The Makefile now fully works on FreeBSD.

## [0.10.0] - 2020-08-27

### Added

- The account key type and signature algorithm can now be specified in the configuration using the `key_type` and `signature_algorithm` parameters.
- The delay to renew a certificate before its expiration date can be specified in the configuration using the `renew_delay` parameter, at the certificate, endpoint or global level.
- It is now possible to specify IP identifiers (RFC 8738) using the `ip` parameter instead of the `dns` one.
- The hook templates of type `challenge-*` have a new `identifier_tls_alpn` field which contains, if available, the identifier in a form suitable for the TLS-ALPN challenge.
- Globbing is now supported for configuration file inclusion.
- The CSR's digest algorithm can now be specified using the `csr_digest` parameter.

### Changed

- In the certificate configuration, the `domains` field has been renamed `identifiers`.
- The `algorithm` certificate configuration field has been renamed `key_type`.
- The `algorithm` hook template variable has been renamed `key_type`.
- The `domain` hook template variable has been renamed `identifier`.
- The default hooks have been updated.

### Fixed

- The Makefile now works on FreeBSD. It should also work on other BSDs, although this has not been tested.

## [0.9.0] - 2020-08-01

### Added

- System users and groups can now be specified by name in addition to uid/gid.

### Changed

- The HTTP(S) part is now handled by `attohttpc` instead of `reqwest`.

### Fixed

- In tacd, the `--acme-ext-file` parameter is now in conflict with `acme-ext` instead of itself.

## [0.8.0] - 2020-06-12

### Changed

- The HTTP(S) part is now handled by `reqwest` instead of `http_req`.

### Fixed

- `make install` now works with the busybox toolchain.

## [0.7.0] - 2020-03-12

### Added

- Wildcard certificates are now supported. In the file name, the `*` is replaced by `_`.
- Internationalized domain names are now supported.

### Changed

- The PID file is now always written, whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background.

### Fixed

- In the directory, the `externalAccountRequired` field is now a boolean instead of a string.

## [0.6.1] - 2019-09-13

### Fixed

- A race condition when requesting multiple certificates on the same non-existent account has been fixed.
- The `foregroung` option has been renamed `foreground`.

## [0.6.0] - 2019-06-05

### Added

- Hooks now have the optional `allow_failure` field.
- In hooks, `stdin_str` has been added as a replacement for the previous `stdin` behavior.
- HTTPS request rate limits.

### Changed

- Certificates are renewed in parallel.
- Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
- In hooks, the `stdin` field now refers to the path of the file that should be written to the hook's standard input.
- The logging format has been rewritten.

### Fixed

- The http-01-echo hook now correctly sets the file's access rights.

## [0.5.0] - 2019-05-09

### Added

- ACMEd now displays a warning when the server indicates an error in an order or an authorization.
- A configuration file can now include several other files.
- Hooks have access to environment variables.
- In the configuration, the global section, certificates and domains can define environment variables for the hooks.
- tacd is now able to listen on a unix socket.

## [0.4.0] - 2019-05-08

### Added

- Man pages.
- The project can now be built and installed using `make`.
- The post-operation hooks now have access to the `is_success` template variable.
- Challenge hooks now have the `is_clean_hook` template variable.
- An existing certificate will be renewed if more domains have been added in the configuration.

### Changed

- Unknown configuration fields are no longer tolerated.

### Removed

- In challenge hooks, the `algorithm` template variable has been removed.

### Fixed

- In some cases, ACMEd was unable to parse a certificate's expiration date.

## [0.3.0] - 2019-04-30

### Added

- tacd, the TLS-ALPN-01 validation daemon.
- An account object has been added in the configuration.
- In the configuration, hooks now have a mandatory `type` variable.
- It is now possible to declare hooks to clean up after the challenge validation hooks.
- The CLI `--root-cert` option has been added.
- Failure recovery: HTTPS requests rejected by the server with a recoverable error, like the badNonce error, are now retried several times before being considered a hard failure.
- The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook.

### Changed

- In the configuration, the `email` certificate field has been replaced by the `account` field, which matches an account object.
- The format of the `domain` configuration variable has changed and now includes the challenge type.
- The `token` challenge hook variable has been renamed `file_name`.
- The `challenge_hooks`, `post_operation_hooks`, `file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks` certificate variables have been replaced by `hooks`.
- Many useless debug and trace entries have been removed from the logs.

### Removed

- The DER storage format has been removed.
- The `challenge` certificate variable has been removed.

## [0.2.1] - 2019-03-30

### Changed

- The bug that prevented requesting more than two certificates has been fixed.

## [0.2.0] - 2019-03-27

### Added

- The `kp_reuse` flag allows reusing a key pair instead of creating a new one at each renewal.
- It is now possible to define hook groups that can reference either hooks or other hook groups.
- Hooks can be defined to run before and after a file is created or edited (`file_pre_create_hooks`, `file_post_create_hooks`, `file_pre_edit_hooks` and `file_post_edit_hooks`).
- It is now possible to send logs either to syslog or stderr using the `--to-syslog` and `--to-stderr` arguments.

### Changed

- `post_operation_hook` has been renamed `post_operation_hooks`.
- By default, logs are now sent to syslog instead of stderr.
- The process is now daemonized by default. It is still possible to run it in the foreground using the `--foregroung` flag.