All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- tacd does no longer supports OpenSSL 1.0.
- The
challenge-tls-alpn-01
hook now exposes theraw_proof
variable, which contains the SHA-256 digest of the key authorization, encoded using Base64 URL scheme without padding.
- The minimum supported Rust version (MSRV) is now 1.74.
- The default hooks were not properly updated during the 0.22.0 release, which causes the certificate renewal to fail.
- The
Cargo.lock
file is now updated before a new version is released (GitHub bug #103).
- ACMEd no longer crashes when the
random_early_renew
parameter is set to zero (GitHub bug #102).
- The minimum supported Rust version (MSRV) is now 1.70.
- Manual (and badly designed) threads have been replaced by async.
- Randomized early delay, for spacing out renewals when dealing with a lot of certificates.
- Replaced the template engine TinyTemplate with MiniJinja.
- The default period of time between the certificate renewal and its expiration date (
renew_delay
) has been changed from 3 weeks to 30 days.
- The JWK representation of ECDSA keys now have their coordinates padded.
- The minimal required Rust version is now 1.60.
- The
--no-pid-file
argument has been added to ACMEd and tacd.
- An invalid reference in the command line arguments has been fixed.
- Some missing file path in log messages has been added.
- The calculation of the certificate's expiration delay does no longer break compilation on some systems.
- The
[email protected]
systemd unit configuration has been added as an alternative to theacmed.service
unit.
- The minimal required Rust version is now 1.54.
- Add support for Ed25519 and Ed448 account keys and certificates.
- In addition to
restart
, the Polkit rule also allows thereload
,try-restart
,reload-or-restart
andtry-reload-or-restart
verbs.
- Allow the configuration of some default values at compile time using environment variables.
- The template engine has been changed in favor of TinyTemplate, which has a different syntax than the previous one.
- The default account directory now is
/var/lib/acmed/accounts
. - The default certificates and private keys directory now is
/var/lib/acmed/certs
. - The default for volatile runtime data now is
/run
.
- The
pkcs9_email_address
,postal_address
andpostal_code
subject attributes has been added.
- The
friendly_name
andpseudonym
subject attributes has been removed. - The
street_address
subject attribute has been renamedstreet
.
- The names of both the certificate file and the associated private key can now be configured.
- Configuration files cannot be loaded more than one time, which prevents infinite recursion.
- Certificates are now allowed to share the same name if their respective key type is different.
- Add proxy support through the
HTTP_PROXY
,HTTPS_PROXY
andNO_PROXY
environment variables. - Allow to specify a unique name for each certificate.
- The minimal required Rust version is 1.42.0.
- In the configuration,
root_certificates
has been added to theglobal
andendpoint
sections as an array of strings representing the path to root certificate files. - At compilation, it is now possible to statically link OpenSSL using the
openssl_vendored
feature. - In the Makefile, it is now possible to specify which target triple to build for.
- Some subject attributes can now be specified.
- Support for NIST P-521 certificates and account keys.
- Support for Let's Encrypt non-standard account creation object.
- The
contacts
account configuration field has been added. - External account binding.
- The
email
account configuration field has been removed. In replacement, use thecontacts
field. - Accounts now have their own hooks and environment.
- Accounts are now stored in a single binary file.
- ACMEd can now build on platforms with a
time_t
not defined as ani64
. - The Makefile is now fully works on FreeBSD.
- The account key type and signature algorithm can now be specified in the configuration using the
key_type
andsignature_algorithm
parameters. - The delay to renew a certificate before its expiration date can be specified in the configuration using the
renew_delay
parameter at either the certificate, endpoint and global level. - It is now possible to specify IP identifiers (RFC 8738) using the
ip
parameter instead of thedns
one. - The hook templates of type
challenge-*
have a newidentifier_tls_alpn
field which contains, if available, the identifier in a form that is suitable to the TLS ALPN challenge. - Globing is now supported for configuration files inclusion.
- The CSR's digest algorithm can now be specified using the
csr_digest
parameter.
- In the certificate configuration, the
domains
field has been renamedidentifiers
. - The
algorithm
certificate configuration field has been renamedkey_type
. - The
algorithm
hook template variable has been renamedkey_type
. - The
domain
hook template variable has been renamedidentifier
. - The default hooks have been updated.
- The Makefile now works on FreeBSD. It should also work on other BSD although it has not been tested.
- System users and groups can now be specified by name in addition to uid/gid.
- The HTTP(S) part is now handled by
attohttpc
instead ofreqwest
.
- In tacd, the
--acme-ext-file
parameter is now in conflict withacme-ext
instead of itself.
- The HTTP(S) part is now handled by
reqwest
instead ofhttp_req
.
make install
now work with the busybox toolchain.
- Wildcard certificates are now supported. In the file name, the
*
is replaced by_
. - Internationalized domain names are now supported.
- The PID file is now always written whether or not ACMEd is running in the foreground. Previously, it was written only when running in the background.
- In the directory, the
externalAccountRequired
field is now a boolean instead of a string.
- A race condition when requesting multiple certificates on the same non-existent account has been fixed.
- The
foregroung
option has been renamedforeground
.
- Hooks now have the optional
allow_failure
field. - In hooks, the
stdin_str
has been added in replacement of the previousstdin
behavior. - HTTPS request rate limits.
- Certificates are renewed in parallel.
- Hooks are now cleaned right after the current challenge has been validated instead of after the certificate's retrieval.
- In hooks, the
stdin
field now refers to the path of the file that should be written into the hook's standard input. - The logging format has been re-written.
- The http-01-echo hook now correctly sets the file's access rights
- ACMEd now displays a warning when the server indicates an error in an order or an authorization.
- A configuration file can now include several other files.
- Hooks have access to environment variables.
- In the configuration, the global section, certificates and domains can define environment variables for the hooks.
- tacd is now able to listen on a unix socket.
- Man pages.
- The project can now be built and installed using
make
. - The post-operation hooks now have access to the
is_success
template variable. - Challenge hooks now have the
is_clean_hook
template variable. - An existing certificate will be renewed if more domains have been added in the configuration.
- Unknown configuration fields are no longer tolerated.
- In challenge hooks, the
algorithm
template variable has been removed.
- In some cases, ACMEd was unable to parse a certificate's expiration date.
- tacd, the TLS-ALPN-01 validation daemon.
- An account object has been added in the configuration.
- In the configuration, hooks now have a mandatory
type
variable. - It is now possible to declare hooks to clean after the challenge validation hooks.
- The CLI
--root-cert
option has been added. - Failure recovery: HTTPS requests rejected by the server that are recoverable, like the badNonce error, are now retried several times before being considered a hard failure.
- The TLS-ALPN-01 challenge is now supported. The proof is a string representation of the acmeIdentifier extension. The self-signed certificate itself has to be built by a hook.
- In the configuration, the
email
certificate field has been replaced by theaccount
field which matches an account object. - The format of the
domain
configuration variable has changed and now includes the challenge type. - The
token
challenge hook variable has been renamedfile_name
. - The
challenge_hooks
,post_operation_hooks
,file_pre_create_hooks
,file_post_create_hooks
,file_pre_edit_hooks
andfile_post_edit_hooks
certificate variables has been replaced byhooks
. - The logs has been purged from many useless debug and trace entries.
- The DER storage format has been removed.
- The
challenge
certificate variables has been removed.
- The bug that prevented from requesting more than two certificates has been fixed.
- The
kp_reuse
flag allow to reuse a key pair instead of creating a new one at each renewal. - It is now possible to define hook groups that can reference either hooks or other hook groups.
- Hooks can be defined when before and after a file is created or edited (
file_pre_create_hooks
,file_post_create_hooks
,file_pre_edit_hooks
andfile_post_edit_hooks
). - It is now possible to send logs either to syslog or stderr using the
--to-syslog
and--to-stderr
arguments.
post_operation_hook
has been renamedpost_operation_hooks
.- By default, logs are now sent to syslog instead of stderr.
- The process is now daemonized by default. It is possible to still run it in the foreground using the
--foregroung
flag.