Releases: caddyserver/certmagic
v0.21.6
v0.21.5
Primarily bug fixes and minor enhancements.
What's Changed
- Repair broken link for dotGo presentation. by @icpd in #312
- ZeroSSLIssuer: Make PollInterval configurable by @aplr in #316
- Remove obsolete constants by @ankon in #317
- Add a fast path for the DefaultCertificateSelector by @ankon in #318
- Quiet OCSP warnings if the cert has a short lifetime by @francislavoie in #320
- Bump golang.org/x/crypto from 0.27.0 to 0.31.0 by @dependabot in #322
Full Changelog: v0.21.4...v0.21.5
v0.21.4
We've made several improvements across the board, notably:
- Storage is temporarily a required field, until we implement a ZeroSSL issuer that doesn't require storage. I'm hoping this will be optional again before v1.0.
- New exported function GetRenewalInfo(), useful for issuers that support ARI.
- Better logging related to account loading and creation, and CSR generation; useful for troubleshooting.
- ACME account registration is now synced across a cluster.
- ARI fetching is now synced across a cluster.
- Normalization fix for IDNs.
- Writes to the filesystem (default) storage now use temporary files, which provides greater concurrency safety. This should address the very rare and sporadic corrupted certificate or metadata (JSON) files that have been observed and reported.
Thank you to everyone who contributed!
What's Changed
- Move looking up info for HTTP validation to warn level by @mbardelmeijer in #290
- Sync ACME account registration by @mholt in #293
- fix: use a tempfile to write files in filestorage. by @elee1766 in #300
- Add .internal to internal-only hostnames by @nickubels in #305
New Contributors
- @mbardelmeijer made their first contribution in #290
- @elee1766 made their first contribution in #300
- @nickubels made their first contribution in #305
Full Changelog: v0.21.2...v0.21.4
v0.21.2
This is apparently the same as v0.21.1, for some reason I thought there were new commits. Oh well, enjoy!
What's Changed
- Apply DefaultServerName more broadly during handshake by @mholt in #287
- downgrade minimum Go version by @mohammed90 in #289
Full Changelog: v0.21.0...v0.21.2
v0.21.0
CertMagic v0.21 introduces some big changes:
- Draft support for draft-03 of ACME Renewal Information (ARI) which assists with deciding when to renew certificates. This augments CertMagic's already-advanced logic using cert lifetime and OCSP/revocation status.
- New ZeroSSLIssuer uses the ZeroSSL API to get certificates. ZeroSSL also has an ACME endpoint, which can still be accessed using the existing ACMEIssuer, as always. Their proprietary API is paid, but has extra features like IP certificates, better reliability, and support.
- DNS challenges should be smoother in some cases as we've improved propagation checking.
- In the odd case your ACME account disappears from the ACME server, CertMagic will automatically retry with a new account. (This happens in some test/dev environments.)
- ACME accounts are identified only by their public keys, but CertMagic maps accounts by CA+email for practical/storage reasons. So now you can "pin" an account key to use by specifying your email and the account public key in your config, which is useful if you need to absolutely be sure to use a specific account (like if you get rate limit exemptions from a CA).
Please try it out and report any issues!
Thanks to @framer for their contributions to this release!
What's Changed
- Bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #264
- Demote "storage cleaning happened too recently" from WARN to INFO by @francislavoie in #270
- Check DNS propagation at authoritative nameservers only with default resolvers by @pgeh in #274
- Retry with new account if account disappeared remotely by @mholt in #269
- Update readme examples to use TLS-ALPN const from ACMEz by @goksan in #277
- Initial implementation of ZeroSSL API issuer by @mholt in #279
- Allow deleting directories via FileStorage by @goksan in #282
- Use the email configuration in the ACME issuer to "pin" an account to a key by @ankon in #283
- Initial implementation of ARI by @mholt in #286
Full Changelog: v0.20.0...v0.21.0
v0.20.0
This release vastly improves storage cleaning as well as improving a few smaller things. There is a minor breaking change as we get ever closer to v1.0.
- ⚠️ The DecisionFunc for On-Demand TLS now takes a context.Context value as its first argument. The context carries the ClientHelloInfo value (keyed by ClientHelloInfoCtxKey) for logging purposes.
- Storage cleaning is now synchronized across the cluster, including process restarts. The state of cleaning expired certificates and OCSP staples is written to storage, and distributed locking is used to ensure that only 1 instance does it at a time. This greatly reduces costs for expensive storage backends! Cleaning is also done less often when the process is frequently restarted, because the state is written to storage and so is not forgotten after shutting down.
- .home.arpa is now considered an internal suffix.
- Backoff timings have been tuned based on real-world experience.
What's Changed
- README: Add hint about NextProtos for certmagic.TLS by @oliverpool in #251
- Bump golang.org/x/net from 0.11.0 to 0.17.0 by @dependabot in #253
- Optionally pass the context argument down to the OnDemand decision func by @ankon in #255
- Retain the error stack if checkIfCertShouldBeObtained returns an error by @ankon in #256
- Add OCSP stapling unit tests by @kenjenkins in #259
New Contributors
- @oliverpool made their first contribution in #251
Full Changelog: v0.19.2...v0.20.0
v0.19.2
This release fixes a couple of bugs in on-demand TLS and also improves the context used during handshakes for cert operations. (Contexts assist with timeouts and cancellation.)
What's Changed
- Create a new context when renewing a certificate in the background by @ankon in #248
- Use context from ClientHello during GetCertificate by @mholt in #249
Full Changelog: v0.19.1...v0.19.2
v0.19.1
A minor patch that fixes a race condition when NewAccountFunc changes the ACMEIssuer it is called on.
A new error value is also exposed, ErrNoOCSPServerSpecified, to help users determine whether stapling failed only because the certificate doesn't support OCSP.
What's Changed
- Define a NoOCSPServerSpecified error by @kenjenkins in #245
New Contributors
- @kenjenkins made their first contribution in #245
Full Changelog: v0.19.0...v0.19.1
v0.19.0
This release has a few (relatively minor) API changes and additions to enable substantial performance improvements for large certificate deployments; for example, large and busy servers can now update a certificate cache's settings without having to make a new cache. This enables certificates already decoded into memory to remain even after a config change downstream.
Highlights
- The Config.Manage*() methods are now (basically) a no-op if a managed certificate for the name(s) passed in is already present in the cache. It doesn't make sense to reload the certificate from storage, decode it, and replace it in the cache; because the certificate is managed, that will happen automatically when it gets renewed.
- Removed Config.Unmanage() since it does not actually rely on the config at all. Replaced with Cache.RemoveManaged(). Removing a managed cert from the cache stops maintenance.
- Also added Cache.Remove(), which removes a certificate from the cache given its hash.
- The methods which load unmanaged certs into the cache now return the cert hash.
- Added Cache.SetOptions() to update a cache's config while active.
- Clarified the semantics around the Storage and Locker interfaces. This should be useful for implementers.
- Fixed a performance bug when On-Demand TLS was used with lots of specified domains (this is uncommon, as most uses of on-demand TLS don't know the domain names ahead of time).
What's Changed
- README: fix typo in sample code by @bitfehler in #243
New Contributors
- @bitfehler made their first contribution in #243
Full Changelog: v0.18.2...v0.19.0
v0.18.2
This patch release actually has some notable new features but nothing that affects existing API surface:
- New private keys are generated for every renewal (unless the new config property ReusePrivateKeys is set to true); previously, they were reused by default.
- New IssuerPolicy field to configure how to choose from multiple issuers. By default, the first issuer that successfully provides a certificate is used. (This is unchanged.) Now, however, the issuers can be shuffled to implement basic load balancing before trying them in succession.
- File storage locking mechanism is now more robust against short-lived locks in slow storage.
- The cert_obtained event info was fixed.
(Skip v0.18.1, as it contains a bug caught by integration tests downstream.)
What's Changed
- Generate new private keys for new certificates by @mholt in #237
- Issuer policies that can randomize issuer used by @mholt in #238
Full Changelog: v0.18.0...v0.18.2