Releases: caddyserver/certmagic

v0.18.0

09 Jun 00:04
d37847a

This update brings several optimizations and improvements:

  • Don't access storage during on-demand TLS unless the subject is allowed in the first place
  • Managers moved into on-demand config, since they operate only at handshake-time
  • Experimental FallbackServerName, which is like DefaultServerName except that it applies even if a ServerName is specified in the handshake
  • Several bug fixes, especially related to on-demand TLS and Managers
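
The ordering in the first item above (allow check before any storage access), sketched as an added example that is not CertMagic's own code: `onDemand`, `countingStore` and `storageReads` are hypothetical names, and the handshake names are constructed.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// countingStore is a hypothetical storage stand-in that only counts lookups.
type countingStore struct{ loads int }

func (s *countingStore) load(name string) (*tls.Certificate, error) {
	s.loads++
	return &tls.Certificate{}, nil // placeholder, not a usable certificate
}

var errNotAllowed = errors.New("subject not allowed for on-demand TLS")

// onDemand models handshake-time certificate selection (hypothetical type).
type onDemand struct {
	allowed map[string]bool
	store   *countingStore
}

// getCertificate has the shape of tls.Config.GetCertificate. The allow check
// runs on the normalized SNI value before any storage access.
func (o *onDemand) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	if !o.allowed[name] {
		return nil, fmt.Errorf("%q: %w", name, errNotAllowed)
	}
	return o.store.load(name)
}

// storageReads replays SNI values and reports how many reached storage.
func storageReads(sni []string) int {
	o := &onDemand{allowed: map[string]bool{"app.example.com": true}, store: &countingStore{}}
	for _, n := range sni {
		_, _ = o.getCertificate(&tls.ClientHelloInfo{ServerName: n})
	}
	return o.store.loads
}

func main() {
	// Constructed handshake names: two allowed spellings, two unknown subjects.
	sni := []string{"app.example.com", "a1.example.net", "a2.example.net", "APP.example.com."}
	fmt.Println("storage reads:", storageReads(sni))
}
```

Handshakes for subjects outside the allow list cost no storage lookups, so arbitrary SNI values cannot be used to load the storage backend.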

What's Changed

  • Allow specifying http proxy via config by @georgmu in #212
  • Allow the default cache logger to be set by @pwilloughby in #213
  • Bump golang.org/x/text from 0.3.7 to 0.3.8 by @dependabot in #216
  • Bump golang.org/x/net from 0.0.0-20220805013720-a33c5aa5df48 to 0.7.0 by @dependabot in #218
  • obtain instead of renew cert if it does not exist in storage by @shitz in #221
  • Use recursive query when checking for TXT records by @kizmc in #224
  • Update & Improve CI by @wusatosi in #227
  • chore: Skip slow tests on Windows by @francislavoie in #229
  • Add a GetCertificateWithContext function by @ankon in #225
  • Refactor certificate Managers by @mholt in #231
  • Fix advanced cache initialization in README by @s111 in #198

Full Changelog: v0.17.2...v0.18.0

v0.17.2

04 Oct 17:09
2e8dd44

What's Changed

  • Avoid nil dereferencing on errors by @ankon in #206
  • Fix a panic when attempting to log when certificate should not be renewed by @antoniomika in #207

Full Changelog: v0.17.1...v0.17.2

v0.17.1

05 Sep 18:43
2e22c6f

This release changes the OnEvent API in a slightly breaking way, so if you are using events, please check out the new doc: https://pkg.go.dev/github.com/caddyserver/certmagic#Config.OnEvent

The new API is more flexible and easier to use. We are also documenting the events in our README.

Some bug fixes and improved logging. Minimum version is now Go 1.18.

Full Changelog: v0.16.2...v0.17.1

v0.16.2

02 Aug 21:22
8531018

This release primarily improves DNS challenges, making them more efficient and correct (mostly edge cases).

Full Changelog: v0.16.1...v0.16.2

v0.16.1

06 May 16:22
049e605

Minor enhancement allowing customization of the propagation delay/timeout for DNS challenge.

Full Changelog: v0.16.0...v0.16.1

v0.16.0

25 Mar 17:10
03cffeb

This release is hopefully one of the last major tags before a more stable CertMagic 1.0. It includes a number of breaking changes (for the better, I promise) -- so please pay attention:

  • ⚠️ All storage methods now require a context.Context to be passed in. We also added it to CleanUpOwnLocks() and several other functions that end up calling Storage methods (e.g. CacheUnmanagedTLSCertificate()). Your editor, in combination with gopls (the Go language server), should be able to quickly tell you where context is missing.
  • ⚠️ Storage methods now return fs.ErrNotExist if a file or key is not found, instead of certmagic.ErrNotExist, which has been removed. (The io/fs package did not exist when CertMagic was first written.)
  • ⚠️ ACMEManager has been renamed to ACMEIssuer, and CertificateManager has been renamed to Manager. These renames make naming more consistent and accurate, and less confusing (since ACMEManager was not a CertificateManager, which is a new type).
  • Certificate events now provide more useful, actionable information. See #150.
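
For storage implementers and callers, the first two changes above look like this in practice. This is an added example, not CertMagic's code: `memStore` and `classify` are hypothetical, only the `Load` method is modelled, and the keys are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io/fs"
)

// memStore is a hypothetical in-memory backend whose Load follows the
// v0.16.0 rules: context first, fs.ErrNotExist when the key is absent.
type memStore struct{ data map[string][]byte }

func (m *memStore) Load(ctx context.Context, key string) ([]byte, error) {
	if err := ctx.Err(); err != nil {
		return nil, err // cancelled or timed out: says nothing about the key
	}
	v, ok := m.data[key]
	if !ok {
		// Wrapping keeps detail for logs; errors.Is still matches.
		return nil, fmt.Errorf("load %q: %w", key, fs.ErrNotExist)
	}
	return v, nil
}

// classify separates the outcomes a caller must not confuse: a timeout
// or backend failure must not be read as "the certificate is missing".
func classify(ctx context.Context, s *memStore, key string) string {
	_, err := s.Load(ctx, key)
	switch {
	case err == nil:
		return "found"
	case errors.Is(err, fs.ErrNotExist):
		return "missing"
	default:
		return "storage error"
	}
}

func main() {
	// Constructed key and value; the key layout is illustrative only.
	s := &memStore{data: map[string][]byte{"certs/app.example.com": []byte("PEM")}}
	ctx := context.Background()
	fmt.Println(classify(ctx, s, "certs/app.example.com"))
	fmt.Println(classify(ctx, s, "certs/other.example.com"))
	cancelled, cancel := context.WithCancel(ctx)
	cancel()
	fmt.Println(classify(cancelled, s, "certs/other.example.com"))
}
```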

I have personally submitted PRs to the more popular known storage implementations as a courtesy to help deal with the breaking changes.

The nuances of the logic in preparing for DNS challenges have changed slightly; hopefully it will work in more environments.

Thanks to all who contributed! Sorry for any inconvenience with the breaking changes; that's the joy of pre-1.0 libraries. We're almost there, though. It's been 5 years and we might finally be starting to get good at things.

Full Changelog: v0.15.4...v0.16.0

v0.15.4

08 Mar 20:12
f60ce01

What's Changed

  • Fixed order of certificate loading so that private keys are loaded first by @sam-lord in #171
  • Managers: Ability to call GetCertificate from external certificate sources by @mholt in #163
  • Support OverrideDomain in DNS01Solver by @crccw in #160

Full Changelog: v0.15.3...v0.15.4

v0.15.3

01 Feb 20:48
2f78e52

Enhanced OCSP stapling support. Fixed automatic replacement of revoked certificates for on-demand certificates and some other edge cases.

Full Changelog: v0.15.2...v0.15.3

v0.15.2

08 Nov 20:05
f832018

Minor tweaks and a minor bug fix.

v0.15.0

30 Sep 19:28
6b2f5f9

This release improves use at large scale:

  • Adjusted default internal throttle for ACME transactions from 20 every minute to 10 every 10 seconds. This should allow for higher throughput with busy clients without impacting CA networks too much.
  • Clarified in the docs that NextProtos needs to be set by you on a tls.Config if you are not using a CertMagic function that serves an application on top of TLS. In other words, if you're not using the HTTPS() function, you should set NextProtos to the proper values for your application. (This is not new, nor a change. Just a helpful note in the docs.)
  • Fixed a bug affecting a small subset of users with lots of on-demand certificates (> 10,000) and some non-on-demand certificates, in which the non-on-demand certificates would be evicted from the cache. They are now reloaded later if this happens. (Note: the non-on-demand certs must be managed; this won't work for manually-managed certs.)
  • ⚠️ Changed ManageSync() to take a context.Context as the first argument, so that synchronous operations can also be cancelled and cleaned up. This is a breaking change that may affect a small subset of users.