Releases: caddyserver/certmagic
v0.14.3
v0.14.0
A few fixes and enhancements:
- An experimental feature was fixed that automatically replaces certificates which have been revoked. Now it actually works.
- If a certificate is revoked specifically due to key compromise, the compromised key will be rotated out and the replacement certificate will use a new key.
- ObtainCert() and RenewCert() have been split into Sync and Async versions, similar to ManageSync() and ManageAsync(), to bring consistency to the exported API, as well as to make room for...
- ... forced renewals, which are now controlled by a boolean argument passed into the RenewCert*() methods. This will renew a certificate even if it is not expiring.
- Obtain operations will reuse existing private keys if already in storage. It is still a no-op if all certificate assets (cert, key, and meta) are already in storage.
- Improved logging of errors between issuers when obtaining and renewing certificates.
- If DNS resolvers are explicitly configured, they will be used exclusively and not fall back to system resolvers. This makes the DNS challenge solvers work better in weird DNS setups.
v0.13.1
v0.13.0
Version 0.13 collects about 6 months of improvements to CertMagic. Along with a number of bug fixes, this release:
- Improves performance and logic related to certificate management at scale and On-Demand TLS
- Adds support for alternate chain preferences
- Supports multiple issuers (including automatic fallback for redundancy)
- Adds Config.Unmanage()
- Adds Config.ClientCredentials() (useful for client certificates!)
- Makes OCSP stapling configurable
- Enhances ACME account lookup/storage/management
⚠️ This release conforms to a recent change in libdns convention regarding DNS names passed to providers when solving the ACME DNS challenge. Some DNS providers may need to be updated to support this if they were not already.
v0.12.0
v0.12.0 is a major upgrade that significantly lightens the code base and makes ACME operations more efficient and reliable. We now have full control of our ACME stack, which was completely rewritten: we now use ACMEz instead of lego as our underlying ACME library, with some API changes. Please see the latest godoc for details.
v0.10.0
This tag has some significant changes to the exported API and the default certificate storage location.
- I've separated ACME-specific configuration from the main Config struct. Please see the godoc to see the latest Config definition, and get familiar with the ACMEManager type.
- The refactoring of the configuration makes CertMagic much more compatible with non-ACME issuers/managers.
- Certificates are now stored in <storage base>/certificates/<issuer_key>, where the <issuer_key> is derived from the CA URL like before, but now includes the path portion as well. This structure allows for greater versatility in the future.
- The DecisionFunc is now invoked for on-demand TLS renewals (before, it was only queried for initial obtain).
- The import path has changed! It's now github.com/caddyserver/certmagic. More on that later.
- Huge benefits with these changes! CertMagic can work with certificate lifetimes down to less than an hour. It works well with non-ACME certificate sources, it is much more resilient to errors, is more efficient at the scale of hundreds of thousands of certificates, and we've improved distributed locks with active locking in case processes get killed forcefully! You'll love these improvements in production.
Sorry for the breaking changes. It's for the better, I promise! This year I hope to tag a stable 1.0.