starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-01-11 22:30:44 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity
Files
master
dehydrated/CHANGELOG

190 lines
7.6 KiB
Plaintext
Raw Permalink Blame History

# Change Log
This file contains a log of major changes in dehydrated
## [x.x.x] - xxxx-xx-xx
## Added
- Added a configuration parameter to allow for timeouts during domain validation processing (`VALIDATION_TIMEOUT`, defaults to 0 = no timeout)
## Changed
- Only validate existance of wellknown directory or hook script when actually needed
- Also allow setting `KEEP_GOING` in config file instead of relying on cli arguments
- Allow skipping over OCSP stapling errors, indicate that some CAs no longer support OCSP
- Throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
## [0.7.2] - 2025-05-18
## Added
- Implemented support for certificate profile selection
- Added a configuration parameter to allow for timeouts during order processing (`ORDER_TIMEOUT`, defaults to 0 = no timeout)
- Allowed for automatic deletion of old files (`AUTO_CLEANUP_DELETE`, disabled by default)
- Added CA presets for Google Trust Services (prod: google, test: google-test)
## Changed
- Renew certificates with 32 days remaining (instead of 30) to avoid issues with monthly cronjobs (`RENEW_DAYS=32`)
## Fixed
- Changed behaviour of `openssl req` stdin handling to fix compatibility with OpenSSL version 3.2+
## [0.7.1] - 2022-10-31
## Changed
- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
- Added support for EC secp521r1 algorithm (works with e.g. zerossl)
- `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
## Fixed
- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers)
- Deprecated `egrep` usage has been removed
## Added
- Implemented EC for account keys
- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)
- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!)
## [0.7.0] - 2020-12-10
## Added
- Support for external account bindings
- Special support for ZeroSSL
- Support presets for some CAs instead of requiring URLs
- Allow requesting preferred chain (`--preferred-chain`)
- Added method to show CAs current terms of service (`--display-terms`)
- Allow setting path to domains.txt using cli arguments (`--domains-txt`)
- Added new cli command `--cleanupdelete` which deletes old files instead of archiving them
## Fixed
- No more silent failures on broken hook-scripts
- Better error-handling with KEEP_GOING enabled
- Check actual order status instead of assuming it's valid
- Don't include keyAuthorization in challenge validation (RFC compliance)
## Changed
- Using EC secp384r1 as default certificate type
- Use JSON.sh to parse JSON
- Use account URL instead of account ID (RFC compliance)
- Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
- Added `OCSP_FETCH` and `OCSP_DAYS` to per-certificate configurable options
- Cleanup now also removes dangling symlinks
## [0.6.5] - 2019-06-26
## Fixed
- Fixed broken APIv1 compatibility from last update
## [0.6.4] - 2019-06-25
## Changed
- Fetch account ID from Location header instead of account json
## [0.6.3] - 2019-06-25
## Changed
- OCSP refresh interval is now configurable
- Implemented POST-as-GET
- Call exit_hook on errors (with error-message as first parameter)
## Added
- Initial support for tls-alpn-01 validation
- New hook: sync_cert (for syncing certificate files to disk, see example hook description)
## Fixes
- Fetch account information after registration to avoid missing account id
## [0.6.2] - 2018-04-25
## Added
- New deploy_ocsp hook
- Allow account registration with custom key
## Changed
- Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
- Improved documentation on wildcards
## Fixes
- Added workaround for compatibility with filesystem ACLs
- Close unwanted external file-descriptors
- Fixed JSON parsing on force-renewal
- Fixed cleanup of challenge files/dns-entries on validation errors
- A few more minor fixes
## [0.6.1] - 2018-03-13
## Changed
- Use new ACME v2 endpoint by default
## [0.6.0] - 2018-03-11
## Changed
- Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
- Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory)
## Added
- Support for ACME v02 (including wildcard certificates!)
- New hook: generate_csr (see example hook script for more information)
- Calling random hook on startup to make it clear to hook script authors that unknown hooks should just be ignored...
## [0.5.0] - 2018-01-13
## Changed
- Certificate chain is now cached (CHAINCACHE)
- OpenSSL binary path is now configurable (OPENSSL)
- Cleanup now also moves revoked certificates
## Added
- New feature for updating contact information (--account)
- Allow automatic cleanup on exit (AUTO_CLEANUP)
- Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
- Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
- Allow dehydrated to run as specified user (/group)
## [0.4.0] - 2017-02-05
## Changed
- dehydrated now asks you to read and accept the CAs terms of service before creating an account
- Skip challenges for already validated domains
- Removed need for some special commands (BusyBox compatibility)
- Exported a few more variables for use in hook-scripts
- fullchain.pem now actually contains the full chain instead of just the certificate with an intermediate cert
## Added
- Added private-key rollover functionality
- Added `--lock-suffix` option for allowing parallel execution
- Added `invalid_challenge` hook
- Added `request_failure` hook
- Added `exit_hook` hook
- Added standalone `register` command
## [0.3.1] - 2016-09-13
## Changed
- Renamed project to `dehydrated`.
- Default WELLKNOWN location is now `/var/www/dehydrated`
- Config location is renamed to `dehydrated` (e.g. `/etc/dehydrated`)
## [0.3.0] - 2016-09-07
## Changed
- Config is now named `config` instead of `config.sh`!
- Location of domains.txt is now configurable via DOMAINS_TXT config variable
- Location of certs directory is now configurable via CERTDIR config variable
- signcsr command now also outputs chain certificate if --full-chain/-fc is set
- Location of account-key(s) changed
- Default WELLKNOWN location is now `/var/www/letsencrypt`
- New version of Let's Encrypt Subscriber Agreement
## Added
- Added option to add CSR-flag indicating OCSP stapling to be mandatory
- Initial support for configuration on per-certificate base
- Support for per-CA account keys and custom config for output cert directory, license, etc.
- Added option to select IP version of name to address resolution
- Added option to run letsencrypt.sh without locks
## Fixed
- letsencrypt.sh no longer stores account keys from invalid registrations
## [0.2.0] - 2016-05-22
### Changed
- PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys
- deploy_cert hook now also has the certificates timestamp as standalone parameter
- Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX)
- Private keys are now regenerated by default
### Added
- Added documentation to repository
### Fixed
- Fixed bug with uppercase names in domains.txt (script now converts everything to lowercase)
- mktemp no longer uses the deprecated `-t` parameter.
- Compatibility with "pretty" json
## [0.1.0] - 2016-03-25
### Changed
- This is the first numbered version of letsencrypt.sh
Reference in New Issue View Git Blame Copy Permalink