v1.9.8.2

@WouterTinus WouterTinus released this Jan 20, 2018 · 1 commit to master since this release

Breaking changes

--forcerenewal no longer implicitly triggers the --renew parameter; both have to be supplied to force an unattended renewal. This allows --forcerenewal to also bypass the certificate cache for new certificates (#691).

Enhancements

There are now two ways to create certificates in interactive mode. The mode you know - but don't necessarily love (#699) - from recent versions is now the "advanced" mode. A new default mode pre-selects SelfHosting validation and IIS installation, and doesn't ask difficult questions about scheduled tasks either.

Bug fixes

  • Improved error handling for validation methods no longer being offered. Since Let's Encrypt stopped broadly supporting TLS-SNI-01 validation, this suddenly became a real issue for users (#693, #695, #710).
  • IISBindings target is no longer case sensitive about the "S" (all sites) parameter
  • Unattended creation of new certificates without explicitly specifying a validation method would crash (#703)
  • The Azure validation mode was broken due to a misfiring factory class (#708), thanks @jonasoberschweiber!

v1.9.8.1

@WouterTinus WouterTinus released this Jan 9, 2018 · 12 commits to master since this release

  • Fix crash when setting PrivateKeyExportable to false
  • Improve reliability of SelfHosting validation
  • Error handling of unreadable renewals in registry
  • Fix backwards compatibility with renewals created on v1.9.0-v1.9.1
  • Make --warmup actually read the response
  • --forcerenewal can now be used for new certificates to bypass cache
  • Log DNS identifier during authorization phase to help diagnose issues
  • Log # of binding changes and don't commit IIS if none have been made
  • New .config options to set start time, random delay and time limit for scheduled task
  • Hopefully fixes some reported runtime issues on .NET Framework 4.6.1

v1.9.8.0

@WouterTinus WouterTinus released this Jan 2, 2018 · 27 commits to master since this release

This release represents the third and final phase of re-architecting the program from monolithic plugins into smaller components which can be mixed and matched. Where v1.9.7.x dipped a toe into dependency injection, v1.9.8.x has gone all-in and opens the path for more maintainability, extensibility and testability. That's a little background for developers wanting to contribute to future releases, so let's go over the user-visible features.

Validation plugins

The reliability of both IIS and SelfHosting validation has been greatly improved since 1.9.7. It's now possible to validate using a different site than the target using the --validationsiteid switch. This is also offered as an option in interactive mode.

Store plugins

Stores for certificates are now implemented as plugins. This allows renewals to have more influence on their behaviour than previously possible, such as overriding the global CertificateStore setting with a --certificatestore command line argument, which can be different for each certificate. This was requested in #253 among others. In the future other plugins might be added, e.g. for specific 3rd-party web servers.

Installation plugins

Installation has now also been implemented as plugins. For now there are 'only' two of them (IIS and Script) but they have become more powerful because they are now decoupled from target plugins. So you can install a manual binding to IIS, or run a script after getting a certificate from an IIS target. Multiple installation plugins can even be chained after each other, as requested in #150 and others.

Manual installation (script)

Now comes with example scripts for RD Gateway, RD Listener and Exchange, big thanks to @LBegnaud for contributing the bulk and @WinnME and @nemchik for polishing.

IIS installer

Now capable of detecting and updating default bindings (without hostname) and wildcard bindings according to a new ruleset. It's possible to install to a different site than the target using the --installationsiteid switch. The option is also offered in interactive mode. Should help support scenarios described in #330, #349, #356, #590 and others.

Revocation

If you fear your current certificate has been compromised, it's now possible to revoke it. As requested in #78.

Updated libraries

LEWS now targets .NET Framework 4.6.1, allowing us to update our own dependencies, mainly Microsoft.Web.Administration (a critical assembly used to manage IIS).

Smaller fixes

  • #591 - Make all new bindings non-IP specific to prevent 'ghost' bindings
  • #646 - tighter scope for temporary application to avoid conflicts with openid configuration
  • #654 - add command line switch to cancel renewal
  • #656 - don't re-apply SNI flag on IIS binding if administrator removes it
  • #665 - don't re-issue the certificate if the previously issued one is less than 24 hours old
  • Change default renewal to 55 from 60 days, preventing 'expires within 1 month' warnings
  • Reduce size of registry keys by omitting null-values
  • Don't print FTP/WebDav password on screen in interactive mode

v1.9.8.0-beta8

@WouterTinus WouterTinus released this Dec 28, 2017 · 36 commits to master since this release

  • Make re-use of cached certificates much more robust (8,1 even more - #684)
  • Additional error logging for validation plugins
  • Revert back to FileSystem as default validation for backwards compatibility with Apache (#683)
  • Fix success message printed as error (#684)
  • Better detection of cases where no IIS binding update is needed (specifically for Central SSL bindings)
  • Make all new bindings non-IP specific to prevent 'ghost' bindings from appearing that have the potential to break other websites (#94). Note that it's still possible to manually make the binding IP-specific after LEWS creates it and that existing IP-specific bindings will also still be renewed.

v1.9.8.0-beta7

@WouterTinus WouterTinus released this Dec 20, 2017 · 45 commits to master since this release

  • Restore missing metadata (version etc.) from assembly
  • SelfHosting validation plugin fixes
    • Support IDNs
    • Support renewals created with the previous default ValidationPlugin
    • Better logging
  • Log failed authorizations as errors instead of info

v1.9.8.0-beta6

@WouterTinus WouterTinus released this Dec 13, 2017 · 49 commits to master since this release

Hopefully the last beta for 1.9.8, might just tag this final over the weekend.

  • Bugfix for issue introduced in beta 5 with double disposal (#670)
  • Bundled Exchange script should support 2007+ instead of 2013+ now, thanks @nemchik
  • Bundled scripts should work on PowerShell 2.0+ now, thanks @WinnME
  • SelfHosting instead of FileSystem is now default when no ValidationPlugin is specified

v1.9.8.0-beta5

@WouterTinus WouterTinus released this Dec 10, 2017 · 61 commits to master since this release

  • Don't re-issue the certificate if the previously issued one is less than 24 hours old (#665)
  • Don't re-apply SNI flag on IIS binding if administrator removes it (#656)
  • Don't print FTP/WebDav password on screen in interactive mode
  • Fix SAN and IDN support broken with Central SSL store (#666)
  • Change how DI is handled during authorization, cleaning code and handling SAN better
  • Change default renewal to 55 from 60 days, preventing 'expires within 1 month' warnings
  • Reduce size of registry keys by omitting null-values

v1.9.8.0-beta4

@WouterTinus WouterTinus released this Dec 2, 2017

  • Add command line switch to cancel renewal (#654)
  • Fix bug that caused modules to survive cleanup by the IIS validation (noted in #653, #643, #627)
  • Improved SelfHosting validation to only intercept requests with /.well-known/acme-challenge/ in the path, keeping port 80 free for normal traffic. Due to this fix the SelfHosting plugin is also promoted to be the new recommended validation mode.

v1.9.8.0-beta3

@WouterTinus WouterTinus released this Dec 1, 2017

Beta 2 was a ninja update because the new .NET Standard references broke the build script, meaning the uploaded binary was pretty much useless. Beta 3 contains the following fixes:

  • #652 - Huge bug in the main program causing only the first scheduled item to be considered for renewal, thanks @akuropka for finding that one.
  • #651 - Tweak RDGateway import script - thanks @LBegnaud
  • #649 - Fix for unattended mode with non-default validation plugin