Skip to content

v2.128

Choose a tag to compare

View all tags
@github-actions github-actions released this 21 Apr 12:21
· 388 commits to main since this release
v2.128
eb63c81

What's Changed

Added

  • Custom Extended Key Usage (EKU) OIDs when issuing certificates and signing CSRs (RFC 5280 §4.2.1.12) — the Issue Certificate form and the Sign CSR modal now expose an "Extra EKUs" multi-select that combines a dropdown of well-known EKUs (Microsoft RDP 1.3.6.1.4.1.311.54.1.2, smartcard logon 1.3.6.1.4.1.311.20.2.2, document signing, IPsec, Kerberos PKINIT, etc. — 18 catalog entries via the new GET /api/v2/eku/known endpoint) with a free-text input that accepts any well-formed dotted OID. The cert_type's default EKUs (e.g. serverAuth for server certs) remain locked-in as chips and the extras are merged on top — never replaced. Backend validation (utils/eku_validation.py) enforces a 16-OID cap, the ^[0-2](?:\.(?:0|[1-9]\d*)){1,15}$ OID regex, and explicitly rejects anyExtendedKeyUsage (2.5.29.37.0). For CSR signing, if the CSR already carries an EKU extension it is rebuilt with the merged set. Fixes #76.
  • Active filter state persisted across reloads — applying a filter on Certificates, CAs, Audit Logs, Templates, Policies, TrustStore, HSM, RBAC, SSH Certificates, SSH CAs, Users/Groups, or User Certificates now saves the live selection to localStorage (one key per filter, e.g. ucm-filter-certs-status). Reloading the page or navigating away and back instantly restores the same filter, with no flash of unfiltered data — the new usePersistedState hook reads the value synchronously in the React state initializer. Clearing a filter through the UI also removes the corresponding localStorage entry, so empty state stays clean. Works alongside the existing named filter presets (which keep using a separate …-presets key). Fixes #57.
  • Windows quick-install script for SSH CA trust — the SSH CA setup script endpoint now accepts a ?platform=windows query parameter and returns a PowerShell (.ps1) script that configures the Windows OpenSSH Server to trust the CA (writes the public key to %ProgramData%\ssh, locks down ACLs, adds TrustedUserCAKeys/HostCertificate directives to sshd_config, validates with sshd -T, and restarts the sshd service). Supports both user and host CAs, includes a -DryRun switch, and works on the public unauthenticated /ssh/setup/<refid> endpoint too. The SSH CA detail panel now shows two download buttons (Linux/macOS .sh + Windows .ps1) and two Quick Install one-liners (curl … | bash for Linux/macOS, iwr … | iex for Windows). Fixes #75.
  • User UI preferences persisted server-side — language, theme family, and theme mode are now saved per-user in the database (users.preferences JSON column) instead of only in the browser's localStorage. New endpoints GET/PUT /api/v2/account/preferences (whitelist-validated, admin or self) store the preferences, and /api/v2/auth/verify returns them so they are applied on every page load. Logging in from a fresh browser, a different device, or after clearing site data now restores the user's chosen language and theme instead of falling back to the browser locale and default theme. Migration 022 adds the column on both SQLite and PostgreSQL. Fixes #73.
  • ACME proxy orders linked to local accounts — proxy order rows now record which local AcmeAccount initiated them (FK account_id resolved from the client JWK thumbprint). The proxy order list now displays the account email/short id beside each order, and the account detail "Orders" tab now merges local + proxy orders with a "Proxy" badge so operators can see all activity per account in one place. Migration 021 backfills account_id for existing proxy orders by joining on acme_accounts.jwk_thumbprint. Fixes #71.

Fixed

  • ACME renewal storm with Let's EncryptAcmeClientOrder.expires_at was being set from the ACME order resource's expires field (RFC 8555 §7.1.3, ~7 days for LE) instead of the issued certificate's notAfter (typically 90 days). The renewal scheduler then re-issued the same certificate every tick, hitting the LE production rate limits. finalize_order now stores the leaf certificate's notAfter, and migration 020 backfills expires_at for all already-issued orders. Fixes #74.

Changed

  • No more compilation toolchain required at install timegcc and python3-dev (DEB) / python3-devel (RPM) have been removed from package dependencies. Previously they were needed to build the twofish C extension pulled in transitively by pyjks (Java KeyStore export). Investigation confirmed twofish is only used by pyjks for the BKS UBER keystore format, which UCM never produces — UCM only exports JKS. pyjks is now installed via pip install --no-deps pyjks==20.0.0 in the postinst scripts (with its actual runtime deps javaobj-py3 + pycryptodomex listed in requirements.txt), keeping the install pure-wheel and ~30 MB lighter on RPM systems.

Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.128

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.128

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.128

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.128/ucm_2.128_all.deb
sudo dpkg -i ucm_2.128_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.128/ucm-2.128-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.128-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.128_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

Assets 5
Loading