Release Notes v2.170
Release Date: June 13, 2026
UCM v2.170 is a major technical release focused on standards conformance and observability. It adds certificate conformance linting, ACME Renewal Information (ARI), an opt-in Prometheus metrics endpoint, per-webhook delivery history with retry, an admin scheduler view, and functional scheduled backups — plus a round of UI layout fixes and an internal notifications refactor.
A per-certificate Lint action checks a certificate against X.509 standards and shows structured findings. Informative only — it never blocks issuance.
- Profiles: RFC 5280 (always relevant) and CA/Browser Forum Baseline Requirements (public TLS server certs).
- Severities: fatal/error/warning/notice/info.
- Engine: pkilint (pure-Python, optional dependency) plus zlint when its binary is present. Degrades gracefully when no linter is installed.
See Certificate Operations → Conformance Linting.
The local ACME server now advertises a renewalInfo resource so clients learn the ideal moment to renew each certificate and spread renewals over time. Revoked certificates return a window in the past so compliant clients renew immediately. The endpoint is an unauthenticated GET /acme/renewalInfo/<certID>.
See ACME Support → Renewal Information.
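How a client would use the renewalInfo resource described above, as an added example that is not UCM's code: it builds the certID path segment and picks a renewal time from the returned window. The certID encoding, the suggestedWindow JSON shape and the uniform random pick follow RFC 9773 and are assumed to match UCM's responses; the sample windows are constructed.

```python
import base64
import random
from datetime import datetime, timezone


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_id: bytes, serial: int) -> str:
    """RFC 9773 certID: b64url(AKI keyIdentifier) + "." + b64url(DER serial)."""
    # DER INTEGER content bytes are minimal two's complement, so a leading
    # 0x00 is kept when the top bit of the first byte would otherwise be set.
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return f"{b64url(aki_key_id)}.{b64url(serial_der)}"


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def renewal_time(renewal_info: dict, now: datetime, rng=random) -> datetime:
    """Choose when to renew from a renewalInfo response body."""
    window = renewal_info["suggestedWindow"]
    start, end = parse_ts(window["start"]), parse_ts(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    # A uniformly random instant in the window spreads clients over time.
    pick = start + (end - start) * rng.random()
    # A pick already in the past (e.g. a revoked certificate) means renew now.
    return max(pick, now)


# AKI and serial are the illustration values from RFC 9773; windows are constructed.
AKI = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
SERIAL = 0x87654321
NOW = datetime(2026, 6, 13, 12, 0, tzinfo=timezone.utc)
HEALTHY = {"suggestedWindow": {"start": "2026-08-01T00:00:00Z", "end": "2026-08-03T00:00:00Z"}}
REVOKED = {"suggestedWindow": {"start": "2026-06-01T00:00:00Z", "end": "2026-06-02T00:00:00Z"}}

if __name__ == "__main__":
    print("GET /acme/renewalInfo/" + ari_cert_id(AKI, SERIAL))
    print("healthy ->", renewal_time(HEALTHY, NOW))
    print("revoked ->", renewal_time(REVOKED, NOW))
```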
An opt-in, bearer-gated /metrics endpoint in the Prometheus exposition format, configurable from Settings → General → Prometheus metrics (generate / rotate / disable the token). Exposes certificate, CA, scheduler, webhook and ACME counters.
See Monitoring → Prometheus Metrics.
Webhook deliveries now run from a durable async queue with exponential backoff (up to 5 attempts), and each endpoint keeps a delivery history (status, attempts, last HTTP code/error) with a manual retry button.
See Notifications → Delivery, retries and logs.
Settings → System → Scheduler lists UCM's background tasks with their status, last run, duration and failure count, and lets an admin Run now on demand.
Built-in automatic, encrypted database backups on a configurable cadence (daily / weekly / monthly) with retention, run from the background scheduler. See Backup & Restore → Built-in Scheduled Backups.
- Notifications event bus — email and WebSocket notifications are now fanned out through a single in-process event bus, removing duplicated call-sites.
- In-app help — contextual help panels and guides now document all of the above, in every supported language.
- Pagination — list pages that paginated client-side (Users, Templates, SCEP, SSH CAs, CRL/OCSP, CSRs, ACME accounts, Discovery) now page through their rows correctly instead of rendering the full list on one page.
- Layout — list tables and toolbars no longer overflow into a horizontal scrollbar in split view, modals no longer show a double scrollbar, and the CA "columns" view wraps to fill the width instead of scrolling sideways.
- Lifecycle events — issuing, renewing or revoking a certificate (or creating/updating a CA) no longer risks an intermittent error when a webhook endpoint is configured, which could previously surface as a 500.
- Migration 041 — new webhook_deliveries table backing the durable delivery queue. Dual-backend (SQLite + PostgreSQL), applied automatically on upgrade.
- Drop-in replacement for v2.169. The webhook_deliveries migration applies automatically.
- Certificate linting requires the optional pkilint package on the server; the DEB/RPM/Docker builds include it. Without it, the Lint panel reports the linter as unavailable.
- RC validated 6/6 on DEB + RPM + Docker × SQLite + PostgreSQL.