We're preparing for many breaking changes, stay tuned!
- Database backend upgrade:
  - We're now using SQLite `v3` instead of simple file systems `v2`
  - Upgrade from `v2` to `v3` is automatic, certs database will be migrated if possible
  - The SQLite file is saved to `.certs/db.sqlite`, users are advised to remove `v2` files if migration has been done without problems
- Stat endpoint:
  - We provide `/stat` endpoint with `HOME_DOMAIN` env set instead of old separate domain
  - Should be much faster to execute since we count rows with SQLite
  - The domain count is reduced since SQLite only captures domains with correct config
    - While old `v2` also count domains with failed attempts
    - This reduces our stat from ~186000 domains to ~46700 domains!
- Dependencies change:
  - Upgrade `jose` from v3 to v5
  - Removed `pem` in favor of `rsa-csr` to avoid OpenSSL binaries
  - Added `better-sqlite3` for new SQLite DB backend
- Added Domain name and CAA Test conforming Let's Encrypt requirements
- CAA and TXT records should be correctly handled when using CNAME
- Fix to handle multiple CAA records. Contributed by @djbe
- Test and code quality improvements
- More complete JSDoc annotations (typescript is overkill for Node)
- Added Unit tests with `bun test` to test utility logics
- Integrated tests: Use extra test certs instead of ignoring insecure ones
- Added CI for Docker image build. Contributed by @djbe
- Added CI for Linting and Dependabot. Contributed by @djbe
- Add integration tests with Pebble
  - Changed few things to make future Let's Encrypt Happy:
    - Added `SubjectAltName` in addition to `CommonName` when doing CSR
    - Added support for asynchronous Let's Encrypt order flow
- Add a domain whitelisting mechanism using `WHITELIST_HOSTS` envar
- Removed `pm2` and `dotenv` to make CI's installation faster
  - Please install `pm2` manually if you need that (`npx pm2`)
  - Please load `.env` manually with `--env-file=.env` (Node >= 20)
- `index.js` now exports `plainServer` and `secureServer`
- Throw error when directly accessing by IP address
- Add `http-status` TXT record option to set HTTP status code. Contributed by @dzegarra
- Improve lock mechanism when a website is verifying certs.
- Fix global service lock when a website is verifying certs.
- Update code deps, refactor imports to ESM.
- Add stat API `s.forwarddomain.net`, separate node script.
- Moving all parameters to `.env` file
- Add a domain blacklist mechanism (we received a report that this service is used for phishing activity, for the first time)
  - Configure using `BLACKLIST_HOSTS`
- Added `AAAA` record in `r.forwarddomain.net` for IPv6 support. (see #2 for apex domains setup)
- Dropped `forward-domain-cert-maintainer=` record (as of LE explanation the provider is the bearer).
- The software is now keeping LE's account keypair instead of generating new one every restart.
- Changed IPv4 from `206.189.61.89` to `167.172.5.31` (we use DO's floating IP address now)
- Changed TXT location to subdomain `_` (because TXT can't be put together with CNAME)
- Dropped IPv6 record.
- First release
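
The CAA test and the multiple-CAA-records fix listed above concern a pre-issuance check; the following is an added example of that check under RFC 8659 rules, not forward-domain's own code. The `{flags, tag, value}` record shape, the `lookup` stub, the function names and every sample record are assumptions made for illustration.

```javascript
// Added illustration, not forward-domain's own code. The {flags, tag, value}
// record shape, the lookup stub and all sample records are constructed.
const KNOWN_TAGS = new Set(["issue", "issuewild", "iodef"]);

// RFC 8659 tree climbing: walk from the name towards the root and use the
// first non-empty CAA RRset. `lookup` stands in for a real DNS resolver.
function relevantCaaSet(domain, lookup) {
  const labels = domain.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const rrset = lookup(labels.slice(i).join(".")) || [];
    if (rrset.length > 0) return rrset;
  }
  return [];
}

// "letsencrypt.org; validationmethods=http-01" -> "letsencrypt.org".
// A bare ";" yields an empty issuer, which authorizes no CA.
const issuerOf = (value) => value.split(";")[0].trim().toLowerCase();

// Decide whether caDomain may issue, given every record in the RRset.
function caaPermits(records, caDomain, wildcard = false) {
  const tagOf = (r) => r.tag.toLowerCase();
  // An unknown tag with the critical bit (128) set blocks issuance.
  if (records.some((r) => (r.flags & 128) !== 0 && !KNOWN_TAGS.has(tagOf(r)))) return false;
  const withTag = (tag) => records.filter((r) => tagOf(r) === tag);
  // Wildcard requests prefer issuewild records and fall back to issue.
  let relevant = wildcard ? withTag("issuewild") : [];
  if (relevant.length === 0) relevant = withTag("issue");
  // No issue-type records: CAA places no restriction.
  if (relevant.length === 0) return true;
  // Multiple records: permitted if any one of them names this CA.
  return relevant.some((r) => issuerOf(r.value) === caDomain.toLowerCase());
}

const SAMPLE_ZONE = new Map([
  ["example.com", [
    { flags: 0, tag: "issue", value: "ca.example.net" },
    { flags: 0, tag: "issue", value: "letsencrypt.org; validationmethods=http-01" },
    { flags: 0, tag: "iodef", value: "mailto:security@example.com" },
  ]],
  ["locked.example.com", [{ flags: 0, tag: "issue", value: ";" }]],
]);

function mayIssue(domain, ca = "letsencrypt.org", wildcard = false) {
  return caaPermits(relevantCaaSet(domain, (n) => SAMPLE_ZONE.get(n)), ca, wildcard);
}

console.log(mayIssue("www.example.com"), mayIssue("locked.example.com"));
```

Checking only the first `issue` record would reject `www.example.com` here even though a later record authorizes Let's Encrypt, which is the failure mode a multiple-record fix guards against.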