@WouterTinus WouterTinus released this Apr 25, 2021

Breaking (but not really)

  • #1799 - If the script started by the script installation plugin returns an error, the renewal will now be considered to have failed and logged/notified as such. The program will however still attempt to run any additional installation steps, so there are no functional changes, except that previously this kind of error was invisible/ignored and now it won't be. So after upgrading, existing users may be notified about errors that have been happening for a long time already and may not require immediate attention or changes. In these cases it's probably easiest to silence the error from the script by using a try { } catch { } block. Thanks @rob-vangelder for noticing this.
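A script for the script installation plugin that silences only a best-effort step and lets a real failure reach win-acme, as an added example that is not from the win-acme project or these release notes; the parameter name, the `{CertThumbprint}` placeholder and the share path are assumptions:

```powershell
# Added example, not win-acme project code. Assumes the plugin passes the new
# certificate's thumbprint as the first script parameter (e.g. {CertThumbprint}).
param(
    [Parameter(Mandatory = $true)][string]$CertThumbprint,
    [string]$OptionalShare = '\\backup-host\certs'   # placeholder path, best-effort target
)

# Make every cmdlet failure a terminating error so try/catch actually sees it.
$ErrorActionPreference = 'Stop'

# Step 1: required. Deliberately NOT wrapped in try/catch: if the certificate is
# missing the script ends with an error, which win-acme now logs and notifies.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$CertThumbprint"
Write-Host "Installed certificate $($cert.Subject), expires $($cert.NotAfter)"

# Step 2: best effort. A failure here was previously invisible; keep it from
# failing the renewal, but make it visible in the script's own output.
try {
    $target = Join-Path $OptionalShare "$CertThumbprint.cer"
    Export-Certificate -Cert $cert -FilePath $target | Out-Null
}
catch {
    Write-Warning "Optional export to $OptionalShare failed, continuing: $($_.Exception.Message)"
}
```

Only errors that escape the try/catch are reported by win-acme, so the blanket `try { } catch { }` from the note above should be reserved for steps whose failure genuinely does not matter.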

New features

  • #1792 - The secret manager is a new component in the program that can be used to store and update secrets (e.g. passwords and API keys) in a central location. This is an alternative to the current system that stores them individually for each renewal, which works fine but makes rotating them painful. For now the secret manager uses a .json file in the configuration folder as its storage mechanism. As was already the case, the secrets for renewals are encrypted using the Windows Data Protection API. So while there is no immediate improvement in security, it does improve manageability. In the future the plan is to make it possible to support external storage providers such as Azure KeyVault as well using the same mechanism. In this release all built-in features have been updated to support the secret manager. The plan is to add support to the plugins as well in the next release.
  • #1813 - A new validation plugin for Google Cloud DNS was contributed by @derhally, the second one they've built!

Enhancements

  • #1800/#1807 - It is no longer possible to run two instances of win-acme simultaneously (even for different configuration folders, which was previously allowed) to avoid two copies fighting over the use of shared system resources (e.g. network ports and IIS). To avoid this becoming a breaking change, the second copy will wait until the first copy is finished, and then run as usual. @emilstojanov submitted the bug report which led to this idea.
  • Command line arguments like *key*, *password*, *secret* and *token* are not logged anymore to avoid leaking sensitive information.
  • #1795 - A debug build of the program will now log full http requests and responses in --verbose mode. This is not enabled in release builds for security reasons, to avoid leaking sensitive information, so you will need to build the program yourself using Visual Studio if you want to use this feature. Thanks for the idea @DavidLaClair.
  • #1808 - When setting up a new certificate for the Windows Certificate Store with the "full options" menu, users are now asked which specific store they want to use. Previously this could only be specified through the command line or as a global default in settings.json. Thanks for the suggestion @BrianCanFixIT!

Bug fixes

  • #1794/#1797 - The GoDaddy plugin released in the previous version turned out to have some issues, which prompted us to remove the download from the releases page even after the first hotfix. Those issues have now been fully resolved and the current implementation has been confirmed to work by several users. Thanks @DavidLaClair in particular for working with us to test.
  • In very specific cases win-acme would decide not to create a new IIS binding, even though it was in fact possible.
  • #1791 - The health check for the scheduled task could cause a crash in specific cases, making the program unusable until the task was deleted or modified. Thanks @thesushil for the report!
  • #1810 - @Virinium improved logging in the DNS lookup system, thanks for the contribution!

Sponsors

This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.

@WouterTinus WouterTinus released this Mar 18, 2021

Bug fixes

  • #1788 - Setting up new renewals using the Azure DNS plugin was broken in version 2.1.16, thanks @Sokmunki for the report
  • Fix AppVeyor build script to actually publish the GoDaddy plugin 🤡, thanks for pointing that out @ChrisIsidora

Update

  • The GoDaddy plugin is temporarily unavailable due to users reporting issues; we are currently investigating and will update the release when the problems are ironed out.

@WouterTinus WouterTinus released this Mar 14, 2021

New features

  • A new store plugin has been created for Azure KeyVault, which lets you store certificates there for easier access from the Microsoft cloud.
  • A new DNS validation plugin has been created for GoDaddy, thanks for the contribution @LuanNg!

Enhancements

  • #1771 - Improved handling of the scenario when an ACME server throws an error that requires user interaction, e.g. updated terms of service that need to be accepted, reported by @december1990 in response to such errors accidentally being triggered by ZeroSSL.
  • #1769 - Version checker will also provider user feedback when the latest version is running, thanks @Virinium for noticing.
  • #1779 - Improve labels in renewal manager, suggested by @zachol72
  • Update various NuGet packages to their latest versions, potentially fixing upstream bugs.
  • Various documentation improvements, e.g. #1740 by @PsychoData and #1780 by @uhlhosting

Bug fixes

  • #1773 - Interactive creation of certificates would crash with a wildcard binding present in IIS, thanks @dichternebel for the report!
  • Fix potential crash on systems without IIS.
  • v2.1.15
  • 9e5829a

@WouterTinus WouterTinus released this Feb 21, 2021

New features

  • The program can now check for the availability of a new version, either from the "Extra options" menu, or automatically on every run by setting Client.VersionCheck to true in settings.json. This is disabled by default for privacy reasons.
  • The PemFiles store plugin can now optionally password-protect the -key.pem file. A default password can be set in settings.json and it can be specified on the command line via the --pemfilespassword

Enhancements

  • The TransIP-plugin can now be used from the command line using --transip-privatekeyfile or --transip-privatekey.
  • #1756 - To protect users from themselves, the CertificateStore plugin will now refuse to delete the previous version of the certificate from the store if it detects that it's still in use by IIS. This bites new users that manually bind the certificate to IIS instead of using the appropriate installation plugin. If the installation plugin is not chosen, the certificate will still expire though.
  • #1761 - Sorting of bindings now happens in a DNS aware way instead of purely alphabetically, making it easier to find the binding(s) that you're looking for, thanks @jscarle for the idea.

Bug fixes

  • #1747 - Do not give a warning about an unhealthy task if the user includes --verbose in the arguments, thanks @tsimmons.
  • #1718 - Fix crash bugs on alternative ACME services (non-Let's Encrypt), thanks @Stan-Tastic and @Thomas-Stu for collaborating on this.
  • #1749 - "Manual" renewals were not always properly imported from v1.9.x, discovered by @tommykoch.
  • v2.1.14
  • ff00b05

@WouterTinus WouterTinus released this Jan 10, 2021

New features

  • #1719/#1730 - Add a command line option --setuptaskscheduler to forcibly (re)create the scheduled task and also force the (re)creation upon using the --import feature, requested by @xorinzor.

Enhancements

  • #1718 - Account creation code was refactored to enable fallback to a RS256 key if the server doesn't support using a ES256 key (which is in violation of the ACME RFC). Reported by @Stan-Tastic.
  • #1722 - Reduce timeout and attempt to resolve potential deadlock issue on the connectivity check that happens at initial startup (reported by @acanivano).
  • Add arm64 binaries to the build and release process, preparing for an eventual release of Windows Server on ARM.
  • #1708 - When pre-validation fails for the manual DNS plugin, the certificate creation process would be unable to proceed. Now instead the user is offered the option to retry, abort or ignore the error. Reported by @LeonardMichalas.

Bug fixes

  • #1690 - Fix yes/no prompts not working on remote terminals from Apple operating systems (macOS/iPadOS/iOS).
  • #1718 - Handle ACME servers that do not return a new nonce when reporting an error message.
  • #1732 - Fix typo reported by @Virinum.

Sponsors

This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:

  • v2.1.13
  • 6a751b3

@WouterTinus WouterTinus released this Dec 5, 2020

New features

  • A new setting allows you to specify the preferred root authority. On January 11th Let's Encrypt will switch over to their own root certificate, which is not trusted by older Android versions and perhaps other (older) software. As a fallback, until September 30th it will still be possible to get certificates using the old root. In settings.json you can configure Acme.PreferredIssuer to be "ISRG Root X1" if you want to start testing with the new root today or "DST Root CA X3" to keep using the fallback as long as it will last.
  • A DNS validation plugin for Dutch hosting company TransIP is now available from the releases page. Note that this provider is not very fast at updating its records after their API has accepted the changes, so it's highly recommended to roughly double PreValidateDnsRetryCount and/or PreValidateDnsRetryInterval in settings.json.

Enhancements

  • The program is now built on .NET 5.0 instead of .NET Core 3.1. This should not have much user impact, but allows us to keep up to date with the latest Microsoft technologies and should solve some annoying issues, such as the startup problems reported in #1632 by @MarcoMiltenburg.
  • The program will now refuse to start when it detects that another instance on the same machine is already working on the same configuration path. A warning will be logged when it detects that another instance is running for a different configuration path. Running multiple instances in parallel can cause issues in certain scenarios, for example when both try to make changes to IIS at the same time.
  • It's now possible to use plugins when using win-acme as a dotnet tool. To use them they need to be unpacked to %userprofile%\.dotnet\tools\.store\win-acme\{version}\win-acme\{version}\tools\net5.0\any. We realize this is not the most user friendly experience and might come up with better solutions in the future. Requested by @rprouse in #1691.
  • The path to the program used for a newly created scheduled task is now quoted when necessary, reported by @Phil-G in #1704.
  • An example PowerShell script to use win-acme for the Windows Admin Center was submitted by Matthew Barreiro, thanks!

Bug fixes

  • #1706 - Crash fix for the DigitalOcean plugin when using domain substitution for the acme-challenge subdomain. Thanks for the contribution @Skulblaka.
  • #1700 - It was not possible to use TLS-ALPN-01 validation from the command line, reported by @andrianovSupplerus.
  • v2.1.12
  • 44b401c

@WouterTinus WouterTinus released this Nov 2, 2020

New features

  • #1648 - This release adds support for ZeroSSL as a (free) alternative to Let's Encrypt, further broadening the range of service providers that win-acme can be used with. A ZeroSSL account can be created using email signup, EAB credentials or an API key from an existing account. Requested by @trekmp.
  • #1684 - win-acme is now available as a .NET tool, so it can be installed or updated from the command line if you have .NET Core installed on your system using dotnet tool install win-acme --global. Note that it currently only works as a global tool and plugin support has not been tested yet. Idea from @jachin84.

Enhancements

  • Update various NuGet packages for upstream bugfixes
  • Update the Public Suffix List for users who cannot download it dynamically each run
  • Add a random delay of 2 hours to the scheduled task to help alleviate potential performance issues for service providers. E.g. for new installs the scheduled task will run sometime between 9 am and 11 am. This does not affect existing installs and of course it is still configurable and customizable.
  • We now log if we're running as a 32 bit or a 64 bit build.
  • Add extra logging to track down possible bug #1678

Bug fixes

  • #1680 - Fixed a bug that caused partially validated orders to fail in multithreaded mode, reported by @alexhass.
  • Fixed a bug that caused multithreaded mode to be enabled by default for people upgrading from 2.1.8 or below
  • #1675 - @Skulblaka fixed a bug in the DigitalOcean plugin so that it can validate subdomains, reported by @wsaca. Thanks both!
  • #1676 - Version 2.1.11 would exit the process with code -1 (error) if one or more renewals were not due, thanks @RealAmes for noticing!
  • v2.1.11
  • 160ed1a

@WouterTinus WouterTinus released this Oct 2, 2020

Enhancements

  • #1659 - The --webroot argument can now be used to override the path read from an IIS target, suggested by @Vershner
  • #1651 - Outgoing http requests now include a user-agent header, contributed by @monomosc
  • #1668 - grantemsley contributed an example script that updates the Azure AD Application Proxy
  • Log/print 64b or 32b builds at startup, along with the version information
  • More specific error messages for InvalidOperationExceptions
  • When a renewal fails, the exit code for the scheduled task no longer indicates success

Bug fixes

  • #1661 - The Digital Ocean plugin was missing RestSharp.dll in its package, thanks @viktor2097 for the report.
  • #1665 - Fix crash when the program is unable to place an order for whichever reason (e.g. invalid nonce, rate limit, etc.).
  • #1669 - Fix logic bug where folders are not cleaned up properly, thanks @Franciscorp
  • #1657 - Fix bug in DNS script validation reported by @belope
  • A validation failure would not be considered fatal in all cases, causing the program to unnecessarily try to continue