b881bae

a572489

New features

  • #1948 - In the menu Manage renewals > Edit renewal it is now possible to choose which stage of the renewal you would like to modify. So instead of completely reconfiguring it, you can also change specific behaviour like source, validation, installation, etc.
  • #1760 - FTP bindings can now be automatically read/updated from IIS in the source stage; the sites and host names simply show up in the lists when configuring a renewal. This change required us to merge the IISFTP installation plugin into the regular IIS plugin. This was done in a way that's fully backwards compatible with existing renewals. Requested by @luigirosa and others.
  • #1646 - It's now possible to configure global pre- and post-renewal scripts, which will be called before and after executing a renewal. The relevant configuration values are Execution.DefaultPreExecutionScript and Execution.DefaultPostExecutionScript in settings.json. The use case for this is to prepare the system to handle validation, e.g. by opening certain firewall ports. Requested by @ThomasCr and many others.

Enhancements

  • A global order cache has been implemented to prevent users from hitting rate limits, even across different and new renewals. This was a tricky feature to implement because each renewal can have different opinions on which (type of) private key it would like to use. Also we still need to keep track of changes in the source since the previously issued certificate, mandating an effective two-level caching structure. So there is now a first-level cache for the renewal itself and a second-level cache at the global level.
  • #1824 - When the server indicates that it's too busy, the client will now gracefully back off in five steps between 8 and 128 seconds before retrying the request. A bug in handling this scenario caused #1824, reported by @nathanajci and many others, especially when running the scheduled task at exactly 9:00 am (as opposed to with a random delay). Special thanks to @xpepos for figuring out the root cause.
  • #1966 - Optimized the place and layout of the possible parameters during interactive setup of the script installation plugin, suggested by @AvrumFeldman.
  • Update a whole range of third party dependencies.
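The back-off behaviour described in #1824 above, modelled as an added Python example (not win-acme's own code, which is C#). It assumes a too-busy reply is signalled with HTTP status 503 and injects the request and sleep functions so the retry schedule can be checked without a network or real waiting:

```python
"""Model of a client that backs off when the ACME server reports it is too busy.

Added illustration, not win-acme's own code. The five delays double from 8 s to
128 s as the release note describes; `send` and `sleep` are injected so the
behaviour can be exercised offline.
"""
from typing import Callable, Dict, List

# Five steps between 8 and 128 seconds, as described for #1824.
BACKOFF_SCHEDULE_SECONDS = [8 * 2 ** step for step in range(5)]  # [8, 16, 32, 64, 128]

# Assumption for this example: "too busy" is signalled by HTTP 503.
TOO_BUSY_STATUS = 503


class ServerTooBusy(Exception):
    """Raised when every scheduled retry has been exhausted."""


def request_with_backoff(
    send: Callable[[], Dict],
    sleep: Callable[[float], None],
    schedule: List[int] = BACKOFF_SCHEDULE_SECONDS,
) -> Dict:
    """Send a request; on a too-busy reply wait the next scheduled delay and retry.

    `send` returns a dict with at least a "status" key (a constructed stand-in for
    an HTTP response). After the last scheduled delay one final attempt is made.
    """
    retries = 0
    while True:
        response = send()
        if response["status"] != TOO_BUSY_STATUS:
            return response
        if retries >= len(schedule):
            raise ServerTooBusy(f"gave up after {retries} retries")
        sleep(schedule[retries])
        retries += 1


def simulate(busy_replies: int):
    """Run the retry loop against a fake server that answers 503 `busy_replies`
    times before answering 200. Returns (final status or None, delays slept)."""
    replies = [{"status": TOO_BUSY_STATUS}] * busy_replies + [{"status": 200, "body": "ok"}]
    responses = iter(replies)
    slept: List[float] = []

    def send() -> Dict:
        return next(responses)

    try:
        return request_with_backoff(send, slept.append)["status"], slept
    except ServerTooBusy:
        return None, slept


if __name__ == "__main__":
    for busy in (0, 2, 5, 6):
        print(f"{busy} busy replies -> {simulate(busy)}")
```

Six consecutive too-busy replies exhaust the schedule (8 + 16 + 32 + 64 + 128 = 248 seconds of waiting) and the run fails; the scheduled task's random start delay mentioned in the note keeps many clients from all reaching that state at the same moment.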

Example script updates

Bug fixes

  • #1947 - GoDaddy validation was broken in 2.1.19 due to an attempted bugfix, reported by @bl-abolis.
  • #1969 - The installation stage would crash if no store option had been selected, reported by @Zennate.
  • #1967 - The Azure KeyVault plugin was missing an assembly, causing an (otherwise harmless) error message at startup, reported by @neilsleightholm-paxton.
  • #1968 - In some cases upgrading from a version older than 2.1.18 would trigger all the certificates to be renewed, reported by @zachol72.
  • #1972 - It was not possible to use the secret vault for the Azure KeyVault plugin, reported by @samrueby.
  • #1980 - It was not possible to set up new renewals using the TransIP plugin due to a validation logic bug, reported by @EddieDemon.
519f26f

Bug fixes

  • #1942 - @luidigo reported a crash issue at startup on a clean install, thanks for that!
  • #1934 - @tsimmons reported a crash issue at startup on Windows Server 2008 R2. There is no official support for that OS anymore, neither from Microsoft nor from win-acme, but it was an easy fix in this case.

3dfc9ca

Enhancements

  • #1917 - It's now possible to globally configure your desired Powershell runtime, enabling you to use Powershell Core. The setting is under ScriptSettings.PowershellExecutablePath and defaults to the old powershell.exe, but you could for example use "C:\Program Files\PowerShell\7\pwsh.exe" instead. Note that this applies to all scripts, including previously configured ones, so make sure to test all of them. Requested by @MarcoEnxuto.
  • #1896 - The --setuptaskscheduler switch is now also valid for use during the creation of a new renewal, forcing the recreation of an existing scheduled task. Requested by @remyblok.
  • During DNS validation of wildcard domains, show the wildcard in the logs. This doesn't impact functionality, but just makes it more clear whether you're looking at the validation for *.example.com or example.com in the same renewal.
  • #1886 - Add a new setting called RenewalMinimumValidDays that works in conjunction with the RenewalDays setting. This ensures that certificates are renewed when they are about to expire, even if they are not yet due according to the RenewalDays setting. Its main purpose is to not get caught off-guard when the server issues certificates with a lifetime shorter than the RenewalDays setting. Default is 7 days. Based on feedback from @CvW.
  • Cache logic was refactored, so that it now prevents the client from creating orders and running validation unless it's determined to be actually necessary. This improves performance and helps to prevent people from running into rate limits.
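How the RenewalDays and RenewalMinimumValidDays settings combine, as an added Python example that is not win-acme's own code. The 7-day default comes from the note above; the RenewalDays value of 55 and the certificate dates are sample values chosen for this example:

```python
"""Model of the RenewalDays / RenewalMinimumValidDays decision.

Added illustration, not win-acme's own code. A renewal is due when either the
certificate is at least RenewalDays old, or no more than RenewalMinimumValidDays
of its lifetime remain. The second rule is what catches certificates whose
lifetime is shorter than RenewalDays.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

DEFAULT_MINIMUM_VALID_DAYS = 7   # default named in the release note
SAMPLE_RENEWAL_DAYS = 55         # constructed sample value for this example


def renewal_due(
    not_before: datetime,
    not_after: datetime,
    now: datetime,
    renewal_days: int = SAMPLE_RENEWAL_DAYS,
    minimum_valid_days: int = DEFAULT_MINIMUM_VALID_DAYS,
) -> Tuple[bool, str]:
    """Return (due, reason) for a certificate valid from not_before to not_after."""
    age = now - not_before
    remaining = not_after - now
    if age >= timedelta(days=renewal_days):
        return True, f"certificate is {age.days} days old (RenewalDays={renewal_days})"
    if remaining <= timedelta(days=minimum_valid_days):
        # Also covers an already expired certificate (negative remaining).
        return True, (f"only {remaining.days} days of validity left "
                      f"(RenewalMinimumValidDays={minimum_valid_days})")
    return False, f"{remaining.days} days left, due in {renewal_days - age.days} days"


def demo() -> Dict[str, bool]:
    """Compare a 90-day and a 10-day certificate (constructed dates)."""
    issued = datetime(2021, 11, 1, tzinfo=timezone.utc)
    ninety_day = issued + timedelta(days=90)
    ten_day = issued + timedelta(days=10)
    day = lambda n: issued + timedelta(days=n)
    return {
        "90d_at_day30": renewal_due(issued, ninety_day, day(30))[0],
        "90d_at_day55": renewal_due(issued, ninety_day, day(55))[0],
        # Short-lived certificate: only 6 days left, far before RenewalDays.
        "10d_at_day4": renewal_due(issued, ten_day, day(4))[0],
        # Same certificate with the minimum disabled: it would be missed.
        "10d_at_day4_no_min": renewal_due(issued, ten_day, day(4), minimum_valid_days=0)[0],
    }


if __name__ == "__main__":
    for case, due in demo().items():
        print(f"{case}: {'renew' if due else 'wait'}")
```

The last two cases show the failure mode the note describes: with the minimum set to 0 a 10-day certificate would only be renewed at day 55, long after it expired.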

Bug fixes

  • #1872 - The Cloudflare validation plugin would fail if the hosted DNS zone is not the root zone, reported by @cartierinfo.
  • #1843 - The logic to pick between alternative certificate chains was broken for chains longer than two certificates, which happens to be relevant for what Let's Encrypt are doing with their ISRG X1 chain. This will allow the PreferredIssuer setting to work properly for that scenario.
  • #1887 - Use TTL zero for the GoDaddy plugin to prevent cached results from being served. Thanks @vdenisov for the report.
  • Old certificates were not removed from the store if host names were added or removed during the renewal.
  • The program could crash on servers that contained registry keys indicating the presence of IIS, yet not actually having IIS installed.

Sponsors

This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.

7fc9d31

New features

  • #1801 - Basic support for RFC8738, an extension to ACME that allows servers to issue certificates for IP addresses. They can be input through the Manual and CSR source plugins and validated using tls-alpn or any http method. Installation support for IIS is limited: renewals for ip-only bindings will work after setting up manually for the first time, but the program will not create them automatically yet. Note that this feature can only be used if the ACME service also supports it. So far none of the popular ones do. Brought to our attention by @Virinum.
  • #1865 - @marcoskirchner contributed a remote validation plugin, which pushes validation challenge answers to a REST endpoint of your choice. His corresponding server implementation can be used to receive the answers and forward them to the ACME server, but you could also develop your own. This allows you to run win-acme on a separate server from the one that receives traffic from the domain.

Enhancements

  • We have decided to rename “target plugins” to “source plugins” because that name makes more sense given their function, which is working at the beginning of the pipeline to provide the rest of the steps with a list of identifiers (DNS names or IP addresses) to work with. To avoid breaking workflows the old command line parameter --target continues to be accepted as an alias for the new --source parameter.
  • The previous release added support for secret management in the core program. This release extends that to all extra plugins. To do this properly without duplicating a lot of code the user input subsystem was rewritten, so that it will feel a lot more consistent moving forwards, both in the main program and the various plugins. This also makes authoring additional plugins easier.
  • The parameter --validation-mode is no longer required if there are no naming conflicts between plugins, e.g. instead of --validation-mode dns-01 --validation azure you can now simply use --validation azure because there is no other plugin with that name.
  • Add proxy support to the Google Cloud DNS plugin.
  • Added a basic “Edit renewal” option to the Manage renewals menu, which is basically the same as creating a new renewal (with full options), but overwrites the previously created settings while maintaining history.
  • All plugins and the main program are now built with compile-time nullable checking, improving code quality.
  • Updated various NuGet packages for latest bug fixes from upstream components.
  • Updated local copy of the Public Suffix List for offline installations.
  • The Route53 plugin now supports parallel operations, greatly speeding up the validation process when including multiple domains in a certificate.

Bug fixes

  • Configuring a Powershell script in a path with spaces and/or single quotes would fail to run.
  • Command line parsing better handles dashes embedded in quoted strings, reported and tested by @wchao.
  • #1849 – PemFiles plugin was asking “PFX password”, which was mislabelled, thanks @MarcoMiltenburg!
  • #1847 – The published build of the Google Cloud DNS plugin didn’t work with the published build of the main program. This has been corrected. Thanks for noticing @ArcanoxDragon!
  • #1831 – The program would crash when providing it with an invalid argument, thanks @johlju for the report!

Sponsors

This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.

9895d8a

Breaking (but not really)

  • #1799 - If the script started by the script installation plugin returns an error, the renewal will now be considered to have failed and logged/notified as such. The program will however still attempt to run any additional installation steps, so there are no functional changes, except that previously this kind of error was invisible/ignored and now it won't be. So after upgrading, existing users may be notified about errors that have been happening for a long time already and may not require immediate attention or changes. In these cases it's probably easiest to silence the error from the script by using a try { } catch { } block. Thanks @rob-vangelder for noticing this.

New features

  • #1792 - The secret manager is a new component in the program that can be used to store and update secrets (e.g. passwords and API keys) in a central location. This is an alternative to the current system that stores them individually for each renewal, which works fine but makes rotating them painful. For now the secret manager uses a .json file in the configuration folder as its storage mechanism. As was already the case, the secrets for renewals are encrypted using the Windows Data Protection API. So while there is no immediate improvement in security, it does improve manageability. In the future the plan is to make it possible to support external storage providers such as Azure KeyVault as well using the same mechanism. In this release all built-in features have been updated to support the secret manager. The plan is to add support to the plugins as well in the next release.
  • #1813 - A new validation plugin for Google Cloud DNS was contributed by @derhally, the second one they've built!

Enhancements

  • #1800/#1807 - It is no longer possible to run two instances of win-acme simultaneously (even for different configuration folders, which was previously allowed) to avoid two copies fighting over the use of shared system resources (e.g. network ports and IIS). To avoid this becoming a breaking change, the second copy will wait until the first copy is finished, and then run as usual. @emilstojanov submitted the bug report which led to this idea.
  • Command line arguments like *key*, *password*, *secret* and *token* are not logged anymore to avoid leaking sensitive information.
  • #1795 - A debug build of the program will now log full http requests and responses in --verbose mode. This is not enabled in release builds for security reasons, to avoid leaking sensitive information, so you will need to build the program yourself using Visual Studio if you want to use this feature. Thanks for the idea @DavidLaClair.
  • #1808 - When setting up a new certificate for the Windows Certificate Store with the "full options" menu, users are now asked which specific store they want to use. Previously this could only be specified through the command line or as a global default in settings.json. Thanks for the suggestion @BrianCanFixIT!
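Redacting sensitive arguments before logging, as an added Python example that models the behaviour described above rather than reproducing win-acme's own code. The executable name wacs.exe and the --dnsapikey parameter are sample values; --pemfilespassword and --transip-privatekey are parameters mentioned elsewhere in these notes:

```python
"""Redact command-line arguments whose names suggest a secret before logging.

Added illustration, not win-acme's own code. Matches the words key, password,
secret and token case-insensitively in the option name, handles both
`--name value` and `--name=value`, and deliberately over-redacts rather than
risk leaking a value.
"""
from typing import List

SENSITIVE_WORDS = ("key", "password", "secret", "token")
REDACTED = "***"


def is_sensitive(option_name: str) -> bool:
    """True when the option name (without dashes) contains a sensitive word."""
    name = option_name.lstrip("-").lower()
    return any(word in name for word in SENSITIVE_WORDS)


def redact_args(argv: List[str]) -> List[str]:
    """Return a copy of argv with secret values replaced by REDACTED."""
    out: List[str] = []
    hide_next = False
    for arg in argv:
        if hide_next:
            # The token after `--secretoption` is its value. If the user wrote
            # another switch instead, it is also hidden: over-redacting a flag is
            # harmless, while logging a secret that happens to start with a dash
            # is not.
            out.append(REDACTED)
            hide_next = False
            continue
        if arg.startswith("-"):
            name, sep, _value = arg.partition("=")
            if is_sensitive(name):
                if sep:
                    out.append(f"{name}={REDACTED}")      # --name=value form
                else:
                    out.append(arg)                       # --name value form
                    hide_next = True
                continue
        out.append(arg)
    return out


def log_line(argv: List[str]) -> str:
    """The line a logger would write for this invocation."""
    return "Arguments: " + " ".join(redact_args(argv))


if __name__ == "__main__":
    # Constructed sample invocation; "hunter2" and "abc123" stand in for secrets.
    sample = ["wacs.exe", "--source", "manual", "--pemfilespassword", "hunter2",
              "--dnsapikey=abc123", "--verbose"]
    print(log_line(sample))
```

Substring matching on the option name means a parameter such as --transip-privatekey is caught without a per-plugin list, which matters when new plugins add their own credential switches.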

Bug fixes

  • #1794/#1797 - The GoDaddy plugin release in the previous version turned out to have some issues, which prompted us to remove the download from the releases page even after the first hotfix. Those issues have been fully resolved now and the current implementation has been confirmed to work now by several users. Thanks @DavidLaClair in particular for working with us to test.
  • In very specific cases win-acme would decide not to create a new IIS binding, even though it was in fact possible.
  • #1791 - The health check for the scheduled task could cause a crash in specific cases, making the program unusable until the task was deleted or modified. Thanks @thesushil for the report!
  • #1810 - @Virinium improved logging in the DNS lookup system, thanks for the contribution!
a857fe2

Bug fixes

  • #1788 - Setting up new renewals using the Azure DNS plugin was broken in version 2.1.16, thanks @Sokmunki for the report
  • Fix AppVeyor build script to actually publish the GoDaddy plugin 🤡, thanks for pointing that out @ChrisIsidora

Update

  • The GoDaddy plugin is temporarily unavailable due to users reporting issues; we are currently investigating and will update the release when the problems are ironed out.

New features

  • A new store plugin has been created for Azure KeyVault, which lets you store certificates there for easier access from the Microsoft cloud.
  • A new DNS validation plugin has been created for GoDaddy, thanks for the contribution @LuanNg!

Enhancements

  • #1771 - Improved handling of the scenario when an ACME server throws an error that requires user interaction, e.g. updated terms of service that need to be accepted, reported by @december1990 in response to such errors accidentally being triggered by ZeroSSL.
  • #1769 - Version checker will also provide user feedback when the latest version is running, thanks @Virinium for noticing.
  • #1779 - Improve labels in renewal manager, suggested by @zachol72
  • Update various NuGet packages to their latest versions, potentially fixing upstream bugs.
  • Various documentation improvements, e.g. #1740 by @PsychoData and #1780 by @uhlhosting

Bug fixes

  • #1773 - Interactive creation of certificates would crash with a wildcard binding present in IIS, thanks @dichternebel for the report!
  • Fix potential crash on systems without IIS.
9e5829a

New features

  • The program can now check for the availability of a new version, either from the "Extra options" menu, or automatically on every run by setting Client.VersionCheck to true in settings.json. This is disabled by default for privacy reasons.
  • The PemFiles store plugin can now optionally password-protect the -key.pem file. A default password can be set in settings.json and it can be specified on the command line via the --pemfilespassword

Enhancements

  • The TransIP-plugin can now be used from the command line using --transip-privatekeyfile or --transip-privatekey.
  • #1756 - To protect users from themselves, the CertificateStore plugin will now refuse to delete the previous version of the certificate from the store if it detects that it's still in use by IIS. This bites new users that manually bind the certificate to IIS instead of using the appropriate installation plugin. If the installation plugin is not chosen, the certificate will still expire though.
  • #1761 - Sorting of bindings now happens in a DNS aware way instead of purely alphabetically, making it easier to find the binding(s) that you're looking for, thanks @jscarle for the idea.

Bug fixes

  • #1747 - Do not give a warning about an unhealthy task if the user includes --verbose in the arguments, thanks @tsimmons.
  • #1718 - Fix crash bugs on alternative ACME services (non-Let's Encrypt), thanks @Stan-Tastic and @Thomas-Stu for collaborating on this.
  • #1749 - "Manual" renewals were not always properly imported from v1.9.x, discovered by @tommykoch.