The FTP validation plugin gained an option to use the GnuTLS library for FTPS connections, as the default TLS implementation provided in .NET/Windows suffers from compatibility issues with various Unix-based FTP servers. For more background on this subject check this page by the FluentFTP project. Using this requires:
- A change in config: `Validation.Ftp.UseGnuTls = true`
- The pluggable x64 release of win-acme (it is not available for x86 or ARM due to limitations of the upstream package, and also doesn't work on the trimmed build)
- Download and extract the additional artifact
We recommend you only do this as a last resort when other validation methods fail, because there are some limitations of this connection method documented at the link above. This was all initiated based on feedback from @cuper6.
- A new toggle has been added to `settings.json` which allows you to disable certificate validation for the ACME endpoint, useful for people running their own ACME CA using a self-signed certificate (requested by @100110010111 in #2431).
- The Azure DNS validation plugin no longer requires permissions to the Resource Group that hosts the DNS zone. Thanks to @sveng-r for testing in #2372.
- @jcazier-umich improved the `ImportJKS.ps1` example script by using `$env:JAVA_HOME` instead of a hardcoded path (#2408).
- Improved documentation and validation for the Google Cloud DNS plugin, based on feedback from @timothydilbert.
- When customizing the `notAfter` settings, fractional seconds are no longer sent to the server, because that level of accuracy is overkill and some providers throw errors upon receiving them (thanks for testing @timothyd09 in #2394).
- Update various third party dependencies (Autofac, FluentFTP, MailKit, Serilog, etc.)
- More verbose logging for DNS pre-validation in case of query failures
- Filter illegal characters from the `ClientName` setting when creating the scheduled task, preventing failures (reported by @andrewsauder in #2410).
- In rare circumstances sorting the renewals in the Renewal Manager could result in an error (reported by @nrcionline in #2401).
- The Central Certificate Store plugin was broken for international domain names (noticed by @Nelo-cool in #2434).
- The PFX file plugin didn't properly update pre-existing files, which may have caused corruption upon renewal (noticed by @efficiondave in #2397).
- The `--nocache` switch (and interactive menu option) could still reuse previously generated private keys.
This release was funded by one gold sponsor, two silver sponsors and four bronze sponsors.
If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.
- Event and disk logging was broken in v2.2.5 due to a Serilog change that affected single-file publishing and therefore only showed up after the final redistributable was compiled. Thanks for the heads-up @tsimmons (#2395).
- `notAfter` dates are now rounded to whole hours, as at least Sectigo doesn't accept anything smaller, based on feedback from @timothyd09 (#2394).
- New command line argument `--register`, which can be used to set up a new ACME account in unattended mode without the need to immediately create a certificate. Based on feedback from @ArthurHNL (#2391).
- A new setting `Order.DefaultValidDays` can now be used to request certificates that are valid for a shorter time than the default offered by the server. Note that this is not supported by Let's Encrypt at this point, but it should work for Sectigo among others. Requested by @timothyd09 (#2394).
- Customize the CSR signature algorithm using the setting `Csr.Ec.SignatureAlgorithm`. The default remains unchanged at `SHA512withECDSA`. As requested by @julieolson-gs (#2385).
- The DNS resolver has been refactored to fall back to the default servers whenever authoritative servers cannot be found or contacted. This makes the algorithm more robust in firewalled, misconfigured or other exceptional network environments. On a related note, for new installations, we now also default to the local system DNS instead of trusted external ones like Google (18.104.22.168), which will also prevent users in secured environments from running into issues (based on feedback by @jamesarbrown #2389).
- When the program fails to send an email notification, the SMTP messages will be shown to allow for easier troubleshooting. Suggested by @Zennate (#2388).
- GoDaddy DNS validation makes it mandatory to provide an API secret. Legacy authentication using only an API key appears to have been deprecated by this provider. Noticed by @rafalsk in #2376.
- Amazon/AWS Route53 DNS validation prompts and messaging are now clearer about expecting an IAM name instead of an ARN, preventing users like @TheSkorm from getting headaches while trying to guess at this (#2378).
- RFC2136 DNS validation has learned to look up server host names, so that it's no longer required to configure an IP address (#2364, thanks for testing @JensSpanier).
- RFC2136 DNS validation will now try to update/create records in different zones. E.g. if the record `_acme-challenge.www.example.com` cannot be created in the zone `example.com` (e.g. because it doesn't exist), it will also try to create it in the zone `www.example.com` (based on feedback by @jamesarbrown #2389).
- Update various third party dependencies and remove some superfluous ones.
- The "More options" menu can be used to do initial account setup again, a feature that got lost in v2.2.3 (#2367, reported by @amuen2b).
- `ScheduledTask.RenewalMinimumValidDays` didn't have the desired effect anymore since v2.3.3 (#2371, reported by @marconfus).
- In some rare cases the error message `The added or subtracted value results in an un-representable DateTime` could appear when loading renewals after an upgrade, reported by @akuropa.
- The private key would not be included in the generated certificate if/when an ACME server decides to preface the PEM data with a comment, as was the case for @Moechen in #2342.
- The program would fail to parse certificates when Windows is configured to use the Thai locale. Thanks to @baxing for reporting this (#2370).
- RFC2136 DNS validation would not clean up records after validation (#2364, thanks for testing @JensSpanier).
- The program did not import intermediate certificates since v2.1.18, thanks for the PR and bug report @AlexanderS.
- Experimental/beta version of RFC2136 validation (i.e. standard dynamic DNS updates), as requested by @loxK (#1741). The code is untested but based on a simple example provided by the author of ARSoft.Tools.Net, which we use to implement it. We would love to receive feedback on how the plugin works in practice.
- Update various third party dependencies, including move to the official .NET Core version of Bouncy Castle that was released earlier this year.
- This release implements ARI, a draft extension proposal for ACME currently being deployed by Let's Encrypt that enables tighter integration between servers and clients. For example, the server can now tell the client when it feels a certificate should be renewed, both to spread load and to respond to security incidents. For now win-acme will only renew certificates earlier based on ARI suggestions, but not later. On the other side of the coin, the client can now tell the server if or when it stops caring about a certificate. When you cancel a renewal or a certificate is replaced by one with a different shape, we now let the server know. Note that this feature is enabled by default, but can be disabled using the
- It's now possible to use multiple accounts for one ACME endpoint, which could come in handy for advanced EAB scenarios like @elitegoodguys (#2308), or if you'd like to fine-tune who receives server-sent notification emails about specific certificates. Besides the default account which everyone has or gets, you can now specify `--account somename` on the command line to create a certificate using a named account.
- Added a DNS validation plugin for Infomaniak (#2332, thanks @fa18swiss).
- When configuring a default password in `settings.json` for various plugins, the interactive menu will select it by default, so that simply confirming the default will use it (#2345, suggested by @rboy1).
- Handling of certificate revocation has significantly improved. The revoke event is now recorded in the renewal history and causes the renewal to immediately become due. We also force issuing a new certificate with a new private key, even if/when the previous certificate is still within the cache period and/or the `--reuse-privatekey` parameter has been set.
- For renewals using an order plugin to split the source into multiple certificates, we now show more (accurate) information. E.g. how many orders have been created, when each of them is due, when each of them was last renewed and what all of their most recent thumbprints were.
- For renewals using a spread renewal period (either caused by the `RenewalDaysRange` setting or ARI information) we show both the start and end of the period.
- Fixed an issue that may have caused subtle misbehaviours in validation plugins that are not designed with parallelism in mind. Instead of creating a new instance of the plugin for every domain, the instances were re-used. This led to bug #2343 reported by @bluecompassinteractive, but may have manifested itself in other places as well.
- Fixed multiple issues with the Azure DNS validation plugin (#2341, #2346). Thanks for helping @matthew-campbell-aranzmedical and @rgroenewoudt.
- Fixed an issue that caused all certificates to be renewed prematurely when upgrading win-acme from version 2.1 to 2.2 (#2320, thanks @AliDodd and @jmcook).
- Fixed a bug that prevented renewals with >100 domains from working. While that is not legal for a single certificate, it should be allowed when the renewal is split into different orders with fewer than 100 domains each (#2333, thanks @cvocvo).
- Fixes "CryptographicException - Unable to store certificate" error that occurs when both `UseNextGenerationCryptoApi` are disabled (#2329, #1350), introduced in 2.2.2 and reported by many users, first by @douglassimaodev.
- Fixes verbose mode not being enabled when using the `/verbose` syntax instead of
- Fixes sensitive arguments being echoed back to logs when using the `/secret` syntax instead of
- Windows has two ways to handle private key material stored in the Certificate Store. There is the legacy method which stems from ancient history and the "Next-Generation" method (CNG) that was introduced in Windows Server 2008 and Vista. This program uses the legacy method by default, because some old software depends on it. For example, some older versions of Exchange are known to fail if the mail certificate is stored using CNG. Also, certificates stored using CNG cannot be directly exported from the IIS Manager regardless of the "exportable" setting (even though they are exportable in other ways). Those use cases are obviously limited and probably don't outweigh the security and flexibility benefits of using the CNG system for most users, so this release offers a new configuration setting `UseNextGenerationCryptoApi` to enable it.
- The disk log now always contains full verbose information, which will make it much easier for us to diagnose difficult-to-reproduce issues for users.
- The `PrivatekeyExportable` setting was moved from the `Security` section to the `Store.CertificateStore` section, because it's only relevant there. Having the setting present at the old location will still work to preserve backwards compatibility, but the default `settings.json` looks different now.
- The CSR source plugin was broken in release 2.2.0 (#2324, reported by @wldlkh)
- The GoDaddy validation plugin was broken in release 2.2.1 (#2323, reported by @LeeThompson)
- `--acl-fullcontrol` didn't work for EC private keys.
- Certificates were using CNG by default, but were supposed to use the legacy method for backwards compatibility (#2321, reported by @sunstarjeff)
- Add Linode (Akamai) plugin for DNS validation, contributed by @RedFox4
- Implemented a plugin system for the secret vault. This should be considered an experimental feature, but it allows developers to create backends for secret management that can run side-by-side with the built-in JSON file, making it possible to integrate third party solutions like Hashicorp or others into win-acme. All it takes is to implement the `ISecretService` interface and include the .dll in the program directory.
- `--validationmode tls-alpn-01` now works without also having to specify
- Set TTL=60 for Cloudflare and GoDaddy DNS validation for faster updates (#2312)
- DNS pre-validation fine-tuning: better logging, check all nameservers on each pass, randomize order.
- Support TLS-ALPN-01 validation on IPv6, requested by @no1d (#2307).
Note: some of these fixes were already included in later builds of version 2.2.0.
- Fix validation error messages returned by the server not showing properly
- Fix broken Azure plugin due to forwarding synchronous HTTP requests to an asynchronous handler, discovered by @ditchcode (#2311).
- Fix DNS and TLS-ALPN-01 validation plugins not selectable from the command line
- Fix TLS-ALPN-01 validation for multiple host names in one pass, discovered by @no1d (#2307)
- Fix broken filesystem/FTP/WebDAV validation, reported by @SteffenAL (#2305).
- Fix broken external plugins, first reported by @aadnehovda (#2304)
- Fix DNS pre-validation disabled by default for new installations (#2312)
- Fix DNS pre-validation using cached results, causing it to always fail when long TTL is used (#2312)
- DnsMadeEasy plugin is now actually built by CI/CD and included in the release assets
- Add missing `--friendlyname` parameter to command line description.
- Never delete cache files before the renewal period as defined by `ScheduledTask.RenewalDays` has passed, regardless of the user setting for `Cache.DeleteStaleFilesDays`, based on feedback by @AliDodd (#2319).
- The full options menu now exposes the 'order' step, which allows you to split your source into multiple certificates. This can be useful when you run into limits imposed by your ACME provider (e.g. Let's Encrypt only supports 100 host names per certificate), want to generate certificates for many websites without micro-managing the associated renewals, and/or want to prevent information disclosure through the SAN list. This feature has been available through the command line for a long time, but is now considered mature enough for a broader audience.
- With the new global validation options it's possible to create certificates with a mix of different validation options. You might for example use HTTP-01/FTP validation for `www.example.com` and DNS validation for `*.contoso.net`. Inspired by an idea coined by @JensSpanier (#2032). This also makes it easier to handle complicated validation settings. For example Azure requires some five pieces of difficult-to-remember information to do DNS validation, which until now had to be provided and maintained for each renewal separately.
- Added a new external plugin to store certificates in the CurrentUser store instead of the LocalSystem store, as requested by @cvalka2 and others (#2213).
- Added a new external plugin for DNS Made Easy, contributed by @cboyce428 (#2230)
- It's now possible to customize the file name used in the PFX and PEM store plugins, instead of that being hardwired to reflect the common name of the certificate, as requested by @Dezeptor (#2231).
- When disabling the certificate cache (setting it to 0 days) no private key material will be stored anywhere except when and where specifically requested. @florian-re brought this need to our attention (#2286).
- The renewal manager now includes an option to show the command line arguments that may be used to (re)create the renewal. This is not a 100% watertight solution because some things can only be done by going through the menus interactively, but it should help the discoverability of unattended mode and provide an easier path for people getting into automation. Suggested by @elitegoodguy and @cesarchefino.
- Plugins have seen many changes in this release, which is the reason this release is designated as version 2.2.0 instead of 2.1.24. If you've built your own plugin, you'll have to adapt it to use the new interfaces designed for this release. Generally this will increase code quality by reducing redundancy and resolving several awkward bits that sneaked in over the years as demands on the previous system shifted. As an end-user, this should have no noticeable effect, except for more meaningful and context-aware error messages in several places.
- The program is now built using .NET7, keeping up to date with the latest and greatest from Microsoft and improving the file size and reliability of the self-contained executable (e.g. #2192). Several of the larger classes have been refactored into smaller pieces to improve code readability and maintainability, and the whole solution has been cleaned of warnings.
- Download size of the trimmed package has been reduced by about 2MB.
- `Newtonsoft.Json` has been removed in favor of Microsoft's own
- Azure plugins for DNS and KeyVault have been updated to use the next-generation ResourceManager packages, as well as various other third party dependency updates.
- Added a "no cache" (`--nocache`) switch and renewal manager menu option to be specifically different from "force" (`--force`). The latter ensures that renewals are always due, while the former temporarily disables the cache. This resolves some illogical behaviour, as pointed out by @aleekso in #2257.
- Intermediate certificates will no longer be installed to the Windows Certificate Store in `--test` mode, as per Let's Encrypt's security recommendations. This helps to prevent your machine from trusting other test certificates.
- If an error happens during an otherwise successful renewal (e.g. triggered by an installation script), the notification system will still send a high priority notification, as requested by @baconliker in #2283.
- You will no longer be able to pick the IIS installation step more than once. There is currently never any need to do this, but the possibility led users to believe that it may be needed or useful (e.g. #2236).
- For ACME services that provide long-lived certificates, it's now possible to change the cache system to keep files longer than 120 days, as requested by @FISHMANPET (#2255).
- @mike6715b contributed an example script for the Veeam Cloud Gateway.
- An option has been added to `settings.json` to disable the datetime stamp that is normally appended to the friendly name of certificates, increasing the level of control over the final outcome, as requested by @willt (#2298).
- Attempting first-time setup with EAB credentials at ZeroSSL would fail due to the program asking for user input.
- Encrypt/decrypt private keys stored in the order cache when calling `--encrypt`; this was previously ignored.
- Don't show the message "Test message sent" when sending actually fails, reported by @kostamoisidis (#2208).
- The IIS FTP service would not always be detected properly, reported by @morhans (#2272)
- When cancelling a certificate using the command line, the cache would not be cleared.