v2.1.22

@WouterTinus WouterTinus released this 07 May 12:22
cf5caae

Features

@rmja contributed a DNS validation plugin for Simply DNS.

Enhancements

  • Greatly enhanced the practical usability of Order plugins, which can be used to split a single renewal into multiple certificates. You can use this, for example, to very easily get a separate certificate for each website in IIS, without spending a lot of time creating and managing separate renewals. Order plugins are still a somewhat "hidden" feature because from interactive mode you automatically choose the "single order" plugin, even when you go through the full options menu. But they are documented and usable through the command line.
    • It's now possible to validate different orders from the same renewal in parallel, saving a lot of time when using one of the DNS methods. Note that not every DNS plugin supports this parallel mode of operation, but some of the more popular ones (Azure and AWS) do. This requires DisableMultiThreading to be set to false in settings.json.
    • The cache mechanism has improved to better handle renewals with multiple orders, both in terms of correctness and performance.
    • Fix a bug where IIS installation might not work properly when combined with an Order plugin.
    • Fix a bug where Order plugins should not be available when using a manual CSR.
    • Fix a bug where the program would complain about >100 SAN names, even though the renewal was going to split.
    • Better feedback through log messages.
  • It's now possible to randomize the date when the renewal should run. This is useful for anyone worried about the impact of updating a large number of certificates all at once. This works both with renewals and with specific orders within the renewal. E.g. if you have 1000 certificates to manage, you can configure the program to randomly renew ~100 of them every day over a 10 day period, by setting RenewalDaysRange to 10 in settings.json. The default behaviour remains identical to previous versions.
  • The PfxFile store plugin now uses the BouncyCastle library instead of native .NET code to export the archive, which makes the key identifiers predictable and therefore easier to consume.
  • @skacurt made the CloudFlare plugin a bit more efficient by requesting 50 zones per page instead of 20.
  • Improved logging and exception handling around certificate downloads.
  • @SysAdmLS made it possible to use .cmd as an extension for the script installer.
  • #2081 - For DNS pre-validation the program will no longer try to communicate with the root servers, because we found a case where there was an unexplainable difference between the root servers' replies and replies by all major public providers.
  • The FTP(S) validation plugin is now based on FluentFtp.NET instead of the (recently deprecated) FtpWebRequest from .NET. This modern library makes the plugin much more reliable and able to talk to more types of servers.
  • #2085 - When using the Script DNS validation plugin, it's now possible to enable parallel operations using the --dnsscriptparallelism parameter or by answering a question in the UI. This allows multiple records to be validated simultaneously, which can be a big time saver due to propagation delay issues. Requested by @LumKitty.
  • Update various NuGet packages

Bugs

  • #2084 - Using a manual CSR was broken in one of the recent releases. Thanks for the report @navels!
  • #2076 - Fix superfluous warning messages about "Existing https binding ... not updated" when targeting multiple IIS sites for installation, thanks @Duber888 and @ppetrov for helping to reproduce this issue.
  • #1970 - It was not possible to combine --renew with --friendlyname to filter which certificate should be renewed. Found by @roddharris.
  • When using the IIS Central Certificate Store, the program would sometimes fail to create new bindings, even though they were needed.