
Releases: win-acme/win-acme

v2.2.9.1

25 May 19:07

New

Enhancements

  • This release changes the implementation of ARI (ACME Renewal Information) from the draft 1 to draft 3 of the specification, to remain compatible with the leading implementation in Boulder / Let's Encrypt. Previous win-acme releases from 2.2.3 to 2.2.8 are currently reporting non-fatal errors because draft 1 compatibility was dropped by Let's Encrypt (#2582).
  • Certificate handling now leans almost exclusively on the BouncyCastle library instead of native .NET methods. A conversion is only done when storing certificates in the Windows Certificate Store, which makes the whole system more robust against the quirky ways that Windows can handle private keys under specific circumstances (e.g. missing/temporary user profiles, group policies, etc.).
  • In rare cases the program would hang indefinitely at startup due to a bug in the proxy detection logic somewhere in the Microsoft platform. In this release the first connection attempt times out after 30 seconds and then automatically retries with proxy detection disabled. Reported by @eliassal in #2567, but previously seen a lot in AWS instances (e.g. #1127, #2203).
  • Improve support for EnTrust and possibly other not-quite standard ACME implementations. Reported and tested by @danieltintinkarlsson (#2570)
  • @cboyce428 improved error logging for various DNS plugins (#2577)
  • When using --nocache, any previously successful validations are discarded before starting the run, suggested by @JT-Moore (#2583)
  • Use proper random passwords instead of empty strings or GUIDs for in-memory manipulation of certificates.
  • Updated various third party dependencies to their latest versions
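To illustrate what the ARI draft change above is about, here is an added example (not win-acme's code) that builds the draft-03 certificate identifier used to query a CA's renewalInfo endpoint: the base64url-encoded keyIdentifier of the certificate's Authority Key Identifier extension, a literal period, and the base64url-encoded content octets of the DER-encoded serial number, all with trailing "=" padding stripped. The AKI bytes, serial and expected identifier are the test vector from the draft's own example; the renewalInfo base URL is a constructed placeholder. The serial encoding is the part worth getting right: a serial whose top bit is set needs a leading 0x00 byte, otherwise the identifier will not match what the CA computes.

```python
import base64

# Test vector from the example in draft-ietf-acme-ari-03:
# AKI keyIdentifier bytes, serial number 0x87654321, and the identifier they produce.
EXAMPLE_AKI = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
EXAMPLE_SERIAL = 0x87654321
EXAMPLE_ID = "aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE"


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the trailing '=' padding removed, as the draft requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER (no tag/length): big-endian two's complement,
    minimal length. A positive value whose high bit is set gets a leading 0x00 so it
    is not interpreted as negative."""
    if value < 0:
        raise ValueError("certificate serial numbers are positive integers")
    length = max(1, (value.bit_length() + 7) // 8)
    raw = value.to_bytes(length, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """draft-03 identifier: base64url(AKI keyIdentifier) '.' base64url(DER serial content)."""
    if not aki_key_identifier:
        raise ValueError("certificate has no Authority Key Identifier keyIdentifier")
    return f"{b64url_nopad(aki_key_identifier)}.{b64url_nopad(der_integer_content(serial))}"


def renewal_info_url(renewal_info_base: str, aki_key_identifier: bytes, serial: int) -> str:
    """Join the directory's renewalInfo URL and the identifier with exactly one '/'."""
    return renewal_info_base.rstrip("/") + "/" + ari_cert_id(aki_key_identifier, serial)


if __name__ == "__main__":
    cid = ari_cert_id(EXAMPLE_AKI, EXAMPLE_SERIAL)
    print(cid, "matches draft example:", cid == EXAMPLE_ID)
    # Constructed placeholder base URL; a real client takes it from the ACME directory.
    print(renewal_info_url("https://ca.example/renewalInfo", EXAMPLE_AKI, EXAMPLE_SERIAL))
```

A client that still sends a draft-1 style identifier gets an error from a server that only understands draft 3, which is the non-fatal error the note above describes for older win-acme releases.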

Bugs

  • @cjs59 fixed a bug in the InstallExchangeHybrid.ps1 example script that caused it to fail for Sectigo and other ACME providers (#2568)
  • Version 2.2.8 was missing a new .dll file required for the Azure DNS plugin, first reported by @oeriksen (#2536)
  • The Aliyun (Alibaba) plugin was not working for sub domains. Reported by @LEIRONGHUA and fixed by @zgcwkj (#2537)
  • Fixed the dreaded CryptographicException: Bad Data error that happened for some users, thanks to @akintali for testing (#2493)
  • The --import command now respects the --notaskscheduler option.
  • @rmja fixed the Simply plugin for DNS records with empty priority fields

Sponsors

This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:

Support

If you want to support the win-acme project, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.

v2.2.9

16 May 21:19
Pre-release

Please refer to v2.2.9.1 instead.

v2.2.8

27 Feb 23:22

New

Enhancements

  • When using the setting Store.CertificateStore.PrivateKeyExportable (or its legacy version: Security.PrivateKeyExportable) the program will now automatically grant read access to the private key to the administrators group. On recent versions of Windows this appears to be required to allow the administrator to actually export the certificate after a renewal run by the Task Scheduler under the SYSTEM account. Reported by @mont-foray in #2529.
  • The English names administrators and network service provided to --acl-fullcontrol or --acl-read are now automatically translated to the appropriate local names on international versions of Windows. It's also now possible to provide SIDs (e.g. S-1-5-...) for other advanced scenarios. Inspired by feedback provided by @rgomezc in #2529.
  • Updated various third party dependencies.
  • Updated the static version of the public suffix list for systems that are not permitted to download it.

Bugfixes

  • In version 2.2.7 it was not possible to generate certificates with an IDN as the common name, reported by @jari-e21 in #2532.
  • Errors in the DnsMadeEasy plugin were not logged properly, reported by @Wlad-R in #2528.

v2.2.7.1

02 Feb 21:50

Enhancements

  • Renewed code signing certificate.
  • Forced background color is now disabled by default and must be specifically enabled in settings.json by setting UI.Color.Background to "black". So far this is the one and only option available.

Bugs

  • Fixed typo in settings ParellelBatchSize > ParallelBatchSize, as noticed by @sunstarjeff in #2509.
  • Disable VT100 color coding on Windows 2012 or lower (#2513, first reported by @SistemasMabisy)
  • Fix crash on redirected console output (#2519, reported by @davist)
  • DeleteStaleFiles had been set to true by default, but is supposed to be false (seen by @North3rnL1ght in #2518)

v2.2.7

23 Jan 19:59

New

  • Added support for a new type of plugin to send notifications to custom channels. For years win-acme has supported sending email notifications, but many organisations prefer different channels like Slack, Discourse or even Teams. If you're familiar with C#, you can implement the INotificationTarget interface with just a handful of functions to send notifications however you want. If you're willing to show and share your work, contributions are obviously welcome!
  • Example script for SQL Server contributed by @zivillian (#2458)

Enhancements

  • Force black background for TUI rendering, to accommodate people with custom console themes with light backgrounds (#2451, requested by @prensing)
  • Log all HTTP requests that do not return a success code as warnings to make potential API/connection problems easier to spot (#2505, based on feedback by @djoris)
  • Software name and version now displayed in console title.
  • Add --acl-read parameter for the CertificateStore plugin, granting local principals read access to the private key, complementing the pre-existing --acl-fullcontrol parameter.
  • Add a new setting Validation.ParallelBatchSize that can be used to limit the number of simultaneous validations happening. In extreme cases, unlimited parallelism can lead to problems like overrunning the maximum size of a DNS response. Default for existing installations is 100 and for new installations 20.
  • Use DER instead of BER encoding for internal certificate processing in hopes of avoiding "Bad Data" errors reported by some users (#2493)
  • Add support for certificates without common name, which have been supported by Let's Encrypt since November. Also added additional validation to prevent attempts to order certificates with common names longer than 64 characters.
  • @christaylorcodes added a retry mechanism to the ImportRSDFull.ps1 example, thanks for helping!
  • Update various third-party dependencies.

Bugfixes

  • Crash when sorting on due date in the renewal manager (#2449, thanks @nrcionline!)
  • Crash when the settings.json file cannot be (fully) parsed.
  • Superfluous prevalidation checks could be done when using multithreaded validation (#2485, discovered by @JensSpanier)
  • Renewal information from services outside Let's Encrypt could not be retrieved due to missing / in url (#2498, reported by @grindsa)
  • TransIP DNS validation plugin would not handle errors during initial authentication properly (#2505, found by @djoris)

Sponsors

This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.

v2.2.6

26 Sep 09:04
26328dd

Features

  • The FTP validation plugin gained an option to use the GnuTLS library for FTPS connections, as the default TLS implementation provided in .NET/Windows suffers from compatibility issues with various Unix-based FTP servers. For more background on this subject check this page by the FluentFTP project. Using this requires:

    • A change in config: Validation.Ftp.UseGnuTls = true
    • The pluggable x64 release of win-acme (it is not available for x86 or ARM due to limitations of the upstream package, and also doesn't work on the trimmed build)
    • Download and extract the additional artifact gnutls.v{build}.x64.zip

    We recommend you only do this as a last resort when other validation methods fail, because there are some limitations of this connection method documented on the link above. This was all initiated based on feedback by @cuper6.

Enhancements

  • A new toggle has been added to settings.json which allows you to disable certificate validation for the ACME endpoint, useful for people running their own ACME CA using a self-signed certificate (requested by @100110010111 in #2431).
  • The Azure DNS validation plugin no longer requires permissions to the Resource Group that hosts the DNS zone. Thanks to @sveng-r for testing in #2372.
  • @jcazier-umich improved the ImportJKS.ps1 example script by using $env:JAVA_HOME instead of a hardcoded path (#2408).
  • Improved documentation and validation for the Google Cloud DNS plugin, based on feedback from @timothydilbert
  • When customizing the notAfter settings, fractional seconds are no longer sent to the server, because that level of accuracy is overkill and some providers throw errors upon receiving them (thanks for testing @timothyd09 in #2394)
  • Update various third party dependencies (Autofac, FluentFTP, MailKit, Serilog, etc.)
  • More verbose logging for DNS pre-validation in case of query failures

Bug fixes

  • Filter illegal characters from the ClientName setting when creating the scheduled task, preventing failures (reported by @andrewsauder in #2410).
  • In rare circumstances sorting the renewals in the Renewal Manager could result in an error (reported by @nrcionline in #2401).
  • The Central Certificate Store plugin was broken for international domain names (noticed by @Nelo-cool in #2434).
  • The PFX file plugin didn't properly update pre-existing files, which may have caused corruption upon renewal (noticed by @efficiondave in #2397).
  • The --nocache switch (and interactive menu option) could still reuse previously generated private keys.

v2.2.5.1

08 Jun 21:48
5ca0321

Bug fixes

  • Event and disk logging was broken in v2.2.5 due to a Serilog change that affected single-file publishing and therefore only showed up after the final redistributable was compiled. Thanks for the heads-up @tsimmons (#2395).
  • Round notAfter dates to whole hours, as at least Sectigo doesn't accept anything smaller, based on feedback from @timothyd09 (#2394)

v2.2.5

07 Jun 13:24
5b96536

New features

  • New command line argument --register which can be used to set up a new ACME account in unattended mode without the need to immediately create a certificate. Based on feedback from @ArthurHNL (#2391).
  • A new setting Order.DefaultValidDays can now be used to request certificates that are valid for a shorter time than the default offered by the server. Note that this is not supported by Let's Encrypt at this point, but it should work for Sectigo among others. Requested by @timothyd09 (#2394)
  • Customize the CSR signature algorithm using the settings Csr.Rsa.SignatureAlgorithm and Csr.Ec.SignatureAlgorithm. The defaults remain unchanged at SHA512withRSA and SHA512withECDSA respectively. As requested by @julieolson-gs (#2385).

Enhancements

  • The DNS resolver has been refactored to fall back to the default servers whenever authoritative servers cannot be found or contacted. This makes the algorithm more robust in firewalled, misconfigured or other exceptional network environments. On a related note, for new installations, we now also default to the local system DNS instead of trusted external ones like Google (8.8.8.8), which will also prevent users in secured environments from running into issues (based on feedback by @jamesarbrown #2389).
  • When the program fails to send an email notification, the SMTP messages will be shown to allow for easier troubleshooting. Suggested by @Zennate (#2388).
  • GoDaddy DNS validation makes it mandatory to provide an API secret. Legacy authentication using only an API key appears to have been deprecated by this provider. Noticed by @rafalsk in #2376.
  • Amazon/AWS Route53 DNS validation prompts and messaging is now more clear about expecting an IAM name instead of an ARN, preventing users like @TheSkorm from getting headaches while trying to guess at this (#2378).
  • RFC2136 DNS validation has learned to look up server host names, so that it's no longer required to configure an IP address (#2364, thanks for testing @JensSpanier).
  • RFC2136 DNS validation will now try to update/create records in different zones. E.g. if the record _acme-challenge.www.example.com cannot be created in the zone example.com (e.g. because it doesn't exist), it will also try to create it in the zone www.example.com (based on feedback by @jamesarbrown #2389).
  • Update various third party dependencies and remove some superfluous ones.

Bug fixes

  • The "More options" menu can be used to do initial account setup again, a feature that got lost in v2.2.3 (#2367, reported by @amuen2b).
  • Setting ScheduledTask.RenewalMinimumValidDays didn't have the desired effect anymore since v2.3.3 (#2371, reported by @marconfus).
  • In some rare cases the error message The added or subtracted value results in an un-representable DateTime could appear when loading renewals after an upgrade, reported by @akuropa.
  • The private key would not be included in the generated certificate if/when an ACME server decides to preface the PEM data with a comment, as was the case for @Moechen in #2342.
  • The program would fail to parse certificates when Windows is configured to use the Thai locale. Thanks to @baxing for reporting this (#2370).
  • RFC2136 DNS validation would not clean up records after validation (#2364, thanks for testing @JensSpanier).
  • The program did not import intermediate certificates since v2.1.18, thanks for the PR and bug report @AlexanderS.

v2.2.4

20 Apr 19:24
46e9aa5

New features

  • Experimental/beta version of RFC2136 validation (i.e. standard dynamic DNS updates), as requested by @loxK (#1741). The code is untested but based on a simple example provided by the author of ARSoft.Tools.Net, which we use to implement it. Would love to receive feedback on the working of the plugin.

Enhancements

  • Update various third party dependencies, including move to the official .NET Core version of Bouncy Castle that was released earlier this year.

Bug fixes

  • Renewals using a regular expression to filter IIS bindings created in version 2.1.x would not load properly in version 2.2.x, thanks @FootStark for the bug report! (#2361)
  • Set TTL=60 for Azure DNS validation when creating new RecordSet to prevent BadRequest error, noticed by @tenscrolls (#2359)

v2.2.3.1

15 Apr 19:21
0ef4d70

Bugfixes

  • Error decoding the (empty) response returned from ARI updates (#2353, thanks for the PR @jre-lsft)
  • Duplicate menu shortcut, making it impossible to select the second option (#2352, thanks @UweKeim)