This is a high-level summary of the most important changes. For a full list of changes, see the git commit log and pick the appropriate release branch.
Features and Improvements:
- refactored NCLM ca handler using the external REST-API
- ca handler using the DigiCert CertCentral API
- ca handler using the Entrust ECS Enterprise API
- EAB Profiling support in Microsoft CA handlers
- #187 url option for mscertsrv ca handler
- subject profiling feature
- strip down python-impacket module in docker images
- strip down impacket RPM package
- YAML config file format supported in EAB-Profiling feature
- Upgrade Container images to Ubuntu 24.04
Bugfixes:
- openssl-ca-handler: basicConstraints extension will not be marked as critical anymore
- openssl-ca-handler: subjectkeyidentifier extension will not be marked as critical anymore
- fall-back option to python-openssl for Redhat deployments
- detect and handle django installations on Debian/Ubuntu systems
- automated schema updates in case of RPM updates
Features and Improvements:
- #153 Kerberos support in mscertsrv_handler
- allowed_domainlist checking in mswcce_handler
- timeout parameter in ms-wcce_handler to specify an enrollment timeout
- new tool to validate eab-files
- #165 EAB profiling for ejbca_handler
- #166 EAB profiling for acme_ca_handler
- documentation for active/active setup on Alma9 and Ubuntu 22.04
- #165 documentation of external database support via django_handler
Bugfixes:
- acme_srv.cfg will be preserved in case of RPM updates
- apache2_wsgi docker image will be tagged with latest
- #166 workaround for failed account lookups on smallstep-ca
Features and Improvements:
- Enrollment profiling via external account binding
- #144 configuration option to suppress product name
- #143 template name as part of the user-agent field in wcce/wes handler
- configuration option to limit the number of identifiers in a single order request
- burst parameter in example nginx.conf to ratelimit incoming requests
- container images for arm64 platforms
- regression tests on arm64 platforms
Bugfixes:
- #147 correct content-type for problem+json message
- updated eab-example files as hmac must be longer than 256 bits
- identifier sanitizing
Features and Improvements:
- some smaller modifications to run flawlessly on RedHat 8 and derivatives
- Workflows to test rpm-deployment on RHEL8 and RHEL9
Upgrade notes:
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Bugfixes:
- #134 - acme_srv_housekeeping: value too long for "name" field
- #135 - acme_srv_housekeeping dbversion is set back to 0.23.1 after container restart
Bugfixes:
- #132 - returning serial numbers in hex-format with leading zero
Upgrade notes:
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features and Improvements:
- Support draft-ietf-acme-ari-02: Renewal Information (ARI) Extension
- First version of Insta ASA CA handler
- winacme renewal-info workaround
- better logging to ease troubleshooting of eab
- code refactoring to improve f-string handling
Features and Improvements:
- #114 cert_validity_adjust parameter in openssl_ca_handler.py to limit certificate validity so that a certificate is never valid longer than any CA certificate in the certificate chain
Features and Improvements:
- refactor openssl_ca_handler.py and xca_ca_handler.py to replace pyopenssl
- type hints for large parts of the project
Upgrade notes:
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features and Improvements:
- use http-header attributes to pass data from acme-client to ca-handler
- ProfileID support in certifier_ca_handler.py
- Kerberos support in mswcce_ca_handler.py
- #122 support of sectigo-email-01 challenges
Bugfixes:
- #119 - handling of utf-8 encoded parameters in acme_srv.cfg
- adding python3-requests-ntlm dependency in control file for debian packages
- multiple smaller fixes in workflow files
- withdrawn as released by mistake
Upgrade notes:
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features and Improvements:
- Support RFC 8738: Certificates for IP addresses
- Support draft-ietf-acme-ari-01: Renewal Information (ARI) Extension
- Interoperability testing with Caddy as part of regular regression
Features and Improvements:
- input validation in django deployments
- return account status when querying the account endpoint or sending a request to new-account with empty payload
- merge codescanning workflows into a single file
Bugfixes:
Features and Improvements:
- interoperability testing with traefik
- refactor revocation function in openxpki_ca_handler to support revocation operation in certbot
- support pkcs7 loading in der format
- obsolete pyopenssl in various helper functions, est_ca_handler and mscertsrv_ca_handler
Bugfixes:
- sending alpn-extension in ClientHello message during tls-alpn-01 challenge validation
- removed misleading debug messages in openxpki_ca_handler.py
- support existing acme-accounts in acme_ca_handler.py
- address codesmells in dockerfiles
Features and Improvements:
- support ClientAuthentication in openxpki_ca_handler.py and est_ca_handler.py by using pkcs12 files
- provide pkcs12 passphrases for ejbca_ca_handler.py, openxpki_ca_handler.py and est_ca_handler.py as environment variables
Bugfixes:
- #104 - conffile support in debian package to avoid overriding configuration files
Bugfixes:
- replace obsoleted dns.resolver.query() with dns.resolver.resolve()
Features and Improvements:
Bugfixes:
- adding missing python modules to RPM spec file
- add revocation operations to CA handler regression test suite
Features and Improvements:
- reduce number of layers in docker images
- Workflows are using checkout@v3 actions
- default nginx ssl config file in rpm package corrected
- delete selinux configuration files after rpm installation
- delete obsolete files from repo
- rpm package tests during regression
- sbom generation as part of docker image create workflow
- rpm and deb package generation as part of create release workflow
- nginx django test workflows
Features and Improvements:
Bugfixes:
Features and Improvements:
- Healthcheck in directory resource #94
- check acme_srv.cfg for options starting with "
Bugfixes:
- #95
- workflow django psql workflow
- some more linting
Features and Improvements:
- containers got migrated to Ubuntu 22.04
- nclm handler supporting NCLM 22 and above
Bugfixes:
- pycodestyle 2.9.1 linting
- time adjustment in CMPv2 workflow to avoid race condition related timeouts
- link updates in README.md
- attribute type in error responses #92
Features and Improvements:
- support of enrollment hooks
- challenge_validation_timeout parameter in acme_srv.cfg
- cmpv2_ca_handler using the inbuilt cmp feature from openssl 3.0
- Github action to test certificate enrollment using CMPv2 protocol
- Github action to test certificate enrollment from NetGuard Certificate Lifecycle Manager
Bugfixes:
- RFC compliant content-type in error responses
Features and Improvements:
- CA handler using Microsoft Windows Client Certificate Enrollment Protocol
- asynchronous enrollment workflow using threading module
- option to re-use certificates enrolled within a certain time window
- workflow using Posh-ACME
Bugfixes:
- return challenge status when creating/polling Authorization resources
- remove duplicated certificate extension in openssl_ca_handler.py
- change challenge status to 'invalid' in case enrollment fails
Features and Improvements:
- disable TLSv1.0 and TLSv1.1 fallback when conducting tls-alpn-01 challenge validation
- python3-cryptography will be installed via pip to fulfill dependencies from pyOpenssl
- Changed encoding detection library from chardet to charset_normalizer
- lgtm conformance
Features and Improvements:
- support for django 3.x
- workflow for application testing using win-acme
- additional linting and pep8 conformance checks
Features and Improvements:
- pep8 conformance
- time adjustments in certmanager and django workflows
- addressing code-scanning alerts from bandit and CodeQL
Bugfixes:
- Authorization polling does not trigger challenge validation anymore
- Overcome database locking situations in django environments using sqlite3 backends
Features and Improvements:
Bugfixes:
Features and Improvements:
- absolute path support for CA- and EAB-handler
Bugfixes:
- fixed race condition in push_to_docker workflow
Upgrade notes:
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features and Improvements:
- proxy support for http and tls-alpn challenge validation and in several ca-handlers
- acme_ca_handler
- support for account registration and http_challenge validation
- openssl_ca_handler:
  - cn_enforce parameter to enforce setting a common name in certificate
  - whitelist parameter got renamed to allowed_domainlist
  - blocklist parameter got renamed to blocked_domainlist
- xca_ca_handler:
  - cn_enforce parameter to enforce setting a common name in certificate
Bugfixes:
- python request module - version pinning to 2.25.1
Upgrade notes:
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features:
- Generic ACME protocol handler
- CA handler for acme2dfn
- wsgi_db_handler: allow DB file path configuration
- allow setting config file location via environment variable
Improvements:
- acme module has been renamed to acme_srv to avoid naming clashes with acme-python
- allow GET method for newnonce
- don't verify SSL certificate during http-01 challenge validation
Features:
- CA-Handler configuration via environment variables:
- cmp_ca_handler: ref-num and passphrase
- certifier_ca_handler: api_user, api_password
- est_ca_handler: est_host, est_user, est_password
- mscertsrv_ca_handler: host, user, password
- nclm_ca_handler: api_user, api_password
- openssl_ca_handler: passphrase
- xca_ca_handler: passphrase
Bugfixes:
- don't overwrite group ownership for volume folder
- don't copy ca_handler file if a valid ca_handler was defined under CAhandler section in acme_srv.cfg
- django migrations files will get stored on volume
- avoidance of KU/EKU duplicates when using templates in xca_ca_handler
- alpn challenge handling in django deployments
- fix for handling of empty challenges
- more robust DNS challenge validation
Other improvements:
- CodeCoverage measurement via codecov.io
- Switch to acme.sh:latest in CI pipeline
- Regression test-cases for django deployments using either mariadb or postgres backends
- experimental CLI framework (not yet useable)
Upgrade notes:
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Bugfixes:
- fix for type field length in Challenge table
Bugfixes:
- additional fixes for dns-01 challenge validation (handling for *.foo.bar and foo.bar in the same csr)
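The corner case named above (a wildcard and its base name in the same CSR) comes from RFC 8555 §8.4: both identifiers are validated at the same `_acme-challenge` TXT name, so two records coexist and a validator must accept a match among all TXT records rather than insist on exactly one. The following is an added illustration, not acme2certifier's own validation code; the key authorizations, the in-memory "zone" and the `sample_lookup` resolver are constructed sample data.

```python
import base64
import hashlib
from typing import Callable, Set

# Constructed sample: one key authorization per identifier (token.thumbprint form).
SAMPLE_KEY_AUTHS = {
    "foo.bar": "tokenA.constructed-thumbprint",
    "*.foo.bar": "tokenB.constructed-thumbprint",
}


def dns01_record_name(identifier: str) -> str:
    """TXT name for a dns-01 challenge. A wildcard is validated at its base
    name, so '*.foo.bar' and 'foo.bar' share '_acme-challenge.foo.bar'."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return "_acme-challenge." + identifier.rstrip(".")


def dns01_expected_value(key_authorization: str) -> str:
    """base64url(SHA-256(key authorization)) without padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_dns01(identifier: str, key_authorization: str,
                   txt_lookup: Callable[[str], Set[str]]) -> bool:
    """Correct check: the expected value must be among the TXT records at the
    name; extra records for sibling identifiers are fine."""
    records = txt_lookup(dns01_record_name(identifier))
    return dns01_expected_value(key_authorization) in records


def validate_dns01_single_record(identifier: str, key_authorization: str,
                                 txt_lookup: Callable[[str], Set[str]]) -> bool:
    """The failure mode: requiring exactly one TXT record breaks as soon as a
    wildcard and its base name are validated together."""
    records = list(txt_lookup(dns01_record_name(identifier)))
    return len(records) == 1 and records[0] == dns01_expected_value(key_authorization)


def build_zone(key_auths: dict) -> dict:
    """Constructed DNS state: the records a client would publish for each identifier."""
    zone: dict = {}
    for ident, key_auth in key_auths.items():
        zone.setdefault(dns01_record_name(ident), set()).add(dns01_expected_value(key_auth))
    return zone


SAMPLE_ZONE = build_zone(SAMPLE_KEY_AUTHS)


def sample_lookup(name: str) -> Set[str]:
    """Stand-in for a TXT resolver; returns the constructed zone's records."""
    return SAMPLE_ZONE.get(name, set())


if __name__ == "__main__":
    for ident, key_auth in SAMPLE_KEY_AUTHS.items():
        print(ident, "any-match:", validate_dns01(ident, key_auth, sample_lookup),
              "single-record:", validate_dns01_single_record(ident, key_auth, sample_lookup))
```

Both identifiers validate with the any-match check and both fail with the single-record check, because the shared name carries two TXT values. A real resolver should also query authoritative data rather than a cached answer, otherwise a stale record from an earlier order is compared instead of the current one.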
Bugfixes:
- fixes for dns-01 challenge validation
- default ku settings when using xca templates
Upgrade notes:
- You need to run the upgrade-script after updating the package
Features:
- support for tls-alpn-01 challenges
- eab kid logging and reporting
Bugfixes:
- database scheme versioning
Upgrade notes:
- You need to run the upgrade-script after updating the package
Features:
- support for External Account Binding
Bugfixes:
- acme2certifier_wsgi.py - newaccount() - initializeAccount() class as context handler
Upgrade notes:
- You need to run the upgrade-script after updating the package
Bugfixes:
- helper.py - fqdn_resolve() - resolve AAAA records
- helper.py - url_get() - ipv4 fallback during http challenge validation
Features:
- template support in xca_handler.py and nclm_ca_handler.py
- docker images at ghcr.io
Bugfixes/Improvements:
- refactor nclm_ca_handler.py
- refactor certifier_ca_handler.py
- workflows for
- code-scanning (CodeQL and Bandit)
- ca_handler tests
- phonito security scans
Upgrade notes:
- You need to run the upgrade-script after updating the package
Bugfixes:
- helper.py - fqdn_resolve() - resolve AAAA records
Upgrade notes:
- it is enough to run the upgrade script. Depending on your configuration you need to either run tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
Features:
- docker images containing nginx
- readymade images at dockerhub
Bugfixes/Improvements:
- several fixes in unit-tests
- unit-tests are split into separate files
- unittests for certifier_ca_handler.py
- documentation updates
- Github actions to test
- certificate enrollment for all four containerized deployment options
- tnauth functionality
- image creation and dockerhub upload
Bugfixes:
- cmp_ca_handler.py - avoid crash if tmp_dir has not been specified in config-files
- order.py - expiry date will be added during authz creation
- authorization.py - corner cases handling in case authz expiry is set to 0
- wiki-update.yml - checkout from grindsa/github-wiki-publish-action@customize_wiki_title
- *.md - meta tag "wiki-name" added
Upgrade notes:
- take a backup of your acme_srv.db before doing the upgrade
- update your db_handler.py with the latest version from the examples/db_handler directory
- database scheme gets updated. Please run either tools/db_update.py when using the wsgi_handler or tools/django_update.py in case you are using the django_handler
- orders and authorizations expire based on (pre)configured timers
- default expiration timer is 86400 seconds and can be adjusted in acme_srv.cfg
- auto expiration can be disabled in acme_srv.cfg. Check docs/acme_srv.md for further information.
- the expiration checks and order/authorization invalidation will be triggered in case a client accesses an order or authorization resource. It is recommended to run the script tools/invalidator.py after the upgrade to manually check and invalidate expired authorizations and orders and update issuing- and expiration date in the certificate table.
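The two mechanisms described in the upgrade notes above (expiry checked lazily when a client accesses an order or authorization, plus a one-shot sweep run after the upgrade) are shown below as an added example; this is not acme2certifier's code and it does not read acme_srv.cfg. The 86400-second default is taken from the notes, the record layout, the statuses and the `created` timestamps are constructed, and a timer of 0 is treated as "auto expiration disabled" (an assumption mirroring the "authz expiry is set to 0" corner case in the bugfixes).

```python
from typing import Dict, List

# Default from the upgrade notes; the real value comes from acme_srv.cfg (key not shown here).
DEFAULT_EXPIRY_SECONDS = 86400


def is_expired(created_at: int, now: int,
               expiry_seconds: int = DEFAULT_EXPIRY_SECONDS) -> bool:
    """True once a resource created at `created_at` (epoch seconds) outlives its timer.
    A timer of 0 (or less) disables auto expiration (assumption)."""
    if expiry_seconds <= 0:
        return False
    return now >= created_at + expiry_seconds


def expire_authorization(authz: dict, now: int,
                         expiry_seconds: int = DEFAULT_EXPIRY_SECONDS) -> bool:
    """Pending authorizations past their timer become 'expired' (RFC 8555 status)."""
    if authz["status"] == "pending" and is_expired(authz["created"], now, expiry_seconds):
        authz["status"] = "expired"
        return True
    return False


def expire_order(order: dict, authzs: Dict[str, dict], now: int,
                 expiry_seconds: int = DEFAULT_EXPIRY_SECONDS) -> bool:
    """Expire the order's authorizations, then the order itself ('invalid')."""
    changed = False
    for name in order["authorizations"]:
        changed = expire_authorization(authzs[name], now, expiry_seconds) or changed
    if order["status"] in ("pending", "ready") and is_expired(order["created"], now, expiry_seconds):
        order["status"] = "invalid"
        changed = True
    return changed


def get_order(orders: Dict[str, dict], authzs: Dict[str, dict], name: str, now: int,
              expiry_seconds: int = DEFAULT_EXPIRY_SECONDS) -> dict:
    """Lazy path: the check runs when a client accesses the order resource."""
    order = orders[name]
    expire_order(order, authzs, now, expiry_seconds)
    return order


def invalidate_all(orders: Dict[str, dict], authzs: Dict[str, dict], now: int,
                   expiry_seconds: int = DEFAULT_EXPIRY_SECONDS) -> List[str]:
    """Sweep path, like a one-shot invalidator run after the upgrade.
    Returns the names of orders that were changed."""
    return [name for name, order in orders.items()
            if expire_order(order, authzs, now, expiry_seconds)]


def sample_state(now: int):
    """Constructed database content: one stale pending order, one fresh one, one finished."""
    authzs = {
        "authz-old": {"status": "pending", "created": now - 2 * 86400},
        "authz-new": {"status": "pending", "created": now - 60},
        "authz-done": {"status": "valid", "created": now - 2 * 86400},
    }
    orders = {
        "order-old": {"status": "pending", "created": now - 2 * 86400, "authorizations": ["authz-old"]},
        "order-new": {"status": "pending", "created": now - 60, "authorizations": ["authz-new"]},
        "order-done": {"status": "valid", "created": now - 2 * 86400, "authorizations": ["authz-done"]},
    }
    return orders, authzs


if __name__ == "__main__":
    import time
    orders, authzs = sample_state(int(time.time()))
    print("invalidated:", invalidate_all(orders, authzs, int(time.time())))
```

Finished orders are left alone: only pending or ready orders and pending authorizations are subject to the timer, so a valid certificate order is never flipped to invalid by housekeeping.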
Features:
- ca_handler can be specified in acme_srv.cfg
- certifier_ca_handler.py - handling of der encoded certificates in trigger() method
- issuing date and expiration date will be stored in the certificate table
- xca_ca_handler: new variable issuing_ca_key
- basic reporting and housekeeping
- order and authorization expiration
- method to remove expired certificates from database. Check the certificate_cleanup method in docs/housekeeping.md for further information
- database versioning and error logging in case of version mismatch
Bugfixes:
- Base64 encoding in certifier_trigger.sh (removed blanks by using -w 0)
- improved exception handling in case of database-errors
Upgrade notes:
- database scheme gets updated. Depending on the db_handler you need to:
  - run py manage.py makemigrations && py manage.py migrate in case you use the django_handler
  - execute the tools/db_upgrade.py script when using the wsgi_handler
- run
Features:
- http_x_forward header support
- configurable tos
- option to disable contact check
- option to disable tos check
Bugfixes:
- mscertsrv_ca_handler: #37 - pkcs#7 to pem conversion
- mscertsrv_ca_handler: CRLF to LF conversion
- #35 rfc608 compliant contact checking
- xca_handler: #38 - prevent error message leakage to client
Features:
- option to mandate the usage of ecc keys
- openssl_handler: "save_as_hex" option
- openssl_handler: black/whitelist support
- openssl_handler: option to configure customized cert extensions
- option to configure custom dns resolvers
- xca_handler
- Additional client support (lego and win-acme)
Bugfixes:
- updated license
- empty CRL handling
- string parsing in
b64_url_encode()
- py3 support for est_handler
- #9 - base64-parsing of dns challenge
- openssl_handler: set correct x509 version
- openssl_handler: mandatory cert-extensions
- harmonization of apache config files
- migration support for docker_django deployment
Features:
- Challenge polling
- Support for CA polling and call-backs
- Certificate profiling in openssl handler
- SSL support
- Container deployments
- Django project with mysql as backend database
Features:
- support ECC keys
- key update and key roll-over support
- generic CMPv2 handler
Features:
- EST and certsrv support
Features:
- CSR validation against order identifiers
Features:
- experimental TNAuthList identifier and tkauth-01 challenge support
- compatibility with Python3