Diffstat (limited to '')
-rw-r--r-- | CHANGELOG | 166 |
1 files changed, 166 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..42d5761 --- /dev/null +++ b/CHANGELOG 
@@ -0,0 +1,166 @@ +# Change Log +This file contains a log of major changes in dehydrated + +## [0.7.1] - 2022-10-31 +## Changed +- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that +- Added support for EC secp521r1 algorithm (works with e.g. zerossl) +- `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software) + +## Fixed +- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers) +- Deprecated `egrep` usage has been removed + +## Added +- Implemented EC for account keys +- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs) +- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!) + +## [0.7.0] - 2020-12-10 +## Added +- Support for external account bindings +- Special support for ZeroSSL +- Support presets for some CAs instead of requiring URLs +- Allow requesting preferred chain (`--preferred-chain`) +- Added method to show CAs current terms of service (`--display-terms`) +- Allow setting path to domains.txt using cli arguments (`--domains-txt`) +- Added new cli command `--cleanupdelete` which deletes old files instead of archiving them + +## Fixed +- No more silent failures on broken hook-scripts +- Better error-handling with KEEP_GOING enabled +- Check actual order status instead of assuming it's valid +- Don't include keyAuthorization in challenge validation (RFC compliance) + +## Changed +- Using EC secp384r1 as default certificate type +- Use JSON.sh to parse JSON +- Use account URL instead of account ID (RFC compliance) +- Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated +- Added `OCSP_FETCH` and `OCSP_DAYS` to per-certificate configurable options +- Cleanup now also removes dangling symlinks + +## 
[0.6.5] - 2019-06-26 +## Fixed +- Fixed broken APIv1 compatibility from last update + +## [0.6.4] - 2019-06-25 +## Changed +- Fetch account ID from Location header instead of account json + +## [0.6.3] - 2019-06-25 +## Changed +- OCSP refresh interval is now configurable +- Implemented POST-as-GET +- Call exit_hook on errors (with error-message as first parameter) + +## Added +- Initial support for tls-alpn-01 validation +- New hook: sync_cert (for syncing certificate files to disk, see example hook description) + +## Fixes +- Fetch account information after registration to avoid missing account id + +## [0.6.2] - 2018-04-25 +## Added +- New deploy_ocsp hook +- Allow account registration with custom key + +## Changed +- Don't walk certificate chain for ACMEv2 (certificate contains chain by default) +- Improved documentation on wildcards + +## Fixes +- Added workaround for compatibility with filesystem ACLs +- Close unwanted external file-descriptors +- Fixed JSON parsing on force-renewal +- Fixed cleanup of challenge files/dns-entries on validation errors +- A few more minor fixes + +## [0.6.1] - 2018-03-13 +## Changed +- Use new ACME v2 endpoint by default + +## [0.6.0] - 2018-03-11 +## Changed +- Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support) +- Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory) + +## Added +- Support for ACME v02 (including wildcard certificates!) +- New hook: generate_csr (see example hook script for more information) +- Calling random hook on startup to make it clear to hook script authors that unknown hooks should just be ignored... 
+ +## [0.5.0] - 2018-01-13 +## Changed +- Certificate chain is now cached (CHAINCACHE) +- OpenSSL binary path is now configurable (OPENSSL) +- Cleanup now also moves revoked certificates + +## Added +- New feature for updating contact information (--account) +- Allow automatic cleanup on exit (AUTO_CLEANUP) +- Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH) +- Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation) +- Allow dehydrated to run as specified user (/group) + +## [0.4.0] - 2017-02-05 +## Changed +- dehydrated now asks you to read and accept the CAs terms of service before creating an account +- Skip challenges for already validated domains +- Removed need for some special commands (BusyBox compatibility) +- Exported a few more variables for use in hook-scripts +- fullchain.pem now actually contains the full chain instead of just the certificate with an intermediate cert + +## Added +- Added private-key rollover functionality +- Added `--lock-suffix` option for allowing parallel execution +- Added `invalid_challenge` hook +- Added `request_failure` hook +- Added `exit_hook` hook +- Added standalone `register` command + +## [0.3.1] - 2016-09-13 +## Changed +- Renamed project to `dehydrated`. +- Default WELLKNOWN location is now `/var/www/dehydrated` +- Config location is renamed to `dehydrated` (e.g. `/etc/dehydrated`) + +## [0.3.0] - 2016-09-07 +## Changed +- Config is now named `config` instead of `config.sh`! 
+- Location of domains.txt is now configurable via DOMAINS_TXT config variable +- Location of certs directory is now configurable via CERTDIR config variable +- signcsr command now also outputs chain certificate if --full-chain/-fc is set +- Location of account-key(s) changed +- Default WELLKNOWN location is now `/var/www/letsencrypt` +- New version of Let's Encrypt Subscriber Agreement + +## Added +- Added option to add CSR-flag indicating OCSP stapling to be mandatory +- Initial support for configuration on per-certificate base +- Support for per-CA account keys and custom config for output cert directory, license, etc. +- Added option to select IP version of name to address resolution +- Added option to run letsencrypt.sh without locks + +## Fixed +- letsencrypt.sh no longer stores account keys from invalid registrations + +## [0.2.0] - 2016-05-22 +### Changed +- PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys +- deploy_cert hook now also has the certificates timestamp as standalone parameter +- Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX) +- Private keys are now regenerated by default + +### Added +- Added documentation to repository + +### Fixed +- Fixed bug with uppercase names in domains.txt (script now converts everything to lowercase) +- mktemp no longer uses the deprecated `-t` parameter. +- Compatibility with "pretty" json + +## [0.1.0] - 2016-03-25 +### Changed +- This is the first numbered version of letsencrypt.sh |
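Review bot: The section headings from 0.7.1 down to 0.3.0 sit at the same level as the version headings (`## Changed`, `## Added`, `## Fixed` directly under `## [0.7.1] - 2022-10-31`), while 0.2.0 and 0.1.0 use `### Changed`, so in rendered markdown the sections of the newer releases do not nest under their release; use `###` throughout. The 0.6.3 and 0.6.2 entries also use `## Fixes` where the other releases use `Fixed`, which is worth normalising in the same pass. In the 0.7.1 entry, the `--force` line says what the flag no longer does but not what it still does; since this changes the meaning of an existing argument, add a few words stating the remaining behaviour so operators upgrading from 0.7.0 can tell whether they now need `--force-validation`.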