Releases: caddyserver/certmagic
v0.16.2
This release primarily improves DNS challenges, making them more efficient and correct (mostly edge cases).
What's Changed
- Fix deadlock and improve efficiency for wildcard DNS challenges by @mholt in dce2de2
- Improve Windows CI cache by @mohammed90 in #189
- Set EDNS0 to 1232 bytes per recommendation by @mohammed90 in #188
- Use OverrideDomain when cleaning up DNS solver by @gjung56 in #193
New Contributors
- @mohammed90 made their first contribution in #189
- @gjung56 made their first contribution in #193
Full Changelog: v0.16.1...v0.16.2
v0.16.1
Minor enhancement allowing customization of the propagation delay/timeout for DNS challenge.
Full Changelog: v0.16.0...v0.16.1
v0.16.0
This release is hopefully one of the last major tags before a more stable CertMagic 1.0. It includes a number of breaking changes (for the better, I promise) -- so please pay attention:
- ⚠️ All storage methods now require a `context.Context` passed in. We also added it to `CleanUpOwnLocks()` and several other functions that end up calling Storage methods (e.g. `CacheUnmanagedTLSCertificate()`). Your editor, in combination with gopls (the Go language server), should be able to quickly tell you where context is missing.
- ⚠️ Storage methods now return `fs.ErrNotExist` if a file or key is not found, instead of `certmagic.ErrNotExist`, which has been removed. (The `io/fs` package did not exist when CertMagic was first written.)
- ⚠️ `ACMEManager` has been renamed to `ACMEIssuer`, and `CertificateManager` has been renamed to `Manager`. These renames make naming more consistent and accurate, and less confusing (since ACMEManager was not a CertificateManager, which is a new type).
- Certificate events now provide more useful, actionable information. See #150.
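The two storage-related breaking changes above (context on every method, `fs.ErrNotExist` for missing keys) are illustrated by the following added example. It is not CertMagic code and does not import the library: `Storage` here is a hypothetical stand-in that mirrors only the method shapes named in the notes (the real interface also carries locking, listing and stat methods), `MemStorage` is a constructed in-memory backend, and `LoadOrDefault` shows the caller-side idiom of checking `errors.Is(err, fs.ErrNotExist)` instead of comparing against a package-level error value.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io/fs"
	"sync"
)

// Storage is a hypothetical subset of the interface shape described in the
// v0.16.0 notes: every method takes a context.Context, and a missing key is
// reported with fs.ErrNotExist. It is written for this example only.
type Storage interface {
	Store(ctx context.Context, key string, value []byte) error
	Load(ctx context.Context, key string) ([]byte, error)
	Delete(ctx context.Context, key string) error
	Exists(ctx context.Context, key string) bool
}

// MemStorage is a constructed in-memory backend used to exercise the interface.
type MemStorage struct {
	mu   sync.RWMutex
	data map[string][]byte
}

func NewMemStorage() *MemStorage {
	return &MemStorage{data: make(map[string][]byte)}
}

func (m *MemStorage) Store(ctx context.Context, key string, value []byte) error {
	if err := ctx.Err(); err != nil {
		return err // honour cancellation before touching state
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	m.data[key] = append([]byte(nil), value...)
	return nil
}

func (m *MemStorage) Load(ctx context.Context, key string) ([]byte, error) {
	if err := ctx.Err(); err != nil {
		return nil, err
	}
	m.mu.RLock()
	defer m.mu.RUnlock()
	v, ok := m.data[key]
	if !ok {
		// Wrap fs.ErrNotExist so errors.Is still matches and the key is visible.
		return nil, fmt.Errorf("load %q: %w", key, fs.ErrNotExist)
	}
	return append([]byte(nil), v...), nil
}

func (m *MemStorage) Delete(ctx context.Context, key string) error {
	if err := ctx.Err(); err != nil {
		return err
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	if _, ok := m.data[key]; !ok {
		return fmt.Errorf("delete %q: %w", key, fs.ErrNotExist)
	}
	delete(m.data, key)
	return nil
}

func (m *MemStorage) Exists(ctx context.Context, key string) bool {
	if ctx.Err() != nil {
		return false
	}
	m.mu.RLock()
	defer m.mu.RUnlock()
	_, ok := m.data[key]
	return ok
}

// LoadOrDefault is the caller-side idiom: a missing key is recognised with
// errors.Is(err, fs.ErrNotExist) and replaced by def; any other error,
// including a cancelled context, is propagated unchanged so callers can
// distinguish "absent" from "storage is unreachable".
func LoadOrDefault(ctx context.Context, s Storage, key string, def []byte) ([]byte, error) {
	v, err := s.Load(ctx, key)
	switch {
	case err == nil:
		return v, nil
	case errors.Is(err, fs.ErrNotExist):
		return def, nil
	default:
		return nil, err
	}
}

func main() {
	s := NewMemStorage()
	ctx := context.Background()
	_ = s.Store(ctx, "certificates/example/example.crt", []byte("PEM..."))
	v, err := LoadOrDefault(ctx, s, "certificates/example/example.key", []byte("none"))
	fmt.Printf("%s %v\n", v, err)
}
```

Note that cancellation is checked before the mutex is taken, so a caller whose context has expired never blocks on a slow backend; the real interface additionally expects the lock methods to respect the context in the same way.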
I have personally submitted PRs to the more popular known storage implementations as a courtesy to help deal with the breaking changes.
The nuances of the logic in preparing for DNS challenges have changed slightly; hopefully it will work in more environments.
Thanks to all who contributed! Sorry for any inconvenience with the breaking changes; that's the joy of pre-1.0 libraries. We're almost there, though. It's been 5 years and we might finally be starting to get good at things.
What's Changed
- storage: Require fs.ErrNotExist (fix #168) by @mholt in #170
- Propagate context in the Storage interface methods by @hairyhenderson in #155
- Fix crash because of a zero value cert in cache by @skeetmtp in #177
- Always call checkDNSPropagation in DNS01Solver by @crccw in #179
- Provide more detailed information in certificate events by @francislavoie in #150
New Contributors
- @hairyhenderson made their first contribution in #155
- @skeetmtp made their first contribution in #177
Full Changelog: v0.15.4...v0.16.0
v0.15.4
What's Changed
- Fixed order of certificate loading so that private keys are loaded first by @sam-lord in #171
- Managers: Ability to call GetCertificate from external certificate sources by @mholt in #163
- Support OverrideDomain in DNS01Solver by @crccw in #160
New Contributors
Full Changelog: v0.15.3...v0.15.4
v0.15.3
Enhanced OCSP stapling support. Fixed automatic replacement of revoked certificates for on-demand certificates and some other edge cases.
What's Changed
- duplicate OnDemand default value assign check by @rjbasitali in #153
- Fix cacheAlmostFull calculation by @skirsten in #156
- Fix force-renewing revoked on-demand certs by @mholt in #166
New Contributors
- @rjbasitali made their first contribution in #153
- @skirsten made their first contribution in #156
Full Changelog: v0.15.2...v0.15.3
v0.15.2
v0.15.0
This release improves use at large scale:
- Adjusted default internal throttle for ACME transactions from 20 every minute to 10 every 10 seconds. This should allow for higher throughput with busy clients without impacting CA networks too much.
- Clarified in the docs that `NextProtos` needs to be set by you on a `tls.Config` if you are not using a CertMagic function that serves an application on top of TLS. In other words, if you're not using the `HTTPS()` function, you should set `NextProtos` to the proper values for your application. (This is not new, nor a change. Just a helpful note in the docs.)
- Fixed a bug that affected a small subset of users with lots of on-demand certificates (> 10,000) and some non-on-demand certificates that would cause the non-on-demand certificates to be evicted from the cache. They are now reloaded later if this happens. (Note: the non-on-demand certs must be managed; this won't work for manually-managed certs.)
- ⚠️ Changed `ManageSync()` to take a `context.Context` as the first argument, so that synchronous operations can also be cancelled and cleaned up. This is a breaking change that may affect a small subset of users.
v0.14.3
v0.14.0
A few fixes and enhancements:
- An experimental feature was fixed that automatically replaces certificates which have been revoked. Now it actually works.
- If a certificate is revoked specifically due to key compromise, the compromised key will be rotated out and the replacement certificate will use a new key.
- `ObtainCert()` and `RenewCert()` have been split into `Sync` and `Async` versions, similar to `ManageSync()` and `ManageAsync()`, to bring consistency to the exported API, as well as to make room for...
- ... forced renewals, which is now a boolean argument passed into the `RenewCert*()` methods. This will renew a certificate even if it is not expiring.
- Obtain operations will reuse existing private keys if already in storage. It is still a no-op if all certificate assets (cert, key, and meta) are already in storage.
- Improved logging of errors between issuers when obtaining and renewing certificates.
- If DNS resolvers are explicitly configured, they will be used exclusively and not fall back to system resolvers. This makes the DNS challenge solvers work better in weird DNS setups.