Releases: dehydrated-io/dehydrated
Releases · dehydrated-io/dehydrated
v0.7.1
[0.7.1] - 2022-10-31
Changed
--force
no longer forces domain name revalidation by default, a new argument--force-validation
has been added for that- Added support for EC secp521r1 algorithm (works with e.g. zerossl)
EC PARAMETERS
are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
Fixed
- Requests resulting in
badNonce
errors are now automatically retried (fixes operation with LE staging servers) - Deprecated
egrep
usage has been removed
Added
- Implemented EC for account keys
- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)
- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!)
v0.7.0
[0.7.0] - 2020-12-10
Added
- Support for external account bindings
- Special support for ZeroSSL
- Support presets for some CAs instead of requiring URLs
- Allow requesting preferred chain (
--preferred-chain
) - Added method to show CAs current terms of service (
--display-terms
) - Allow setting path to domains.txt using cli arguments (
--domains-txt
) - Added new cli command
--cleanupdelete
which deletes old files instead of archiving them
Fixed
- No more silent failures on broken hook-scripts
- Better error-handling with KEEP_GOING enabled
- Check actual order status instead of assuming it's valid
- Don't include keyAuthorization in challenge validation (RFC compliance)
Changed
- Using EC secp384r1 as default certificate type
- Use JSON.sh to parse JSON
- Use account URL instead of account ID (RFC compliance)
- Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
- Added
OCSP_FETCH
andOCSP_DAYS
to per-certificate configurable options - Cleanup now also removes dangling symlinks
v0.6.5
v0.6.4
v0.6.3
[0.6.3] - 2019-06-25
Changed
- OCSP refresh interval is now configurable
- Implemented POST-as-GET
- Call exit_hook on errors (with error-message as first parameter)
Added
- Initial support for tls-alpn-01 validation
- New hook: sync_cert (for syncing certificate files to disk, see example hook description)
Fixes
- Fetch account information after registration to avoid missing account id
v0.6.2
[0.6.2] - 2018-04-25
Added
- New deploy_ocsp hook
- Allow account registration with custom key
Changed
- Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
- Improved documentation on wildcards
Fixes
- Added workaround for compatibility with filesystem ACLs
- Close unwanted external file-descriptors
- Fixed JSON parsing on force-renewal
- Fixed cleanup of challenge files/dns-entries on validation errors
- A few more minor fixes
v0.6.1
v0.6.0
[0.6.0] - 2018-03-11
Changed
- Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
- Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory)
Added
- Support for ACME v02 (including wildcard certificates!)
- New hook: generate_csr (see example hook script for more information)
- Calling random hook on startup to make it clear to hook script authors that unknown hooks should just be ignored...
Version 0.5.0
[0.5.0] - 2018-01-13
Changed
- Certificate chain is now cached (CHAINCACHE)
- OpenSSL binary path is now configurable (OPENSSL)
- Cleanup now also moves revoked certificates
Added
- New feature for updating contact information (--account)
- Allow automatic cleanup on exit (AUTO_CLEANUP)
- Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
- Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
- Allow dehydrated to run as specified user (/group)
Version 0.4.0
[0.4.0] - 2017-02-05
Changed
- dehydrated now asks you to read and accept the CAs terms of service before creating an account
- Skip challenges for already validated domains
- Removed need for some special commands (BusyBox compatibility)
- Exported a few more variables for use in hook-scripts
- fullchain.pem now actually contains the full chain instead of just the certificate with an intermediate cert
Added
- Added private-key rollover functionality
- Added
--lock-suffix
option for allowing parallel execution - Added
invalid_challenge
hook - Added
request_failure
hook - Added
exit_hook
hook - Added standalone
register
command