| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
### Added
- Support for obtaining wildcard certificates and a newer version of the ACME
protocol such as the one implemented by Let's Encrypt's upcoming ACMEv2
endpoint was added to Certbot and its ACME library. Certbot still works with
older ACME versions and will automatically change the version of the protocol
used based on the version the ACME CA implements.
- The Apache and Nginx plugins are now able to automatically install a wildcard
certificate to multiple virtual hosts that you select from your server
configuration.
- The `certbot install` command now accepts the `--cert-name` flag for
selecting a certificate.
- `acme.client.BackwardsCompatibleClientV2` was added to Certbot's ACME library
which automatically handles most of the differences between new and old ACME
versions. `acme.client.ClientV2` is also available for people who only want
to support one version of the protocol or want to handle the differences
between versions themselves.
- certbot-auto now supports the flag --install-only which has the script
install Certbot and its dependencies and exit without invoking Certbot.
- Support for issuing a single certificate for a wildcard and base domain was
added to our Google Cloud DNS plugin. To do this, we now require your API
credentials have additional permissions, however, your credentials will
already have these permissions unless you defined a custom role with fewer
permissions than the standard DNS administrator role provided by Google.
These permissions are also only needed for the case described above so it
will continue to work for existing users. For more information about the
permissions changes, see the documentation in the plugin.
### Changed
- We have broken lockstep between our ACME library, Certbot, and its plugins.
This means that the different components do not need to be the same version
to work together like they did previously. This makes packaging easier
because not every piece of Certbot needs to be repackaged to ship a change to
a subset of its components.
- Support for Python 2.6 and Python 3.3 has been removed from ACME, Certbot,
Certbot's plugins, and certbot-auto. If you are using certbot-auto on a RHEL
6 based system, it will walk you through the process of installing Certbot
with Python 3 and refuse to upgrade to a newer version of Certbot until you
have done so.
- Certbot's components now work with older versions of setuptools to simplify
packaging for EPEL 7.
### Fixed
- Issues caused by Certbot's Nginx plugin adding multiple ipv6only directives
has been resolved.
- A problem where Certbot's Apache plugin would add redundant include
directives for the TLS configuration managed by Certbot has been fixed.
- Certbot's webroot plugin now properly deletes any directories it creates.
|
|
### Added
- Support for the HTTP-01 challenge type was added to our Apache and Nginx
plugins.
- IPv6 support was added to the Nginx plugin.
- Support for automatically creating server blocks based on the default server
block was added to the Nginx plugin.
- The flags --delete-after-revoke and --no-delete-after-revoke were added
allowing users to control whether the revoke subcommand also deletes the
certificates it is revoking.
### Changed
- We deprecated support for Python 2.6 and Python 3.3 in Certbot and its ACME
library.
- We split our implementation of JOSE (Javascript Object Signing and
Encryption) out of our ACME library and into a separate package named josepy.
- We updated the ciphersuites used in Apache to the new values recommended by
Mozilla
### Fixed
- An issue with our Apache plugin on Gentoo due to differences in their
apache2ctl command have been resolved.
|
|
0.20.0 - 2017-12-06
- Certbot's ACME library now recognizes URL fields in challenge
objects in preparation for Let's Encrypt's new ACME endpoint.
- The Apache plugin now parses some distro specific Apache
configuration files on non-Debian systems allowing it to get a
clearer picture on the running configuration.
- Certbot better reports network failures by removing information
about connection retries from the error output.
- An unnecessary question when using Certbot's webroot plugin
interactively has been removed.
- Certbot's NGINX plugin no longer sometimes incorrectly reports that
it was unable to deploy a HTTP->HTTPS redirect when requesting
Certbot to enable a redirect for multiple domains.
- Problems where the Apache plugin was failing to find directives and
duplicating existing directives on openSUSE have been resolved.
- An issue running the test shipped with Certbot and some our DNS
plugins with older versions of mock have been resolved.
- On some systems, users reported strangely interleaved output
depending on when stdout and stderr were flushed.
0.19.0 - 2017-10-04
- Certbot now has renewal hook directories where executable files can
be placed for Certbot to run with the renew subcommand.
- After revoking a certificate with the revoke subcommand, Certbot
will offer to delete the lineage associated with the certificate.
- When using Certbot's Google Cloud DNS plugin on Google Compute
Engine, you no longer have to provide a credential file to Certbot
if you have configured sufficient permissions for the instance which
Certbot can automatically obtain using Google's metadata service.
- When deleting certificates interactively using the delete
subcommand, Certbot will now allow you to select multiple lineages
to be deleted at once.
- Certbot's Apache plugin no longer always parses Apache's
sites-available on Debian based systems and instead only parses
virtual hosts included in your Apache configuration.
- The plugins subcommand can now be run without root access.
- certbot-auto now includes a timeout when updating itself so it no
longer hangs indefinitely when it is unable to connect to the
external server.
- An issue where Certbot's Apache plugin would sometimes fail to
deploy a certificate on Debian based systems if mod_ssl wasn't
already enabled has been resolved.
- A bug in our Docker image where the certificates subcommand could
not report if certificates maintained by Certbot had been revoked
has been fixed.
- Certbot's RFC 2136 DNS plugin (for use with software like BIND) now
properly performs DNS challenges when the domain being verified
contains a CNAME record.
|
|
### Added
- Support in our nginx plugin for modifying SSL server blocks that do
not contain certificate or key directives.
- A `--max-log-backups` flag to allow users to configure or even completely
disable Certbot's built in log rotation.
- A `--user-agent-comment` flag to allow people who build tools around Certbot
to differentiate their user agent string by adding a comment to its default
value.
### Changed
- Due to some awesome work by cryptography project, compilation can now be
avoided on most systems when using certbot-auto.
- The `--renew-hook` flag has been hidden in favor of `--deploy-hook`.
- We have started printing deprecation warnings in certbot-auto for
experimentally supported systems with OS packages available.
- A certificate lineage's name is included in error messages during renewal.
### Fixed
- Encoding errors that could occur when parsing error messages from the ACME
server containing Unicode have been resolved.
- certbot-auto no longer prints misleading messages about there being a newer
pip version available when installation fails.
- Certbot's ACME library now properly extracts domains from critical SAN
extensions.
|
|
Use ALTERNATIVES to handle different Python versions better.
0.14.0 - 2017-05-04
Added
- Python 3.3+ support for all Certbot packages. certbot-auto still
currently only supports Python 2, but the acme, certbot,
certbot-apache, and certbot-nginx packages on PyPI now fully support
Python 2.6, 2.7, and 3.3+.
- Certbot's Apache plugin now handles multiple virtual hosts per file.
- Lockfiles to prevent multiple versions of Certbot running
simultaneously.
Changed
- When converting an HTTP virtual host to HTTPS in Apache, Certbot
only copies the virtual host rather than the entire contents of the
file it's contained in.
- The Nginx plugin now includes SSL/TLS directives in a separate file
located in Certbot's configuration directory rather than copying the
contents of the file into every modified server block.
Fixed
- Ensure logging is configured before parts of Certbot attempt to log
any messages.
- Support for the --quiet flag in certbot-auto.
- Reverted a change made in a previous release to make the acme and
certbot packages always depend on argparse. This dependency is
conditional again on the user's Python version.
- Small bugs in the Nginx plugin such as properly handling empty
server blocks and setting server_names_hash_bucket_size during
challenges.
|
|
|
|
|
|
No concise changelog found. ~30 bugs/issues fixed.
|
|
All py-certbot self tests pass.
39 self test failures in py-acme (running py.test), one core dump
in openssl (running make test).
Changes:
Test bug fixes
|
|
No changelog released, commits closed for 0.10.0:
- Stop IDisplay AssertionErrors
- Add update_symlinks to "--help manage"
- Hide rename command for 0.10.0
- Disable rename command for 0.10.0
- Break on failure to deploy cert
- Incorrect success condition in nginx
- certbot delete and rename evoke IDisplay
- Put update_symlinks in certbot --help manage
- Fix Error Message for invalid FQDNs
- pyopenssl inject workaround
- pyparsing.restOfLine is not a function, don't call it
- Add information on updating [certbot|letsencrypt]-auto
- Remove quotes so tilde is expanded
- Correctly report when we skip hooks during renewal
- Add line number to Augeas syntax error message
- Mention line in (Apache) conf file in case of Augeas parse/syntax
error
- Fixes #3954 and adds a test to prevent regressions
- Further OCSP improvements
- `-n` doesn't like `force_interactive`?
- Save allow_subset_of_names in renewal conf files
- I promise checklists are OK (fixes #3934)
- Return domains for _find_domains_or_certname
- --cert-name causes explosions when trying to use "run" as an installer
- Interactivity glitch in git master
- Document some particularities of the revoke subcommand
- test using os.path.sep not hardcoded /
- Save --pre and --post hooks in renewal conf files, and run them in a
sophisticated way
- Don't add ServerAlias directives when the domain is already covered by
a wildcard
- Mitigate problems for people who run without -n
- Use relative paths for livedir symlinks
- Implement delete command
- Use isatty checks before asking new questions
- Ensure apt-cache is always running in English if we're going to grep
- Sort the names by domain (then subdomain) before showing them
- Merge the manual and script plugins
- --allow-subset-of-names should probably be a renewalparam
- Fix certbox-nginx address equality check
- Implement our fancy new --help output
- Make renew command respect the --cert-name flag
- Error when using non-english locale on Debian
- Document defaults
- Improve simple --help output
- Add pyasn1 back to le-auto
- Mark Nginx vhosts as ssl when any vhost is on ssl at that address
- Fully check for Nginx address equality
- Preserve --must-staple in configuration for renewal (#3844)
- Git master certbot is making executable renewal conf files?
- Improve the "certbot certificates" output
- Renewal: Preserve 'OCSP Must Staple' (option --must-staple)
- Security enhancement cleanup
- Parallalelise nosetests from tox
- "certbot certificates" is API-like, so make it future-proof
- Fix LE_AUTO_SUDO usage
- Remove the sphinxcontrib.programout [docs]dependency
- No more relative path connection from live-crt to archive-crt files
- Ensure tests pass with openssl 1.1
- Output success message for revoke command
- acme module fails tests with openssl 1.1
- Pin pyopenssl 16.2.0 in certbot-auto
- Fixed output of `certbot-auto --version`(#3637).
- Take advantage of urllib3 pyopenssl rewrite
- Busybox support
- Fix --http-01-port typo at source
- Implement the --cert-name flag to select a lineage by its name.
- Fix reinstall message
- Changed plugin interface return types (#3748).
- Remove letshelp-letsencrypt
- Bump pyopenssl version
- Bump python-cryptography to 1.5.3
- Remove get_all_certs_keys() from Apache and Nginx
- Further merge --script-* with --*-hook
- Certbot opens curses sessions for informational notices, breaking
automation
- Fix writing pem files with Python3
- Strange reinstallation errors
- Don't re-add redirects if one exists
- Use subprocess.Popen.terminate instead of os.killpg
- Generalize return types for plugin interfaces
- Don't re-append Nginx redirect directive
- Cli help is sometimes wrong about what the default for something is
- [certbot-auto] Bump cryptography version to 1.5.2
- python-cryptography build failure on sid
- Remove sphinxcontrib-programoutput dependency?
- Allow notification interface to not wrap text
- Fix non-ASCII domain check.
- Add renew_hook to options stored in the renewal config, #3394
- Where oh where has sphinxcontrib-programoutput gone?
- Remove some domain name checks.
- Allowing modification check to run using "tox"
- How to modify *-auto
- Don't crash when U-label IDN provided on command line
- Add README file to each live directory explaining its contents.
- Allow user to select all domains by typing empty string at checklist
- Fix issue with suggest_unsafe undeclared
- Update docs/contributing.rst to match display behavior during release.
- Referencing unbound variable in certbot.display.ops.get_email
- Add list-certs command
- Remove the curses dialog, thereby deprecating the --help and --dialog
command line options
- Remove the curses dialog, thereby deprecating the --help and --dialog
command line options
- Specify archive directory in renewal configuration file
- 0.9.1 fails in non-interactive use (pythondialog, error opening
terminal)
- Allow certbot to get a cert for default_servers
- [nginx] Cert for two domains in one virtaulhost fails
- [nginx] --hsts and --uir flags not working?
- `certbot-auto --version` still says `letsencrypt 0.9.3` (should say
`certbot 0.9.3`?)
- Add a cli option for "all domains my installer sees"
- Stop rejecting punycode domain names
- Standalone vs. Apache for available ports
- nginx-compatibility-weirdness
- Support requesting IDNA2008 Punycode domains
- Cert Management Improvement Project (C-MIP)
- Add --lineage command line option for nicer SAN management.
- Fix requirements.txt surgery in response to shipping certbot-nginx
- Use correct Content-Types in headers.
- Missing Content-Type 'application/json' in POST requests
- Script plugin
- Inconsistent error placement
- Server alias [revision requested]
- When getopts is called multiple time we need to reset OPTIND.
- certbot-auto: Print link to doc on debugging pip install error
[revision requested]
- Update ACME error namespace to match the new draft.
- Update errors to match latest ACME version.
- Testing the output of build.py against lea-source/lea
- Make return type of certbot.interfaces.IInstaller.get_all_keys_certs()
an iterator
- Fix requirements file surgery for 0.10.0 release
- Update Where Are My Certs section.
- Hooks do not get stored in renewal config file
- Multiple vhosts
- Bind to IPv6, fix the problem of ipv6 site cannot generate / renew
certificate [revision requested]
- Warning message for low memory servers
- Run simple certbot-auto tests with `tox`
- letsencrypt-auto-source/letsencrypt-auto should be the output of
build.py
- DialogError should come with --text instructions
- Support correct error namespace
- Verification URL after successful certificate configuration can't be
opened from terminal
- Use appropriate caution when handling configurations that have complex
rewrite logic
- `revoke` doesn't output any status
- adding -delete option to remove the cert files
- Stop using simple_verify in manual plugin
- Ways of specifying what to renew
- Allow removing SAN from multidomain certificate when renewing
- Dialog is sometimes ugly
- Allow user to override sudo as root authorization method [minor
revision requested]
- Add a README file to each live directory explaining its contents
- ExecutableNotFound
|
|
No changelog available, issues closed since 0.8.1:
certbot 0.9.1
- Make --quiet reduce the logging level
certbot 0.9.0
- Allow tests to pass without dnspython
- Remove psutil dep
- Renew symlink safety
- Update Nginx redirect enhancement process to modify appropriate
blocks
- If lineages are in an inconsistent (non-deployed) state, deploy
them
- Restructure how Nginx parser re-finds vhosts, and disable
creating new server blocks.
- Remove pointless question
- Tie Nginx OCSP stapling to enhancements system
- Nginx server block selection: Handle non-80/443 ports
- Include log retention count to 1000.
- Make parser.py: add_server_directives documentation consistent
with functionality
- Fix Nginx prompt
- Make Nginx error out if no matching server block is found
- Only suggest names LE will accept
- Implement Nginx server block selection
- should_autorenew ignores symlinks
- Fixes cffi errors in Travis during oldest tests
- DNS challenge support in the manual plugin and general purpose
--preferred-challenges flag
- Fixed hash_bucket_size detection for nginx
- Support both invalidEmail and invalidContact errors
- Removes duplication between README.rst and resources.rst
- Psutil tests
- Allow tests to run when psutil isn't available
- Tests fail on Certbot package due to missing psutil dependency
- Hide the Nginx plugin
- Add the Nginx plugin to certbot-auto
- OCSP stapling in Nginx
- Nginx plugin selection
- Add certbot-nginx to certbot-auto
- Missing links in README
- clarify invalid email error in non-interactive
- Replace '-' with '_' before filtering plugin settings
- Fix extra or lack of spacing between words in help for renew
flags
- Fix Travis tests
- Avoid importing conflicting security policy directives
- Change log rotation scheme
- Plugins with hyphens do not receive their args during renewal
- Handle dns01 challenge into the manual plugin [see #3466]
- Enable unit tests of certbot core on Python 3
- Add os-release ID_LIKE parsing if original distribution mapping
not found in constants
- Fix README typo
- Nginx plugin domain selection
- Fix spacing of nginx redirect blocks
- Rationalise challenge and port selection flags
- Remove psutil from requirements.txt
- prevent Github commits from modifying certbot-auto and
letsencrypt-auto
- Gradually remove psutil dependency, bugfix [URGENT]
- psutil fails to install because hash is missing when running
certbot-auto
- Failure to start Nginx after configuring redirect
- Prepare docs to turn off the wiki
- Certbot apache plugin fails with TypeError: 'NoneType' object
has no attribute '__getitem__'
- Change fatal warning to a fatal message
- Fatal warnings
- Apache default default
- Deprecation fixes
- New docs structure and introduction
- Nginx charset_map and ${VARIABLE_SUBSTITUTION} parsing
- Unclear error about invalid email in non-interactive mode
- Use simple socket test for port availability if psutil not found
- Python 3 support for certonly
- Set dialog widgets to use autowidgetsize
- Errors when run without root
- Apache plugin PATH fallback
- Automatically enable EPEL after prompting users
- Multi-topic help listings
- Installer error
- Explain why Apache [appears] not to be installed
- ErrorHandler causing errors
- Update FreeBSD package name
- Comment out corresponding RewriteConds for filtered RewriteRule
- Permissive parsing of nginx map blocks
- add nginx round-trip tests to tox/travis
- Fix Unix signal handling in certbot.error_handler.ErrorHandler
- Resuming error handling functions after a signal
- Only write nginx config files if they've been modified
- If the user picks "cancel" from the Apache vhost selection menu,
Certbot doesn't exit
- certbot removes http->https rules corrupts ruleset
- Fix typo
- Better document plugins and reversion
- Nginx parser apparently can't parse "map"
- Nginx plugin shouldn't write files it hasn't changed
- Fix Nginx reversion
- Merge Augeas fix for comment line continuations
- Remove warning about nginx options file
- Explain the most likely cause of a missing replay nonce error
- Bump pyca package versions
- Don't add wildcard listen if user has more specific
configuration
- Remove unused nosexcover dependency
- Cleanup dev setup
- Nginx space preservation
- Set dialog widgets to use autowidgetsize
- Printing pip output to terminal when -v is used
- Log new cert and cert renewal
- Log whether renewing or obtaining a new certificate
- Added the argument --quiet and -q so then when used with a
regular user there is no output to the screen.
- certbot-auto not quiet when used with regular user
- Adding sensible UI logging for typical user
- Replace psutils dependency
- Display DialogError details correctly
- -v implies --text
- Fix FQDN checks, closes #3057 and #3056
- Bug in FQDN detection: installer wrongly interprets _
- Installer thinks bare TLD is not a valid FQDN
- Limiting tox envlist to really needed tests
- trouble with Listen directives in CentOS 7 / ssl.conf
- Remove dangling footnote
- certbot-apache fails to parse files with comma in the filename
- pip and verbosity
- Dialog error messages
- NcursesDisplay.menu: treat ESC as cancel
- More useful error when running as non-root?
- -v should imply --text
- Update tox/instructions
- Error that results when run without root is unclear
- Enable EPEL in RPM bootstrapper
- Add dns-01 challenge support to the ACME client
- Apache plugin fails to parse OWASP's ModSecurity ruleset
- Audit nginx plugin for guaranteed config reversion in case of
error
- NoInstallationError() from Apache plugin within renewal cron
jobs due to /usr/sbin not being in the PATH
- nginx http redirect
- "No installers" error message not clear
- HelpfulArgumentParser should know about flags that are relevant
to several topics
- Nginx configurator should preserve whitespace on output
- server blocks added to nginx.conf
- Nginx fails if ssl_session_cache already defined
- nginx leaves dirty/modified config files
- Sensible UI logging for typical user
- nginx plugin issue with server block containing multiple
servernames
|
|
Certbot, previously the Let's Encrypt Client, is EFF's tool to
obtain certs from Let's Encrypt, and (optionally) autoenable HTTPS
on your server. It can also act as a client for any other CA that
uses the ACME protocol.
|
