v0.21.4

We've made several improvements across the board, notably:

• Storage is temporarily a required field, until we implement a zerossl issuer that doesn't require storage. I'm hoping this will be optional again before v1.0.
• New exported function GetRenewalInfo(), useful for issuers that support ARI.
• Better logging related to account loading and creation, and CSR generation; useful for troubleshooting.
• ACME account registration is now synced across a cluster.
• ARI fetching is now synced across a cluster.
• Normalization fix for IDNs.
• Writes to the filesystem (default) storage now use temporary files, which provides greater concurrency safety. This should improve the very rare and sporadic corrupted certificate or metadata (JSON) files that have been observed and reported.

Thank you to everyone who contributed!

What's Changed

• Move looking up info for HTTP validation to warn level by @mbardelmeijer in #290
• Sync ACME account registration by @mholt in #293
• fix: use a tempfile to write files in filestorage. by @elee1766 in #300
• Add .internal to internal-only hostnames by @nickubels in #305

New Contributors

• @mbardelmeijer made their first contribution in #290
• @elee1766 made their first contribution in #300
• @nickubels made their first contribution in #305

Full Changelog: v0.21.2...v0.21.4

v0.21.2

This is apparently the same as v0.21.1, for some reason I thought there were new commits. Oh well, enjoy!

What's Changed

• Apply DefaultServerName more broadly during handshake by @mholt in #287
• downgrade minimum Go version by @mohammed90 in #289

Full Changelog: v0.21.0...v0.21.2

v0.21.0

CertMagic v0.21 introduces some big changes:

• Draft support for draft-03 of ACME Renewal Information (ARI) which assists with deciding when to renew certificates. This augments CertMagic's already-advanced logic using cert lifetime and OCSP/revocation status.
• New ZeroSSLIssuer uses the ZeroSSL API to get certificates. ZeroSSL also has an ACME endpoint, which can still be accesed using the existing ACMEIssuer, as always. Their proprietary API is paid, but has extra features like IP certificates, better reliability, and support.
• DNS challenges should be smoother in some cases as we've improved propagation checking.
• In the odd case your ACME account disappears from the ACME server, CertMagic will automatically retry with a new account. (This happens in some test/dev environments.)
• ACME accounts are identified only by their public keys, but CertMagic maps accounts by CA+email for practical/storage reasons. So now you can "pin" an account key to use by specifying your email and the account public key in your config, which is useful if you need to absolutely be sure to use a specific account (like if you get rate limit exemptions from a CA).

Please try it out and report any issues!

Thanks to @framer for their contributions to this release!

What's Changed

• Bump golang.org/x/crypto from 0.14.0 to 0.17.0 by @dependabot in #264
• Demote "storage cleaning happened too recently" from WARN to INFO by @francislavoie in #270
• Check DNS propagation at authoritative nameservers only with default resolvers by @pgeh in #274
• Retry with new account if account disappeared remotely by @mholt in #269
• Update readme examples to use TLS-ALPN const from ACMEz by @goksan in #277
• Initial implementation of ZeroSSL API issuer by @mholt in #279
• Allow deleting directories via FileStorage by @goksan in #282
• Use the email configuration in the ACME issuer to "pin" an account to a key by @ankon in #283
• Initial implementation of ARI by @mholt in #286

New Contributors

• @pgeh made their first contribution in #274
• @goksan made their first contribution in #277

Full Changelog: v0.20.0...v0.21.0

v0.20.0

This release vastly improves storage cleaning as well improving a few smaller things. There is a minor breaking change as we get ever closer to v1.0.

• ⚠️ The DecisionFunc for On-Demand TLS now takes a context.Context value as its first argument. The context carries the ClientHelloInfo value (keyed by ClientHelloInfoCtxKey) for logging purposes.
• Storage cleaning is now synchronized across the cluster, including process restarts. The state of cleaning expired certificates and OCSP staples is written to storage, and distributed locking is used to ensure that only 1 instance does it at a time. This greatly reduces costs for expensive storage backends! Cleaning is also done less often when the process is frequently restarted because the state is written to storage, so it is not forgotten after shutting down.
• .home.arpa is now considered an internal suffix.
• Backoff timings have been tuned based on real-world experience.

What's Changed

• README: Add hint about NextProtos for certmagic.TLS by @oliverpool in #251
• Bump golang.org/x/net from 0.11.0 to 0.17.0 by @dependabot in #253
• Optionally pass the context argument down to the OnDemand decision func by @ankon in #255
• Retain the error stack if checkIfCertShouldBeObtained returns an error by @ankon in #256
• Add OCSP stapling unit tests by @kenjenkins in #259

New Contributors

• @oliverpool made their first contribution in #251

Full Changelog: v0.19.2...v0.20.0

v0.19.2

This release fixes a couple of bugs in on-demand TLS and also improves the context used during handshakes for cert operations. (Contexts assist with timeouts and cancellation.)

What's Changed

• Create a new context when renewing a certificate in the background by @ankon in #248
• Use context from ClientHello during GetCertificate by @mholt in #249

Full Changelog: v0.19.1...v0.19.2

v0.19.1

A minor patch that fixes a race condition when NewAccountFunc changes the ACMEIssuer it is called on.

A new error value is also exposed: ErrNoOCSPServerSpecified to help users determine whether stapling failed only because the certificate doesn't support OCSP.

What's Changed

• Define a NoOCSPServerSpecified error by @kenjenkins in #245

New Contributors

• @kenjenkins made their first contribution in #245

Full Changelog: v0.19.0...v0.19.1

v0.19.0

This release has a few (relatively minor) API changes and additions to enable substantial performance improvements for large certificate deployments; for example, large and busy servers can now update a certificate cache's settings without having to make a new cache. This enables certificates already decoded into memory to remain even after a config change downstream.

⚠️ As we are still pre-1.0, there are some breaking API changes in this release. Please take note 😃

Highlights

• The Config.Manage*() methods are now (basically) a no-op if a managed certificate for the name(s) passed in is already present in the cache. It doesn't really make sense to reload the certificate from storage and decode it and replace it in the cache, because it is managed it will do that automatically when it gets renewed.
• Removed Config.Unmanage() since it does not actually rely on the config at all. Replaced with Cache.RemoveManaged(). Removing a managed cert from the cache stops maintenance.
• Also added Cache.Remove() which removes a certificate from the cache given its hash.
• The methods which load unmanaged certs into the cache now return the cert hash.
• Added Cache.SetOptions() to update a cache's config while active.
• Clarified the semantics around the Storage and Locker interfaces. This should be useful for implementers.
• Fixed a performance bug when On-Demand TLS was used with lots of specified domains (this is uncommon, as most uses of on-demand TLS don't know the domain names ahead of time).

What's Changed

• README: fix typo in sample code by @bitfehler in #243

New Contributors

• @bitfehler made their first contribution in #243

Full Changelog: v0.18.2...v0.19.0

v0.18.2

This patch release actually has some notable new features but nothing that affects existing API surface:

• New private keys are generated for every renewal (unless the new config property ReusePrivateKeys is set to true) -- previously, they were reused by default.
• New IssuerPolicy field to configure how to choose from multiple issuers. By default, the first issuer that successfully provided a certificate is used. (This is unchanged.) Now, however, the issuers can be shuffled to implement basic load balancing before trying them in succession.
• File storage locking mechanism is now more robust against short-lived locks in slow storage.
• The cert_obtained event info was fixed.

(Skip v0.18.1, as it contains a bug caught by integration tests downstream.)

What's Changed

• Generate new private keys for new certificates by @mholt in #237
• Issuer policies that can randomize issuer used by @mholt in #238

Full Changelog: v0.18.0...v0.18.2

v0.18.0

This update brings several optimizations and improvements:

• Don't access storage during on-demand TLS unless the subject is allowed in the first place
• Managers moved into on-demand config, since they operate only at handshake-time
• Experimental FallbackServerName that is like DefaultServerName, except this one applies even if a ServerName is specified in the handshake
• Several bug fixes, especially related to on-demand TLS and Managers

What's Changed

• Allow specifying http proxy via config by @georgmu in #212
• Allow the default cache logger to be set by @pwilloughby in #213
• Bump golang.org/x/text from 0.3.7 to 0.3.8 by @dependabot in #216
• Bump golang.org/x/net from 0.0.0-20220805013720-a33c5aa5df48 to 0.7.0 by @dependabot in #218
• obtain instead of renew cert if it does not exist in storage by @shitz in #221
• Use recursive query when checking for TXT records by @kizmc in #224
• Update & Improve CI by @wusatosi in #227
• chore: Skip slow tests on Windows by @francislavoie in #229
• Add a GetCertificateWithContext function by @ankon in #225
• Refactor certificate Managers by @mholt in #231
• Fix advanced cache initialization in README by @s111 in #198

New Contributors

• @georgmu made their first contribution in #212
• @pwilloughby made their first contribution in #213
• @dependabot made their first contribution in #216
• @shitz made their first contribution in #221
• @kizmc made their first contribution in #224
• @wusatosi made their first contribution in #227
• @s111 made their first contribution in #198

Full Changelog: v0.17.2...v0.18.0

v0.17.2

What's Changed

• Avoid nil dereferencing on errors by @ankon in #206
• Fix a panic when attempting to log when certificate should not be renewed by @antoniomika in #207

New Contributors

• @ankon made their first contribution in #206
• @antoniomika made their first contribution in #207

Full Changelog: v0.17.1...v0.17.2