Releases: certbot/certbot
Certbot 4.2.0
Added
- Added --eab-hmac-alg parameter to support custom HMAC algorithm for External Account Binding. (#10281)
Changed
- Catches and ignores errors during the directory fetch for ARI checking so that these errors do not hinder the actual certificate issuance. (#10342)
- Removed the dependency on pytz. (#10350)
- Deprecated acme.crypto_util.probe_sni (#10386)
- Support for Python 3.9 was deprecated and will be removed in our next planned release. (#10390)
Fixed
- The Certbot snap no longer sets the environment variable PYTHONPATH, stopping it from picking up Python files in the current directory and polluting the environment for Certbot hooks written in Python. (#10176, #10257)
- Previously, we claimed to set FAILED_DOMAINS and RENEWED_DOMAINS env variables for use by post-hooks when certificate renewals fail, but we were not actually setting them. Now, we are. (#10259)
- Certbot now always uses the server value from the renewal configuration file for ARI checks instead of the server value from the current invocation of Certbot. This helps prevent ARI requests from going to the wrong server if the user changes CAs. (#10339)
Certbot 4.1.1
Fixed
- When a CA fails to issue a certificate after finalization, print the ACME error from the order.
- No longer checks ARI during certbot --dry-run, because --dry-run uses staging when used with Let's Encrypt but the cert was issued against the default server. This would emit a scary warning, even though the cert would renew successfully.
- Contacting the CA to check ARI is now skipped for certificate lineages that have autorenew set to False.
More details about these changes can be found on our GitHub repo.
Certbot 4.1.0
Added
- ACME Renewal Info (ARI) support. https://datatracker.ietf.org/doc/draft-ietf-acme-ari/ certbot renew will automatically check ARI when using an ACME server that supports it, and may renew early based on the ARI information. For Let's Encrypt certificates this will typically cause renewal at around 2/3rds of the certificate's lifetime, even if the renew_before_expiry field of a lineage renewal config is set to a later date.
Changed
- Switched to src-layout from flat-layout to accommodate PEP 517 pip editable installs
- acme.client.ClientNetwork now makes the "key" parameter optional.
- Deprecated acme.challenges.TLSALPN01Response
- Deprecated acme.challenges.TLSALPN01
- Deprecated parameter alpn_protocols from acme.crypto_util.probe_sni
- Deprecated acme.crypto_util.SSLSocket
- Deprecated acme.standalone.TLSServer
- Deprecated acme.standalone.TLSALPN01Server
- Deprecated parameter enforce_openssl_binary_usage from certbot.ocsp.RevocationChecker.
- Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer versions of the cryptography Python package. Python 3.9.2+ is still supported.
Fixed
- Order finalization now catches the orderNotReady response, polls until the order status is ready, and resubmits the finalization request before polling for valid to download the certificate. This conforms to RFC 8555 more accurately and avoids race conditions where all authorizations are fulfilled but the order has not yet transitioned to the ready state on the server when the finalization request is sent. It also respects Retry-After when polling for finalization readiness.
- The --preferred-profile and --required-profile flags now have their values stored in the renewal configuration so the same setting will be used on renewal.
- Fixed an unintended change introduced in 4.0.0 where renew_before_expiry could not be shorter than certbot's default renewal time. If the server does not provide an ARI response, renew_before_expiry will continue to override certbot's default. However, an early ARI response will override a later renew_before_expiry time, to account for notifications in case of certificate revocation, especially with the impending deprecation of OCSP (https://letsencrypt.org/2024/12/05/ending-ocsp/). To force a later date, users can replace certbot's default cron job and/or systemd timer with one of their own, using whatever timing they prefer.
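The finalization sequence described in the 4.1.0 fix above (catch orderNotReady, poll until ready while honouring Retry-After, resubmit finalize, then poll for valid), shown as an added example that is not certbot's or the acme library's code. The FakeOrderServer and its certificate URL are constructed stand-ins for a CA, so the flow runs offline.

```python
import time
from dataclasses import dataclass

ORDER_NOT_READY = "urn:ietf:params:acme:error:orderNotReady"  # RFC 8555 error type


@dataclass
class FakeOrderServer:
    """Constructed CA stand-in: the order becomes 'ready' only after
    `ready_after_polls` status polls, reproducing the race from the notes."""
    ready_after_polls: int
    retry_after: float = 0.0   # seconds the CA asks us to wait between polls
    polls: int = 0
    finalized: bool = False

    def finalize(self):
        if self.polls < self.ready_after_polls:
            return {"type": ORDER_NOT_READY, "status": 403}
        self.finalized = True
        return {"status": "processing"}

    def poll(self):
        self.polls += 1
        if self.finalized:
            return {"status": "valid", "certificate": "https://ca.example/cert/1"}, self.retry_after
        status = "ready" if self.polls >= self.ready_after_polls else "pending"
        return {"status": status}, self.retry_after


def wait_for_status(server, wanted, max_polls, sleep):
    """Poll until the order reaches `wanted`, sleeping for Retry-After in between."""
    for _ in range(max_polls):
        order, retry_after = server.poll()
        if order["status"] == wanted:
            return order
        if order["status"] == "invalid":
            raise RuntimeError("order became invalid")
        sleep(retry_after)
    raise TimeoutError(f"order never reached {wanted!r}")


def finalize_order(server, max_polls=10, sleep=time.sleep):
    """4.1.0 flow: on orderNotReady, poll until 'ready', resubmit finalize,
    then poll for 'valid' and return the certificate URL."""
    resp = server.finalize()
    if resp.get("type") == ORDER_NOT_READY:
        wait_for_status(server, "ready", max_polls, sleep)
        resp = server.finalize()
        if resp.get("type") == ORDER_NOT_READY:
            raise RuntimeError("CA reported 'ready' but still rejected finalize")
    return wait_for_status(server, "valid", max_polls, sleep)["certificate"]
```

Bounding the polls with max_polls is what turns a CA that never reaches ready into a clear error instead of an endless renewal run.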
More details about these changes can be found on our GitHub repo.
Certbot 4.0.0
Added
- The --preferred-profile and --required-profile flags allow requesting a profile. https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
Changed
- Certificates now renew with 1/3rd of lifetime left (or 1/2 of lifetime left, if the lifetime is shorter than 10 days). This is a change from a hardcoded renewal at 30 days before expiration. The config field renew_before_expiry still overrides this default.
- removed acme.crypto_util._pyopenssl_cert_or_req_all_names
- removed acme.crypto_util._pyopenssl_cert_or_req_san
- removed acme.crypto_util.dump_pyopenssl_chain
- removed acme.crypto_util.gen_ss_cert
- removed certbot.crypto_util.dump_pyopenssl_chain
- removed certbot.crypto_util.pyopenssl_load_certificate
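A model of the renewal-time rules stated in the 4.0.0 note above and in the 4.1.0 ARI and renew_before_expiry notes, added here as an example; it is not certbot's own implementation. It assumes renew_before_expiry is supplied as a timedelta before notAfter, and `ari_window_start` is an assumed stand-in for the start of the ARI suggested window; since the notes only describe ARI moving renewal earlier, the model takes the earlier of the two times.

```python
from datetime import datetime, timedelta, timezone


def default_renewal_time(not_before, not_after):
    """4.0.0 default: renew with 1/3 of the lifetime left, or 1/2 of it left
    when the lifetime is shorter than 10 days (replaces the fixed 30 days)."""
    lifetime = not_after - not_before
    remaining = lifetime / 2 if lifetime < timedelta(days=10) else lifetime / 3
    return not_after - remaining


def renewal_time(not_before, not_after, renew_before_expiry=None, ari_window_start=None):
    """Combine the rules from the 4.0.0 and 4.1.0 notes:
    - renew_before_expiry (timedelta before notAfter) overrides the default in
      either direction (the 4.1.0 fix lets it be shorter than the default);
    - an ARI window that starts earlier overrides a later renew_before_expiry
      time; a later ARI window does not push renewal out.
    `ari_window_start` is an assumption standing in for the ARI suggested window."""
    when = default_renewal_time(not_before, not_after)
    if renew_before_expiry is not None:
        when = not_after - renew_before_expiry
    if ari_window_start is not None and ari_window_start < when:
        when = ari_window_start
    return when


# Constructed sample: a 90-day certificate, as Let's Encrypt issues today.
NOT_BEFORE = datetime(2025, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=90)

if __name__ == "__main__":
    print("default:", default_renewal_time(NOT_BEFORE, NOT_AFTER))
    print("renew_before_expiry=10d:",
          renewal_time(NOT_BEFORE, NOT_AFTER, renew_before_expiry=timedelta(days=10)))
    print("ARI at 40d left beats 10d:",
          renewal_time(NOT_BEFORE, NOT_AFTER, renew_before_expiry=timedelta(days=10),
                       ari_window_start=NOT_AFTER - timedelta(days=40)))
```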
Fixed
- Moved the RewriteEngine on directive added during apache http01 authentication to the end of the virtual host, so that it overwrites any RewriteEngine off directives that already exist and allows redirection to the challenge URL.
More details about these changes can be found on our GitHub repo.
Certbot 3.3.0
Added
Changed
- The --register-unsafely-without-email flag is no longer needed in non-interactive mode.
- In interactive mode, pressing Enter at the email prompt will register without an email.
- deprecated acme.crypto_util.dump_pyopenssl_chain
- deprecated acme.crypto_util._pyopenssl_cert_or_req_all_names
- deprecated acme.crypto_util._pyopenssl_cert_or_req_san
- deprecated certbot.crypto_util.dump_pyopenssl_chain
- deprecated certbot.crypto_util.pyopenssl_load_certificate
Fixed
- Fixed a bug introduced in Certbot 3.1.0 where OpenSSL environment variables needed in our snap configuration were persisted in calls to external programs like nginx, which could cause them to fail to load OpenSSL.
More details about these changes can be found on our GitHub repo.
Certbot 2.11.1
Fixed
- Pinned the version of josepy to <2.0, since 2.0 introduced breaking changes
Certbot 3.2.0
Added
Changed
- certbot-nginx now requires pyparsing>=2.4.7.
- certbot and its acme library now require cryptography>=43.0.0.
- certbot-nginx and our acme library now require pyOpenSSL>=25.0.0.
- Deprecated gen_ss_cert in acme.crypto_util as it uses deprecated pyOpenSSL API.
- Add make_self_signed_cert to acme.crypto_util to replace gen_ss_cert.
- Directory hooks are now run on all commands by default, not just renew
- Help output now shows False as default when it can be set via cli.ini instead of None
- Changed terms of service agreement text to have a newline after the TOS link
- certbot-cloudflare-dns is now pinned to version 2.19 of Cloudflare's python library
- Removed support for Linode API v3 which was sunset at the end of July 2024.
Fixed
- Private keys are now saved in PKCS#8 format instead of PKCS#1. Using PKCS#1 was a regression introduced in Certbot 3.1.0.
- Allow nginx plugin to parse non-breaking spaces in nginx configuration files.
- Honor --reuse-key when --allow-subset-of-names is set
- Fixed regression in symlink parsing on Windows that was introduced in Certbot 3.1.0.
- When adding ssl listen directives in nginx server blocks, IP addresses are now preserved.
- Nginx configurations can now have the http block in files other than the root (nginx.conf)
More details about these changes can be found on our GitHub repo.
Certbot 3.1.0
Added
Changed
- Python 3.8 support was removed.
- certbot-dns-rfc2136's minimum required version of dnspython is now 2.6.1.
- Updated our Docker images to be based on Alpine Linux 3.20.
- Our runtime dependency on setuptools has been dropped from all Certbot components.
- Certbot's packages no longer depend on library importlib_resources.
Fixed
- Included an OpenSSL library that was missing in our Certbot snap, fixing crashes affecting 32-bit ARM users.
More details about these changes can be found on our GitHub repo.
Certbot 3.0.1
Fixed
- Removed a CryptographyDeprecationWarning that was being displayed to users
when checking OCSP status.
More details about these changes can be found on our GitHub repo.
Certbot 3.0.0
Added
Changed
- The update_symlinks command was removed.
- The csr_dir and key_dir attributes on certbot.configuration.NamespaceConfig were removed.
- The --manual-public-ip-logging-ok command line flag was removed.
- The --dns-route53-propagation-seconds command line flag was removed.
- The certbot_dns_route53.authenticator module has been removed. This should not affect any users of the plugin and instead would only affect developers trying to develop on top of the old code.
- Support for Python 3.8 was deprecated and will be removed in our next planned release.
Fixed
More details about these changes can be found on our GitHub repo.