Releases: win-acme/win-acme

v2.2.8

27 Feb 23:22

New

Enhancements

  • When using the setting Store.CertificateStore.PrivateKeyExportable (or its legacy version: Security.PrivateKeyExportable) the program will now automatically grant read access to the private key to the administrators group. On recent versions of Windows this appears to be required to allow the administrator to actually export the certificate after a renewal run by the Task Scheduler under the SYSTEM account. Reported by @mont-foray in #2529.
  • The English names administrators and network service provided to --acl-fullcontrol or --acl-read are now automatically translated to the appropriate local names on international versions of Windows. It's also now possible to provide SIDs (e.g. S-1-5-...) for other advanced scenarios. Inspired by feedback provided by @rgomezc in #2529.
  • Updated various third party dependencies.
  • Updated the static version of the public suffix list for systems that are not permitted to download it.
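The name translation described above works because well-known principals have language-independent SIDs while their display names are localized. The following PowerShell is an added illustration of that idea and is not win-acme's own code: the function `Resolve-LocalPrincipal` and the list of English aliases it accepts are assumptions made for this example. It accepts either a SID string or one of the English names, and returns the name the local Windows installation actually uses, which is what an ACL must ultimately refer to.

```powershell
# Added example, not part of win-acme. Resolve an English well-known name or
# a raw SID (S-1-5-...) to the account name as the local OS spells it.
function Resolve-LocalPrincipal {
    param(
        [Parameter(Mandatory)]
        [string]$Principal
    )

    # Well-known SIDs are stable across every language edition of Windows;
    # BUILTIN\Administrators is S-1-5-32-544, NT AUTHORITY\NETWORK SERVICE is S-1-5-20.
    $wellKnown = @{
        'administrators'  = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
        'network service' = [System.Security.Principal.WellKnownSidType]::NetworkServiceSid
    }

    if ($Principal -match '^S-1-\d+(-\d+)+$') {
        # Caller supplied a SID directly (the advanced scenario from the release notes).
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Principal)
    }
    elseif ($wellKnown.ContainsKey($Principal.ToLowerInvariant())) {
        # Build the SID from the well-known type; $null domain SID is fine for
        # BUILTIN and NT AUTHORITY principals.
        $sid = [System.Security.Principal.SecurityIdentifier]::new(
            $wellKnown[$Principal.ToLowerInvariant()], $null)
    }
    else {
        throw "Unsupported principal '$Principal': provide a SID or one of: $($wellKnown.Keys -join ', ')"
    }

    # Translate() asks the local LSA for the localized account name.
    # It throws IdentityNotMappedException if the SID is unknown on this machine.
    $account = $sid.Translate([System.Security.Principal.NTAccount])

    [pscustomobject]@{
        Input     = $Principal
        Sid       = $sid.Value
        LocalName = $account.Value   # e.g. 'BUILTIN\Administrators' on English Windows
    }
}

# Usage: the same SID resolves to a different LocalName on a non-English install.
Resolve-LocalPrincipal -Principal 'administrators'
Resolve-LocalPrincipal -Principal 'S-1-5-20'
```

Keying ACL entries on the SID rather than on a hard-coded English name is the safer habit in general: a script that grants rights to the literal string `Administrators` silently fails on a localized host, while the SID-based lookup above resolves correctly everywhere.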

Bugfixes

  • In version 2.2.7 it was not possible to generate certificates with an IDN as the common name, reported by @jari-e21 in #2532.
  • Errors in the DnsMadeEasy plugin were not logged properly, reported by @Wlad-R in #2528.

v2.2.7.1

02 Feb 21:50

Enhancements

  • Renewed code signing certificate.
  • Forced background color disabled by default, must now specifically be enabled in settings.json by configuring UI.Color.Background to "black". So far this is the one and only option available.

Bugs

  • Fixed typo in settings ParellelBatchSize > ParallelBatchSize, as noticed by @sunstarjeff in #2509.
  • Disable VT100 color coding on Windows 2012 or lower (#2513, first reported by @SistemasMabisy)
  • Fix crash on redirected console output (#2519, reported by @davist)
  • DeleteStaleFiles had been set to true by default, but is supposed to be false (seen by @North3rnL1ght in #2518)

v2.2.7

23 Jan 19:59

New

  • Added support for a new type of plugin to send notifications to custom channels. For years win-acme has supported sending email notifications, but many organisations prefer different channels like Slack, Discourse or even Teams. If you're familiar with C#, you can implement the INotificationTarget interface with just a handful of functions to send notifications however you want. If you're willing to show and share your work, contributions are obviously welcome!
  • Example script for SQL Server contributed by @zivillian (#2458)

Enhancements

  • Force black background for TUI rendering, to accommodate people with custom console themes with light backgrounds (#2451, requested by @prensing)
  • Log all HTTP requests that do not return a success code as warnings to make potential API/connection problems easier to spot (#2505, based on feedback by @djoris)
  • Software name and version now displayed in console title.
  • Add --acl-read parameter for the CertificateStore plugin, granting local principals read access to the private key, complementing the pre-existing --acl-fullcontrol parameter.
  • Add a new setting Validation.ParallelBatchSize that can be used to limit the number of simultaneous validations happening. In extreme cases, unlimited parallelism can lead to problems like overrunning the maximum size of a DNS response. Default for existing installations is 100 and for new installations 20.
  • Use DER instead of BER encoding for internal certificate processing in hopes of avoiding "Bad Data" errors reported by some users (#2493)
  • Add support for certificates without common name, which have been supported by Let's Encrypt since November. Also added additional validation to prevent attempts to order certificates with common names longer than 64 characters.
  • @christaylorcodes added a retry mechanism to the ImportRSDFull.ps1 example, thanks for helping!
  • Update various third-party dependencies.

Bugfixes

  • Crash when sorting on due date in the renewal manager (#2449, thanks @nrcionline!)
  • Crash when the settings.json file cannot be (fully) parsed.
  • Superfluous prevalidation checks could be done when using multithreaded validation (#2485, discovered by @JensSpanier)
  • Renewal information from services outside Let's Encrypt could not be retrieved due to a missing / in the URL (#2498, reported by @grindsa)
  • TransIP DNS validation plugin would not handle errors during initial authentication properly (#2505, found by @djoris)

Sponsors

This release was funded by

One gold sponsor:

Two silver sponsors:

And four bronze sponsors:

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.

v2.2.6

26 Sep 09:04
26328dd

Features

  • The FTP validation plugin gained an option to use the GnuTLS library for FTPS connections, as the default TLS implementation provided in .NET/Windows suffers from compatibility issues with various Unix-based FTP servers. For more background on this subject check this page by the FluentFTP project. Using this requires:

    • A change in config: Validation.Ftp.UseGnuTls = true
    • The pluggable x64 release of win-acme (it is not available for x86 or ARM due to limitations of the upstream package, and also doesn't work on the trimmed build)
    • Download and extract the additional artifact gnutls.v{build}.x64.zip

    We recommend you only do this as a last resort when other validation methods fail, because there are some limitations of this connection method documented on the link above. This was all initiated based on feedback by @cuper6.

Enhancements

  • A new toggle has been added to settings.json which allows you to disable certificate validation for the ACME endpoint, useful for people running their own ACME CA using a self-signed certificate (requested by @100110010111 in #2431).
  • The Azure DNS validation plugin no longer requires permissions to the Resource Group that hosts the DNS zone. Thanks to @sveng-r for testing in #2372.
  • @jcazier-umich improved the ImportJKS.ps1 example script by using $env:JAVA_HOME instead of a hardcoded path (#2408).
  • Improved documentation and validation for the Google Cloud DNS plugin, based on feedback from @timothydilbert.
  • When customizing the notAfter settings, fractional seconds are no longer sent to the server, because that level of accuracy is overkill and some providers throw errors upon receiving them (thanks for testing @timothyd09 in #2394)
  • Update various third party dependencies (Autofac, FluentFTP, MailKit, Serilog, etc.)
  • More verbose logging for DNS pre-validation in case of query failures

Bug fixes

  • Filter illegal characters from the ClientName setting when creating the scheduled task, preventing failures (reported by @andrewsauder in #2410).
  • In rare circumstances sorting the renewals in the Renewal Manager could result in an error (reported by @nrcionline in #2401).
  • The Central Certificate Store plugin was broken for international domain names (noticed by @Nelo-cool in #2434).
  • The PFX file plugin didn't properly update pre-existing files, which may have caused corruption upon renewal (noticed by @efficiondave in #2397).
  • The --nocache switch (and interactive menu option) could still reuse previously generated private keys.

v2.2.5.1

08 Jun 21:48
5ca0321

Bug fixes

  • Event and disk logging was broken in v2.2.5 due to a Serilog change that affected single-file publishing and therefore only showed up after the final redistributable was compiled. Thanks for the heads-up @tsimmons (#2395).
  • Round notAfter dates to whole hours, as at least Sectigo doesn't accept anything smaller, based on feedback from @timothyd09 (#2394)

v2.2.5

07 Jun 13:24
5b96536

New features

  • New command line argument --register which can be used to set up a new ACME account in unattended mode without the need to immediately create a certificate. Based on feedback from @ArthurHNL (#2391).
  • A new setting Order.DefaultValidDays can now be used to request certificates that are valid for a shorter time than the default offered by the server. Note that this is not supported by Let's Encrypt at this point, but it should work for Sectigo among others. Requested by @timothyd09 (#2394)
  • Customize the CSR signature algorithm using the settings Csr.Rsa.SignatureAlgorithm and Csr.Ec.SignatureAlgorithm. The defaults remain unchanged at SHA512withRSA and SHA512withECDSA respectively. As requested by @julieolson-gs (#2385).

Enhancements

  • The DNS resolver has been refactored to fall back to the default servers whenever authoritative servers cannot be found or contacted. This makes the algorithm more robust in firewalled, misconfigured or other exceptional network environments. On a related note, for new installations, we now also default to the local system DNS instead of trusted external ones like Google (8.8.8.8), which will also prevent users in secured environments from running into issues (based on feedback by @jamesarbrown #2389).
  • When the program fails to send an email notification, the SMTP messages will be shown to allow for easier troubleshooting. Suggested by @Zennate (#2388).
  • GoDaddy DNS validation makes it mandatory to provide an API secret. Legacy authentication using only an API key appears to have been deprecated by this provider. Noticed by @rafalsk in #2376.
  • Amazon/AWS Route53 DNS validation prompts and messaging is now more clear about expecting an IAM name instead of an ARN, preventing users like @TheSkorm from getting headaches while trying to guess at this (#2378).
  • RFC2136 DNS validation has learned to look up server host names, so that it's no longer required to configure an IP address (#2364, thanks for testing @JensSpanier).
  • RFC2136 DNS validation will now try to update/create records in different zones. E.g. if the record _acme-challenge.www.example.com cannot be created in the zone example.com (e.g. because it doesn't exist), it will also try to create it in the zone www.example.com (based on feedback by @jamesarbrown #2389).
  • Update various third party dependencies and remove some superfluous ones.

Bug fixes

  • The "More options" menu can be used to do initial account setup again, a feature that got lost in v2.2.3 (#2367, reported by @amuen2b).
  • Setting ScheduledTask.RenewalMinimumValidDays didn't have the desired effect anymore since v2.3.3 (#2371, reported by @marconfus).
  • In some rare cases the error message The added or subtracted value results in an un-representable DateTime could appear when loading renewals after an upgrade, reported by @akuropa.
  • The private key would not be included in the generated certificate if/when an ACME server decides to preface the PEM data with a comment, as was the case for @Moechen in #2342.
  • The program would fail to parse certificates when Windows is configured to use the Thai locale. Thanks to @baxing for reporting this (#2370).
  • RFC2136 DNS validation would not clean up records after validation (#2364, thanks for testing @JensSpanier).
  • The program did not import intermediate certificates since v2.1.18, thanks for the PR and bug report @AlexanderS.

v2.2.4

20 Apr 19:24
46e9aa5

New features

  • Experimental/beta version of RFC2136 validation (i.e. standard dynamic DNS updates), as requested by @loxK (#1741). The code is untested but based on a simple example provided by the author of ARSoft.Tools.Net, which we use to implement it. Would love to receive feedback on the working of the plugin.

Enhancements

  • Update various third party dependencies, including move to the official .NET Core version of Bouncy Castle that was released earlier this year.

Bug fixes

  • Renewals using a regular expression to filter IIS bindings created in version 2.1.x would not load properly in version 2.2.x, thanks @FootStark for the bug report! (#2361)
  • Set TTL=60 for Azure DNS validation when creating new RecordSet to prevent BadRequest error, noticed by @tenscrolls (#2359)

v2.2.3.1

15 Apr 19:21
0ef4d70

Bugfixes

  • Error decoding the (empty) response returned from ARI updates (#2353, thanks for the PR @jre-lsft)
  • Duplicate menu shortcut, making it impossible to select the second option (#2352, thanks @UweKeim)

v2.2.3

06 Apr 20:19
25d0bbd

New features

  • This release implements ARI, a draft extension proposal for ACME currently being deployed by Let's Encrypt that enables tighter integration between servers and clients. For example, the server can now tell the client when it feels a certificate should be renewed, both to spread load and to respond to security incidents. For now win-acme will only renew certificates earlier based on ARI suggestions, but not later. On the other side of the coin, the client can now tell the server if or when it stops caring about a certificate. When you cancel a renewal or a certificate is replaced by one with a different shape, we now let the server know. Note that this feature is enabled by default, but can be disabled using the RenewalDisableServerSchedule setting.
  • It's now possible to use multiple accounts for one ACME endpoint, which could come in handy for advanced EAB scenarios like that of @elitegoodguys (#2308), or if you'd like to fine-tune who receives server-sent notification emails about specific certificates. Besides the default account which everyone has or gets, you can now specify --account somename on the command line to create a certificate using a named account.
  • Added a DNS validation plugin for Infomaniak (#2332, thanks @fa18swiss)

Enhancements

  • When configuring a default password in settings.json for various plugins, the interactive menu will select it by default, so that a simple will confirm its use (#2345, suggested by @rboy1)
  • Handling of certificate revocation has significantly improved. The revoke event is now recorded in the renewal history and causes the renewal to immediately become due. Also we force issuing a new certificate with a new private key, even if/when the previous certificate is still within the cache period and/or the --reuse-privatekey parameter has been set.
  • For renewals using an order plugin to split the source into multiple certificates, we now show more (accurate) information. E.g. how many orders have been created, when each of them is due, when each of them was last renewed and what all of their most recent thumbprints were.
  • For renewals using a spread renewal period (either caused by the RenewalDaysRange setting or ARI information) we show both the start and end of the period.

Bug fixes

  • Fixed an issue that may have caused subtle misbehaviours in validation plugins that are not designed with parallelism in mind. Instead of creating a new instance of the plugin for every domain, the instances were re-used. This led to bug #2343 reported by @bluecompassinteractive, but may have manifested itself in other places as well.
  • Fixed multiple issues with the Azure DNS validation plugin (#2341, #2346). Thanks for helping @matthew-campbell-aranzmedical and @rgroenewoudt.
  • Fixed an issue that caused all certificates to be renewed prematurely when upgrading win-acme from version 2.1 to 2.2 (#2320, thanks @AliDodd and @jmcook).
  • Fixed a bug that prevented renewals with >100 domains from working. While that is not legal for a single certificate, it should be allowed when the renewal is split into different orders with less than 100 domains each (#2333, thanks @cvocvo)

v2.2.2.1

13 Mar 19:13
8fdb649

Bug fixes

  • Fixes "CryptographicException - Unable to store certificate" error that occurs when both PrivateKeyExportable and UseNextGenerationCryptoApi are disabled (#2329, #1350), introduced in 2.2.2 and reported by many users, first by @douglassimaodev
  • Fixes verbose mode not being enabled when using the /verbose syntax instead of --verbose
  • Fixes sensitive arguments being echoed back to the logs when using the /secret syntax instead of --secret