- An issue where Certbot's ACME module would raise an AttributeError
trying to create self-signed certificates when used with pyOpenSSL
17.3.0 has been resolved. For Certbot users with this version of
pyOpenSSL, this caused Certbot to crash when performing a TLS SNI
challenge or when the Nginx plugin tried to create an SSL server
block.
### Added
- The Nginx plugin now configures Nginx to use 2048-bit Diffie-Hellman
parameters.
### Changed
- certbot-auto now installs Certbot in directories under `/opt/eff.org`.
- The Nginx plugin can now be selected in Certbot's interactive output.
- Output verbosity of renewal failures when running with `--quiet` has
been reduced.
- The default revocation reason shown in Certbot help output is now a
human-readable string instead of a numerical code.
- Plugin selection is now included in normal terminal output.
### Fixed
- A newer version of ConfigArgParse is now installed when using
certbot-auto causing values set to false in a Certbot INI
configuration file to be handled intuitively.
- New naming conventions preventing certbot-auto from installing OS
dependencies on Fedora 26 have been resolved.
### Added
- Support in our nginx plugin for modifying SSL server blocks that do
not contain certificate or key directives.
- A `--max-log-backups` flag to allow users to configure or even completely
disable Certbot's built-in log rotation.
- A `--user-agent-comment` flag to allow people who build tools around Certbot
to differentiate their user agent string by adding a comment to its default
value.
### Changed
- Due to some awesome work by the cryptography project, compilation can now be
avoided on most systems when using certbot-auto.
- The `--renew-hook` flag has been hidden in favor of `--deploy-hook`.
- We have started printing deprecation warnings in certbot-auto for
experimentally supported systems with OS packages available.
- A certificate lineage's name is included in error messages during renewal.
### Fixed
- Encoding errors that could occur when parsing error messages from the ACME
server containing Unicode have been resolved.
- certbot-auto no longer prints misleading messages about there being a newer
pip version available when installation fails.
- Certbot's ACME library now properly extracts domains from critical SAN
extensions.
Added
- A plugin for performing DNS challenges using dynamic DNS updates as
defined in RFC 2316 (available separately).
- Plugins for performing DNS challenges for the providers DNS Made
Easy and LuaDNS (available separately).
- Support for performing TLS-SNI-01 challenges when using the manual
plugin.
- Automatic detection of Arch Linux in the Apache plugin providing
better default settings for the plugin.
Changed
- The text of the interactive question about whether a redirect from
HTTP to HTTPS should be added by Certbot has been rewritten to
better explain the choices to the user.
- Simplified HTTP challenge instructions in the manual plugin.
Fixed
- Problems performing a dry run when using the Nginx plugin have been
fixed.
- Resolved an issue where certbot-dns-digitalocean's test suite would
sometimes fail when run using Python 3.
- On some systems, previous versions of certbot-auto would error out
with a message about a missing hash for setuptools.
- A bug where Certbot would sometimes not print a space at the end of
an interactive prompt has been resolved.
- Nonfatal tracebacks are no longer shown in rare cases where Certbot
encounters an exception trying to close its TCP connection with the
ACME server.
Added
- Plugins for performing DNS challenges for popular providers
- IPv6 support in the standalone plugin.
- A mechanism for keeping your Apache and Nginx SSL/TLS configuration
up to date.
- --http-01-address and --tls-sni-01-address flags for controlling the
address Certbot listens on when using the standalone plugin.
- The command certbot certificates that lists certificates managed by
Certbot now performs additional validity checks to notify you if
your files have become corrupted.
Changed
- Messages custom hooks print to stdout are now displayed by Certbot
when not running in --quiet mode.
- jwk and alg fields in JWS objects have been moved into the protected
header causing Certbot to more closely follow the latest version of
the ACME spec.
Fixed
- Permissions on renewal configuration files are now properly
preserved when they are updated.
- A bug causing Certbot to display strange defaults in its help output
when using Python <= 2.7.4 has been fixed.
- Certbot now properly handles mixed case domain names found in custom
CSRs.
- A number of poorly worded prompts and error messages.
Removed
- Support for OpenSSL 1.0.0 in certbot-auto has been removed as we now
pin a newer version of cryptography which dropped support for this
version.
0.14.2
- Certbot 0.14.0 included a bug where Certbot would create a temporary
log file (usually in /tmp) if the program exited during argument parsing.
0.14.1
- Certbot now works with configargparse 0.12.0.
- Issues with the Apache plugin and Augeas 1.7+ have been resolved.
- A problem where the Nginx plugin would fail to install certificates on
systems that had the plugin's SSL/TLS options file from 7+ months ago
has been fixed.
Use ALTERNATIVES to handle different Python versions better.
0.14.0 - 2017-05-04
Added
- Python 3.3+ support for all Certbot packages. certbot-auto still
currently only supports Python 2, but the acme, certbot,
certbot-apache, and certbot-nginx packages on PyPI now fully support
Python 2.6, 2.7, and 3.3+.
- Certbot's Apache plugin now handles multiple virtual hosts per file.
- Lockfiles to prevent multiple versions of Certbot running
simultaneously.
Changed
- When converting an HTTP virtual host to HTTPS in Apache, Certbot
only copies the virtual host rather than the entire contents of the
file it's contained in.
- The Nginx plugin now includes SSL/TLS directives in a separate file
located in Certbot's configuration directory rather than copying the
contents of the file into every modified server block.
Fixed
- Ensure logging is configured before parts of Certbot attempt to log
any messages.
- Support for the --quiet flag in certbot-auto.
- Reverted a change made in a previous release to make the acme and
certbot packages always depend on argparse. This dependency is
conditional again on the user's Python version.
- Small bugs in the Nginx plugin such as properly handling empty
server blocks and setting server_names_hash_bucket_size during
challenges.
0.13.0 - 2017-04-06
Added
- --debug-challenges pauses Certbot after setting up challenges for
debugging.
- The Nginx parser can handle all valid directives in configuration
files.
- Nginx ciphersuites changed to Mozilla Intermediate.
- certbot-auto --no-bootstrap won't install OS dependencies.
Fixed
- --register-unsafely-without-email respects --quiet.
- Hyphenated renewalparams are now saved in renewal config files.
- --dry-run no longer persists keys and csrs.
- No longer hangs when trying to start Nginx in Arch Linux.
- Apache rewrite rules no longer double-encode characters.
0.12.0 - 2017-03-02
Added
- Allow non-camelcase Apache VirtualHost names
- Allow more log messages to be silenced
Fixed
- Fix a regression around using --cert-name when getting new
certificates
All py-certbot self tests pass.
39 self test failures in py-acme (running py.test), one core dump
in openssl (running make test).
Changes:
Test bug fixes
No changelog released, commits closed for 0.10.0:
- Stop IDisplay AssertionErrors
- Add update_symlinks to "--help manage"
- Hide rename command for 0.10.0
- Disable rename command for 0.10.0
- Break on failure to deploy cert
- Incorrect success condition in nginx
- certbot delete and rename evoke IDisplay
- Put update_symlinks in certbot --help manage
- Fix Error Message for invalid FQDNs
- pyopenssl inject workaround
- pyparsing.restOfLine is not a function, don't call it
- Add information on updating [certbot|letsencrypt]-auto
- Remove quotes so tilde is expanded
- Correctly report when we skip hooks during renewal
- Add line number to Augeas syntax error message
- Mention line in (Apache) conf file in case of Augeas parse/syntax
error
- Fixes #3954 and adds a test to prevent regressions
- Further OCSP improvements
- `-n` doesn't like `force_interactive`?
- Save allow_subset_of_names in renewal conf files
- I promise checklists are OK (fixes #3934)
- Return domains for _find_domains_or_certname
- --cert-name causes explosions when trying to use "run" as an installer
- Interactivity glitch in git master
- Document some particularities of the revoke subcommand
- test using os.path.sep not hardcoded /
- Save --pre and --post hooks in renewal conf files, and run them in a
sophisticated way
- Don't add ServerAlias directives when the domain is already covered by
a wildcard
- Mitigate problems for people who run without -n
- Use relative paths for livedir symlinks
- Implement delete command
- Use isatty checks before asking new questions
- Ensure apt-cache is always running in English if we're going to grep
- Sort the names by domain (then subdomain) before showing them
- Merge the manual and script plugins
- --allow-subset-of-names should probably be a renewalparam
- Fix certbot-nginx address equality check
- Implement our fancy new --help output
- Make renew command respect the --cert-name flag
- Error when using non-english locale on Debian
- Document defaults
- Improve simple --help output
- Add pyasn1 back to le-auto
- Mark Nginx vhosts as ssl when any vhost is on ssl at that address
- Fully check for Nginx address equality
- Preserve --must-staple in configuration for renewal (#3844)
- Git master certbot is making executable renewal conf files?
- Improve the "certbot certificates" output
- Renewal: Preserve 'OCSP Must Staple' (option --must-staple)
- Security enhancement cleanup
- Parallelise nosetests from tox
- "certbot certificates" is API-like, so make it future-proof
- Fix LE_AUTO_SUDO usage
- Remove the sphinxcontrib.programout [docs] dependency
- No more relative path connection from live-crt to archive-crt files
- Ensure tests pass with openssl 1.1
- Output success message for revoke command
- acme module fails tests with openssl 1.1
- Pin pyopenssl 16.2.0 in certbot-auto
- Fixed output of `certbot-auto --version` (#3637).
- Take advantage of urllib3 pyopenssl rewrite
- Busybox support
- Fix --http-01-port typo at source
- Implement the --cert-name flag to select a lineage by its name.
- Fix reinstall message
- Changed plugin interface return types (#3748).
- Remove letshelp-letsencrypt
- Bump pyopenssl version
- Bump python-cryptography to 1.5.3
- Remove get_all_certs_keys() from Apache and Nginx
- Further merge --script-* with --*-hook
- Certbot opens curses sessions for informational notices, breaking
automation
- Fix writing pem files with Python3
- Strange reinstallation errors
- Don't re-add redirects if one exists
- Use subprocess.Popen.terminate instead of os.killpg
- Generalize return types for plugin interfaces
- Don't re-append Nginx redirect directive
- Cli help is sometimes wrong about what the default for something is
- [certbot-auto] Bump cryptography version to 1.5.2
- python-cryptography build failure on sid
- Remove sphinxcontrib-programoutput dependency?
- Allow notification interface to not wrap text
- Fix non-ASCII domain check.
- Add renew_hook to options stored in the renewal config, #3394
- Where oh where has sphinxcontrib-programoutput gone?
- Remove some domain name checks.
- Allowing modification check to run using "tox"
- How to modify *-auto
- Don't crash when U-label IDN provided on command line
- Add README file to each live directory explaining its contents.
- Allow user to select all domains by typing empty string at checklist
- Fix issue with suggest_unsafe undeclared
- Update docs/contributing.rst to match display behavior during release.
- Referencing unbound variable in certbot.display.ops.get_email
- Add list-certs command
- Remove the curses dialog, thereby deprecating the --help and --dialog
command line options
- Specify archive directory in renewal configuration file
- 0.9.1 fails in non-interactive use (pythondialog, error opening
terminal)
- Allow certbot to get a cert for default_servers
- [nginx] Cert for two domains in one virtualhost fails
- [nginx] --hsts and --uir flags not working?
- `certbot-auto --version` still says `letsencrypt 0.9.3` (should say
`certbot 0.9.3`?)
- Add a cli option for "all domains my installer sees"
- Stop rejecting punycode domain names
- Standalone vs. Apache for available ports
- nginx-compatibility-weirdness
- Support requesting IDNA2008 Punycode domains
- Cert Management Improvement Project (C-MIP)
- Add --lineage command line option for nicer SAN management.
- Fix requirements.txt surgery in response to shipping certbot-nginx
- Use correct Content-Types in headers.
- Missing Content-Type 'application/json' in POST requests
- Script plugin
- Inconsistent error placement
- Server alias [revision requested]
- When getopts is called multiple time we need to reset OPTIND.
- certbot-auto: Print link to doc on debugging pip install error
[revision requested]
- Update ACME error namespace to match the new draft.
- Update errors to match latest ACME version.
- Testing the output of build.py against lea-source/lea
- Make return type of certbot.interfaces.IInstaller.get_all_keys_certs()
an iterator
- Fix requirements file surgery for 0.10.0 release
- Update Where Are My Certs section.
- Hooks do not get stored in renewal config file
- Multiple vhosts
- Bind to IPv6, fix the problem of ipv6 site cannot generate / renew
certificate [revision requested]
- Warning message for low memory servers
- Run simple certbot-auto tests with `tox`
- letsencrypt-auto-source/letsencrypt-auto should be the output of
build.py
- DialogError should come with --text instructions
- Support correct error namespace
- Verification URL after successful certificate configuration can't be
opened from terminal
- Use appropriate caution when handling configurations that have complex
rewrite logic
- `revoke` doesn't output any status
- adding -delete option to remove the cert files
- Stop using simple_verify in manual plugin
- Ways of specifying what to renew
- Allow removing SAN from multidomain certificate when renewing
- Dialog is sometimes ugly
- Allow user to override sudo as root authorization method [minor
revision requested]
- Add a README file to each live directory explaining its contents
- ExecutableNotFound
No changelog available, issues closed since 0.8.1:
certbot 0.9.1
- Make --quiet reduce the logging level
certbot 0.9.0
- Allow tests to pass without dnspython
- Remove psutil dep
- Renew symlink safety
- Update Nginx redirect enhancement process to modify appropriate
blocks
- If lineages are in an inconsistent (non-deployed) state, deploy
them
- Restructure how Nginx parser re-finds vhosts, and disable
creating new server blocks.
- Remove pointless question
- Tie Nginx OCSP stapling to enhancements system
- Nginx server block selection: Handle non-80/443 ports
- Include log retention count to 1000.
- Make parser.py: add_server_directives documentation consistent
with functionality
- Fix Nginx prompt
- Make Nginx error out if no matching server block is found
- Only suggest names LE will accept
- Implement Nginx server block selection
- should_autorenew ignores symlinks
- Fixes cffi errors in Travis during oldest tests
- DNS challenge support in the manual plugin and general purpose
--preferred-challenges flag
- Fixed hash_bucket_size detection for nginx
- Support both invalidEmail and invalidContact errors
- Removes duplication between README.rst and resources.rst
- Psutil tests
- Allow tests to run when psutil isn't available
- Tests fail on Certbot package due to missing psutil dependency
- Hide the Nginx plugin
- Add the Nginx plugin to certbot-auto
- OCSP stapling in Nginx
- Nginx plugin selection
- Add certbot-nginx to certbot-auto
- Missing links in README
- clarify invalid email error in non-interactive
- Replace '-' with '_' before filtering plugin settings
- Fix extra or lack of spacing between words in help for renew
flags
- Fix Travis tests
- Avoid importing conflicting security policy directives
- Change log rotation scheme
- Plugins with hyphens do not receive their args during renewal
- Handle dns01 challenge into the manual plugin [see #3466]
- Enable unit tests of certbot core on Python 3
- Add os-release ID_LIKE parsing if original distribution mapping
not found in constants
- Fix README typo
- Nginx plugin domain selection
- Fix spacing of nginx redirect blocks
- Rationalise challenge and port selection flags
- Remove psutil from requirements.txt
- prevent Github commits from modifying certbot-auto and
letsencrypt-auto
- Gradually remove psutil dependency, bugfix [URGENT]
- psutil fails to install because hash is missing when running
certbot-auto
- Failure to start Nginx after configuring redirect
- Prepare docs to turn off the wiki
- Certbot apache plugin fails with TypeError: 'NoneType' object
has no attribute '__getitem__'
- Change fatal warning to a fatal message
- Fatal warnings
- Apache default default
- Deprecation fixes
- New docs structure and introduction
- Nginx charset_map and ${VARIABLE_SUBSTITUTION} parsing
- Unclear error about invalid email in non-interactive mode
- Use simple socket test for port availability if psutil not found
- Python 3 support for certonly
- Set dialog widgets to use autowidgetsize
- Errors when run without root
- Apache plugin PATH fallback
- Automatically enable EPEL after prompting users
- Multi-topic help listings
- Installer error
- Explain why Apache [appears] not to be installed
- ErrorHandler causing errors
- Update FreeBSD package name
- Comment out corresponding RewriteConds for filtered RewriteRule
- Permissive parsing of nginx map blocks
- add nginx round-trip tests to tox/travis
- Fix Unix signal handling in certbot.error_handler.ErrorHandler
- Resuming error handling functions after a signal
- Only write nginx config files if they've been modified
- If the user picks "cancel" from the Apache vhost selection menu,
Certbot doesn't exit
- certbot removes http->https rules corrupts ruleset
- Fix typo
- Better document plugins and reversion
- Nginx parser apparently can't parse "map"
- Nginx plugin shouldn't write files it hasn't changed
- Fix Nginx reversion
- Merge Augeas fix for comment line continuations
- Remove warning about nginx options file
- Explain the most likely cause of a missing replay nonce error
- Bump pyca package versions
- Don't add wildcard listen if user has more specific
configuration
- Remove unused nosexcover dependency
- Cleanup dev setup
- Nginx space preservation
- Set dialog widgets to use autowidgetsize
- Printing pip output to terminal when -v is used
- Log new cert and cert renewal
- Log whether renewing or obtaining a new certificate
- Added the argument --quiet and -q so then when used with a
regular user there is no output to the screen.
- certbot-auto not quiet when used with regular user
- Adding sensible UI logging for typical user
- Replace psutils dependency
- Display DialogError details correctly
- -v implies --text
- Fix FQDN checks, closes #3057 and #3056
- Bug in FQDN detection: installer wrongly interprets _
- Installer thinks bare TLD is not a valid FQDN
- Limiting tox envlist to really needed tests
- trouble with Listen directives in CentOS 7 / ssl.conf
- Remove dangling footnote
- certbot-apache fails to parse files with comma in the filename
- pip and verbosity
- Dialog error messages
- NcursesDisplay.menu: treat ESC as cancel
- More useful error when running as non-root?
- -v should imply --text
- Update tox/instructions
- Error that results when run without root is unclear
- Enable EPEL in RPM bootstrapper
- Add dns-01 challenge support to the ACME client
- Apache plugin fails to parse OWASP's ModSecurity ruleset
- Audit nginx plugin for guaranteed config reversion in case of
error
- NoInstallationError() from Apache plugin within renewal cron
jobs due to /usr/sbin not being in the PATH
- nginx http redirect
- "No installers" error message not clear
- HelpfulArgumentParser should know about flags that are relevant
to several topics
- Nginx configurator should preserve whitespace on output
- server blocks added to nginx.conf
- Nginx fails if ssl_session_cache already defined
- nginx leaves dirty/modified config files
- Sensible UI logging for typical user
- nginx plugin issue with server block containing multiple
servernames
No changelog provided, Github issues touched:
- Update the autos in response to 0.8.1 release
- Fix default detection
- Provide nonroot guidance when logging gets EACCES.
- Add additional warning with actual exception message during
renewal
- Interactive webroot values not stored in renewal config file
- Preserve common name during renewal
- Mageia Bootstrap
- Initialize Augeas in a different method to be able to react to
ImportError
- Renew changes common name
- Update letsencrypt-auto in response to Arch package rename
- On Mac OSX: "ValueError: Invalid header value"
- Strip "\n" from end of OS version string for OS X.
- Revert "Use --force-reinstall to fix bad virtualenv package"
- Exit if cannot bootstrap in certbot-auto
- Add --disable-hook-validation
- --post-hook validation too strict
- letsencrypt-auto gives "sudo" is not available
- mageia bootstrap [needs revision]
- Install/compile fails of letsencrypt-auto on Smartos/Illumos
Changes in 0.8.0
- The main new feature in this release is the register subcommand
which can be used to register an account with the Let's Encrypt
CA. Additionally, you can run certbot register
--update-registration to change the e-mail address associated
with your registration.
Full commit log since 0.7.0:
https://github.com/certbot/certbot/compare/v0.7.0...v0.8.0
Changes in 0.7.0:
- --must-staple to request certificates from Let's Encrypt with the
OCSP must staple extension
- automatic configuration of OCSP stapling for Apache
- requesting certificates for domains found in the common name
of a custom CSR
- a number of bug fixes
Full commit log since 0.6.0
https://github.com/certbot/certbot/compare/v0.6.0...v0.7.0
Certbot, previously the Let's Encrypt Client, is EFF's tool to
obtain certs from Let's Encrypt, and (optionally) autoenable HTTPS
on your server. It can also act as a client for any other CA that
uses the ACME protocol.