
Releases: win-acme/win-acme

v2.1.13.1

07 Dec 07:48
bb5f083

Bug fixes

v2.1.13

05 Dec 20:57
6a751b3

New features

  • A new setting allows you to specify the preferred root authority. On January 11th Let's Encrypt will switch over to their own root certificate, which is not trusted by older Android versions and perhaps other (older) software. As a fallback, until September 30th it will still be possible to get certificates using the old root. In settings.json you can configure Acme.PreferredIssuer to be "ISRG Root X1" if you want to start testing with the new root today, or "DST Root CA X3" to keep using the fallback as long as it lasts.
  • A DNS validation plugin for Dutch hosting company TransIP is now available from the releases page. Note that this provider is not very fast updating its records after their API has accepted the changes, so it's highly recommended to roughly double either PreValidateDnsRetryCount and/or PreValidateDnsRetryInterval in settings.json.

Enhancements

  • The program is now built on .NET 5.0 instead of .NET Core 3.1. This should not have much user impact, but it allows us to keep up to date with the latest Microsoft technologies and should solve some annoying issues, such as the startup problems reported in #1632 by @MarcoMiltenburg.
  • The program will now refuse to start when it detects that another instance on the same machine is already working on the same configuration path. A warning will be logged when it detects that another instance is running for a different configuration path. Running multiple instances in parallel can cause issues in certain scenarios, for example when both try to make changes to IIS at the same time.
  • It's now possible to use plugins when using win-acme as a dotnet tool. To use them they need to be unpacked to %userprofile%\.dotnet\tools\.store\win-acme\{version}\win-acme\{version}\tools\net5.0\any. We realize this is not the most user friendly experience and might come up with better solutions in the future. Requested by @rprouse in #1691.
  • The path to the program used for a newly created scheduled task is now quoted when necessary, reported by @Phil-G in #1704.
  • An example PowerShell script to use win-acme for the Windows Admin Center was submitted by Matthew Barreiro, thanks!

Bug fixes

  • #1706 - Crash fix for the DigitalOcean plugin when using domain substitution for the acme-challenge subdomain. Thanks for the contribution @Skulblaka.
  • #1700 - It was not possible to use TLS-ALPN-01 validation from the command line, reported by @andrianovSupplerus.

v2.1.12

02 Nov 19:33
44b401c

New features

  • #1648 - This release adds support for ZeroSSL as a (free) alternative to Let's Encrypt, further broadening the range of service providers that win-acme can be used with. A ZeroSSL account can be created using email signup, EAB credentials or an API key from an existing account. Requested by @trekmp.
  • #1684 - win-acme is now available as a .NET tool, so if you have .NET Core installed on your system it can be installed or updated from the command line using dotnet tool install win-acme --global. Note that it currently only works as a global tool and plugin support has not been tested yet. Idea from @jachin84.

Enhancements

  • Update various NuGet packages for upstream bugfixes
  • Update the Public Suffix List for uses that cannot download it dynamically each run
  • Add a random delay of up to 2 hours to the scheduled task to help alleviate potential performance issues for service providers. E.g. for new installs the scheduled task will run sometime between 9 am and 11 am. This does not affect existing installs and of course it is still configurable and customizable.
  • We now log if we're running as a 32 bit or a 64 bit build.
  • Add extra logging to track down possible bug #1678

Bug fixes

  • #1680 - Fixed a bug that caused partially validated orders to fail in multithreaded mode, reported by @alexhass.
  • Fixed a bug that caused multithreaded mode to be enabled by default for people upgrading from 2.1.8 or below
  • #1675 - @Skulblaka fixed a bug in the DigitalOcean plugin so that it can now validate subdomains, reported by @wsaca. Thanks both!
  • #1676 - Version 2.1.11 would exit the process with code -1 (error) if one or more renewals were not due, thanks @RealAmes for noticing!

v2.1.11

02 Oct 04:26
160ed1a

Enhancements

  • #1659 - The --webroot argument can now be used to override the path read from an IIS target, suggested by @Vershner
  • #1651 - Outgoing http requests now include a user-agent header, contributed by @monomosc
  • #1668 - grantemsley contributed an example script that updates the Azure AD Application Proxy
  • Log/print 64b or 32b builds at startup, along with the version information
  • More specific error messages for InvalidOperationExceptions
  • When a renewal fails, the exit code for the scheduled task no longer indicates success

Bug fixes

  • #1661 - The Digital Ocean plugin was missing RestSharp.dll in its package, thanks @viktor2097 for the report.
  • #1665 - Fix crash when the program is unable to place an order for whichever reason (e.g. invalid nonce, rate limit, etc.).
  • #1669 - Fix logic bug where folders are not cleaned up properly, thanks @Franciscorp
  • #1657 - Fix bug in DNS script validation reported by @belope
  • A validation failure was not considered fatal in all cases, causing the program to unnecessarily try to continue

v2.1.10

01 Aug 20:40
c662521

New features

  • #1565 - Added support for external account binding, meaning that an ACME registration can be linked to a pre-existing account created with the service provider. This can be used by the service provider to provide extra services which cannot be delivered to (semi)anonymous users, e.g. organisation validation or paid certificates. The ACME registration is linked to the external account by means of an HMAC key, which can be provided through the interactive menu upon first use of the service, or from the command line using --eab-key-identifier and --eab-key. Requested by @kgeis.
  • #1626 - Added a new DNS validation plugin for DigitalOcean, contributed by @Skulblaka.
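To show what the --eab-key-identifier and --eab-key values described above are actually used for, here is an added example (not win-acme's own code) that builds and verifies the externalAccountBinding object an ACME client sends with its newAccount request, as specified in RFC 8555 section 7.3.4. The key identifier, HMAC key, directory URL and account JWK are all constructed sample values.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME/JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed sample values, standing in for what a CA's portal hands out
# (win-acme: --eab-key-identifier and --eab-key). Not real credentials.
EAB_KID = "example-kid-0001"
EAB_KEY_B64URL = b64url(b"secret-hmac-key-for-eab-demo")
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"  # hypothetical endpoint

# Constructed EC P-256 public JWK of the ACME account key (not a usable key).
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def build_eab(kid: str, key_b64url: str, account_jwk: dict, new_account_url: str) -> dict:
    """Client side: a JWS with alg HS256 whose payload is the account public key,
    MACed with the shared EAB key. No nonce is included in the protected header."""
    protected = b64url(json.dumps(
        {"alg": "HS256", "kid": kid, "url": new_account_url},
        separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(key_b64url), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, key_b64url: str, account_jwk: dict) -> bool:
    """CA side: recompute the MAC with the key registered for the kid and check that
    the bound key is the account key the newAccount request is signed with."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(key_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk


def new_account_payload(eab: dict, contact: str) -> dict:
    """The newAccount body the client then signs with its account key."""
    return {"termsOfServiceAgreed": True, "contact": [contact],
            "externalAccountBinding": eab}


if __name__ == "__main__":
    eab = build_eab(EAB_KID, EAB_KEY_B64URL, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(new_account_payload(eab, "mailto:admin@example.test"), indent=2))
    print("verifies:", verify_eab(eab, EAB_KEY_B64URL, ACCOUNT_JWK))
```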

Enhancements

  • #1485 - @inkahootz updated the Azure plugin to support alternative endpoints, e.g. to be able to use the Germany, US Government or China regions, but presumably this should also work for Azure Stack instances at various service providers.
  • Audun Skjelnes contributed an example script for KEMP Loadmaster.
  • When importing renewals from version 1.9.x, by default those will be configured to use both the PemFiles and the PfxFile store plugins to the certificate cache folder to make their behaviour more similar to that of the legacy release. This should make the upgrade experience smoother.
  • Only the most recent ten history entries will be displayed in the "Show details" menu of the renewal manager.
  • The process of writing renewals back to disk is now more reliable, due to a sanity check on the JSON serializer and working with a backup/replace mechanism instead of a direct overwrite of the previous file.
  • #1618 - When an error occurs early during startup, the process no longer exits immediately, making error messages (e.g. about a corrupted settings.json) more easily visible to a user working from the Windows desktop.
  • #1628 - The PemFiles store plugin will now output an extra file that contains only the chain certificates, i.e. excluding the actually issued certificate. This improves its usefulness for some software like Apache Tomcat. Requested by @ShaynaFishman.

Bug fixes

  • #1533 - A bug introduced in version 2.1.9 caused the http-01 selfhosting validation to fail in certain conditions, thanks to @Gachpen, @mtnhomes and others for reporting this.
  • A bug introduced in version 2.1.9 caused only the first email address in the list to receive notifications.
  • #1614 - Fix a crash when an acme-dns registration cannot be confirmed due to DNS failure, thanks to @LumKitty for the report.
  • #1620 - Fix a crash when using multiple store plugins of the same type, reported by @srishmawi.
  • #1625 - Fix an ugly warning message when trying to check if a non-existing folder is empty, reported by @djmcfar.
  • #1631 - Change the menu shortcut for "Analyze duplicate renewals" because it conflicted with "List all renewals", as noticed by @SistemasMabisy.
  • #1623 - Improve support for non-English languages, thanks @fatihkizmaz
  • #1623 - When providing invalid input for --installation, the error message would report a problem with --store instead.
  • Fix cache bug using DNS domain substitution (CNAME's) in multithreaded mode.

v2.1.9

10 Jul 11:34
594d90b

New features

  • Experimental: multithreaded validation. The most difficult part of ordering ACME certificates is to provide proof of ownership for the host name(s) that are to be included. The validation process can take a decent amount of time because services like Let's Encrypt have to be thorough to maintain the trust of the international community. For example, they examine the challenge answers from multiple locations around the world to ensure that some localized network level attack doesn't allow hackers to illegally obtain a certificate. There is nothing we can do to speed up a single validation, but for certificates with multiple host names, we can. We currently validate each host name in serial order, which means there is a lot of unnecessary waiting, because each validation is in theory completely independent of any others. Using the new DisableMultiThreading setting you can now opt in to parallel validation, meaning that your SAN certificates will validate much faster (the setting is named like that because multithreading should become the new default in a future release).
  • A similar new feature is batch preparation and cleanup which allows plugins to work more efficiently during the stages before and after validation. DNS validation plugins that want to support multithreaded validation need to be able to manage multiple active TXT records. In some cases it's possible to create and delete these records using a single call instead of one by one, providing an additional performance win. So far this has only been implemented for Azure plugin.

Enhancements

  • #1586 - Additional parameters have been made available for custom DNS validation scripts. Specifically there is {ZoneName}, which is replaced with the registerable domain, and {NodeName}, which is the part of the {RecordName} remaining after stripping off the registerable domain (or @ if they are equal). Requested by @hlsantos.
  • #1602 - Searching by friendly name is no longer case sensitive, requested by @Smurgl
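The {NodeName} rule described above is easy to get wrong with naive string stripping, so here is an added example (not win-acme's own code, and shown in Python for readability; the same logic applies inside a PowerShell DNS script) that derives {NodeName} from {RecordName} and {ZoneName}, including the "@" case and a record that merely shares a suffix with the zone. The argument template and the {Token} placeholder are assumptions for illustration.

```python
def node_name(record_name: str, zone_name: str) -> str:
    """Return the {NodeName} value for a DNS validation script: the part of
    {RecordName} left after stripping {ZoneName}, or '@' when they are equal.
    Raises ValueError if the record is not actually inside the zone."""
    rec = record_name.strip().rstrip(".").lower()
    zone = zone_name.strip().rstrip(".").lower()
    if rec == zone:
        return "@"
    # Match on a label boundary: 'notexample.com' is NOT inside 'example.com',
    # even though a plain endswith('example.com') check would accept it.
    if not rec.endswith("." + zone):
        raise ValueError(f"{record_name!r} is not within zone {zone_name!r}")
    return rec[: -(len(zone) + 1)]


def script_arguments(record_name: str, zone_name: str, token: str) -> str:
    """Expand an argument template the way a DNS script would receive it.
    {ZoneName}, {NodeName} and {RecordName} are the placeholders from the
    release notes; the template and {Token} are constructed for this example."""
    template = "add {ZoneName} {NodeName} {RecordName} {Token}"
    return template.format(
        ZoneName=zone_name,
        NodeName=node_name(record_name, zone_name),
        RecordName=record_name,
        Token=token,
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    for rec, zone in [("_acme-challenge.www.example.co.uk", "example.co.uk"),
                      ("example.co.uk.", "example.co.uk")]:
        print(rec, zone, "->", node_name(rec, zone))
    print(script_arguments("_acme-challenge.example.com", "example.com", "sample-token"))
```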

Bug fixes

  • #1567 - After sending an email, the connection with the SMTP server was not nicely closed, reported by @hlsanton
  • #1568 - We were too strict on the ACME standard for DigiCert, reported by @Stan-Tastic.
  • #1569 - Interactive mode now respects command line arguments as overrides for the global defaults, reported by @DamienLaw
  • #1578 - The Route53 plugin would crash when multiple zones have been configured for the same host name. It would also potentially attempt to update private zones, which are ignored now, reported by @tsimmons
  • #1591 - The default path setting for the PfxFile store plugin was not applied, reported by @cutig3r
  • #1593 - The scheduled task health check used a case-sensitive method of checking the path, reported by @CriteriaFirst
  • #1600 - Fix crash when IIS is detected in the registry but not actually installed, reported by @darkworks
  • #1603 - Fix mixup between CentralSsl path and PemFiles path introduced in 2.1.8, thanks @yndtrud
  • #1605 - Fix annoying "Invalid anti-replay nonce" bug - reported by @morhans and others.

v2.1.8.1

03 Jun 21:04
e791885

Bugfixes

  • #1550 - Disable the order cache (introduced in version 2.1.6) because it could allow certificates to be installed without their private key in certain conditions, thanks @KevinMei-Github for the report! The order cache is a non-essential feature designed to prevent users from hitting rate limits while testing or debugging. We will evaluate over the coming weeks whether to redesign or remove it.
  • #1558 - Fix edge case in DNS CNAME resolution where multiple hosts are valid to create TXT records, thanks @mohamed-shehata-m for the report!
  • #1509 - Improved reliability of creating new bindings in IIS, thanks @stevenbarker for the stack trace that led to this fix.

v2.1.8

31 May 18:46
c417987

New features

  • #1555 - A new store plugin has been added which simply writes a .pfx file to a folder. This was previously possible using either the CentralSsl plugin or through an installation script, but this is more convenient and easily discovered for beginners. Suggested by @Dolphyn5.
  • New order plugins have been added to create a separate certificate for each registerable domain or IIS site covered by the renewal target. These should still be considered beta.
  • @FWest98 contributed an example script for updating AD FS services.

Enhancements

  • #1543 - It's now possible to configure store and installation plugins of the same type more than once, e.g. if you need to run two scripts or want to store your .pem files in two different locations.
  • #1551 - Email notifications now include log output, requested by @Virinum.
  • #1530 - When creating an IIS target it's no longer required to first pick "Choose specific bindings" from the menu and then type the indices of the bindings. You can now input the indices immediately. To facilitate this, the other filter options have been given letter shortcuts. Suggested by @BrianCanFixIT.
  • #1529 - Instead of only logging selected requests from AcmeSharpCore, now all http requests are logged to make debugging network level issues much easier. Suggested by @MasterChiefJon.
  • #1528 - When showing paged lists, space is now the shortcut for going to the next page instead of enter, meaning users will be much less likely to accidentally trigger the default menu option at the end of the list. Suggested by @BrianCanFixIT.
  • Improved feedback and logging on invalid command line input.
  • The recursive DNS resolver used for pre-validation is now more reliable when used with delegated domains.
  • Wildcard bindings are no longer hidden in "default settings" mode, because it's no longer hardwired to use HTTP-01 validation.
  • Updated NuGet package dependencies.
  • Better handling of file system permission issues.

Bug fixes

  • #1483/#1553 - Reliability improvement due to fixes for the single file application released by Microsoft in .NET Core SDK release 3.1.4.
  • #1524 - Route53 and Azure plugins could pick the wrong DNS zone to update if two zones with overlapping names exist in the same resource group. Discovered and fixed by @rvdginste.
  • #1534 - The computer name would not show up in the email notification unless it was explicitly configured.
  • #1532 - Fix crash when creating a new binding with an IPv6 address, reported by @Conrad-T-Pino.
  • Azure DNS validation got various bug fixes for delegated domains (TTL decrease and creation of @ records).
  • The certificate cache was broken for multi-order renewals.
  • Enhanced/corrected various log messages.
  • Don't continue the renewal process after one of the validations has failed.
  • Don't continue the validation process when no matching DNS zone can be found in Azure or AWS.

v2.1.7

02 May 19:41
b022031

Architecture

This release expands the conceptual framework of the program with a new class of plugins. Until now, if you manage lots of bindings in IIS, you only have roughly two options to make sure they are all accessible through https.

  1. Set up a renewal for all bindings. This works but is not a great solution, because you may run into limitations of the ACME server (i.e. the 100 domain limit for Let's Encrypt) and it's not adhering to best practices of operational security, because you are disclosing the existence of all other hosts on the server through the certificate shared by each of them.
  2. Diligently manage the renewals, adding, updating and cancelling them whenever something changes in IIS.

While we have strived to make this (micro)management easier over the years, I felt that there should be a fundamentally better way. So this release introduces the concept of an "order plugin", which allows multiple certificates to be created and installed from a single renewal.

For now there are two such plugins: the default and backwards compatible single plugin is there to make sure that nothing changes for those upgrading, and the host plugin creates a separate certificate for each host. The host plugin should be considered beta and is accessible from the command line only, by adding --order host at startup when you create a certificate. Future releases will add additional options (e.g. a site plugin to create a certificate for each site) and finetuning based on user feedback.

New features

  • #1479 - It's now possible to customize the default plugin for each of the six stages through settings.json. The old "simple mode" has been renamed to "default settings" mode to reflect this. Requested by @michaelsmoody.
  • #1514 - @albertofustinoni contributed a validation plugin for LuaDNS

Enhancements

  • #1481 - The http-01 selfhosting plugin may now be configured to listen to https requests using the --validationprotocol switch. Note that Let's Encrypt will always use plain http and port 80, so this is only useful when those requests are being redirected. Requested by @michaelsmoody.
  • #1490 - You may now customize the computer name reported in email notifications. The computer name is also added to the subject so that it's easier for those managing multiple servers with win-acme. Requested by @jon-f-novastor.

Bug fixes

  • #1448 - ACME protocol technicalities. Thought to be fixed in 2.1.6 already but not built correctly
  • #1487 - The --force switch was broken in 2.1.6, reported by @jon-f-novastore.
  • #1492 - Azure and Route53 plugins ignored proxy configuration. Reported by @wesochuck.
  • #1503 - When configuration was decrypted, private keys stored for the --reuse-privatekey parameter became inaccessible and new keys were generated. Discovered by @Virinum!
  • #1509 - Fix crash on corrupted IIS binding (missing certificate). Reported by @djgamerr.