Releases: win-acme/win-acme

v2.1.6.1

01 Apr 17:37
fd687a0

Bug fixes

  • #1475 - Improved log messages around domain substitution, spotted by @Virinum
  • #1476 - Empty "From" header in email notifications, also first reported by @Virinum

v2.1.6

29 Mar 11:22
ef2e8df

New features

  • #1466 - The program now supports the use of substitute domains for DNS validation. If your goal is to get a certificate for example.com using DNS validation, but the DNS provider for that domain does not support automation and/or your security policy doesn't allow third party tools like win-acme to access the DNS configuration, then you can set up a CNAME from _acme-challenge.example.com to another (sub)domain under your control that doesn't have these limitations. acme-dns (which we also support) is based on this principle, but now the same trick can be applied to any of the DNS plugins, meaning it can be done for Azure, Route53, Cloudflare, Dreamhost and your own scripts. The program will automatically recognize that you've created a CNAME and instruct the plugin to act accordingly.

Enhancements

  • #1435 - It's now possible to get the friendly name and thumbprint of the previously issued certificate as parameters to the script installation plugin. Contributed by @Jaecen, thanks!
  • #1437 - We have implemented MailKit to enable support for mail servers that offer implicit TLS (typically on port 465). Previously only servers with explicit TLS (typically on port 587) were supported. Thanks @ktoonsez for bringing this to our attention.
  • #1441 - Increased the default timeout for waiting on the ACME server to validate domains and create certificates from ~30 seconds to ~90 seconds. This gives Let's Encrypt and other services more time to do thorough validation. Note that due to the way settings are implemented, the new defaults don't automatically apply to existing installs. If you are faced with this issue please update your settings.json manually.
  • #1445 - The IIS FTP installation plugin now also checks and updates the default FTP site settings in IIS, requested by @medialabs-at. Note that it is still not possible to set up a new certificate directly targeting those settings, but they will be updated if the previous certificate has been manually linked there.
  • #1459 - For a long time the program has cached issued certificates for each renewal in order to a) provide additional information to the installation steps and b) prevent users from running into rate limits while experimenting with the program. Due to recent changes the latter use became mostly broken. Version 2.1.6 therefore implements a new order cache that works as an extra layer on top of the certificate cache and thus protects users from running into rate limits even when creating new renewals. This was noted by @barrar, among others.
  • #1364 - Solved a warning in the Cloudflare plugin and improved its error messages, thanks to @georg-jung for contributing!

Bug fixes

  • #1431 - Improved parsing of common name, reported by @los93sol
  • #1434 - --baseuri can now be a direct link to the ACME service directory, we no longer assume that the directory lives under {baseuri}/directory, reported by @Stan-Tastic in regards to DigiCert ACME services
  • #1448 - Accept HTTP status 201 as a valid answer in response to the finalizeOrder call. Encountered in the Nexus ACME tooling and not expressly forbidden by the RFC. Reported by @oregano87, thanks!
  • #1447 - @oregano87 spotted an issue that caused the renewal setup process to continue even though a fatal error had been encountered in setting up the acme-dns registration.
  • #1460 - Preliminary validation would potentially not see the correct TXT record when multiple records are present on the same host, causing it to mistakenly report an error. Thanks @lazzaronetu for getting us on the scent of that issue.
  • #1473 - Cancelling the certificate creation process in --test mode would incorrectly tell the user that the process had failed. It will now report that the process has been aborted.
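The CNAME substitution described under #1466 and the multiple-TXT-records fix under #1460, as an added Python example that is not win-acme code: it follows the CNAME chain from _acme-challenge.<domain> to find the name where the TXT record must actually be written, derives the DNS-01 TXT value from a key authorization the way RFC 8555 specifies, and checks that the expected value is present among all TXT records at that name instead of only the first one. The zone data, the delegated zone name acme.delegated.test and the looping names are constructed for this example.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for DNS answers: owner name -> [(rrtype, value), ...].
# "acme.delegated.test" is an assumed substitute zone under the operator's control.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "_acme-challenge.example.com.": [("CNAME", "example.com.acme.delegated.test.")],
    "example.com.acme.delegated.test.": [
        ("TXT", "stale-token-from-an-earlier-run"),  # second record on the same host
        ("TXT", "current-challenge-token"),
    ],
    "_acme-challenge.plain.test.": [("TXT", "plain-token")],  # no CNAME in use
    "_acme-challenge.loop-a.test.": [("CNAME", "_acme-challenge.loop-b.test.")],
    "_acme-challenge.loop-b.test.": [("CNAME", "_acme-challenge.loop-a.test.")],
}

Resolver = Callable[[str, str], List[str]]


def lookup(name: str, rrtype: str) -> List[str]:
    """Values of all records of `rrtype` at `name` (offline stand-in for a DNS query)."""
    return [value for rtype, value in ZONE.get(name, []) if rtype == rrtype]


def challenge_record_name(domain: str, resolve: Resolver = lookup, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<domain> and return the owner name where the
    TXT record must be written: the substitute name if a CNAME exists, else the original."""
    name = f"_acme-challenge.{domain.rstrip('.')}."
    seen: Set[str] = set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME chain from {domain} loops or is too long")
        seen.add(name)
        targets = resolve(name, "CNAME")
        if not targets:
            return name
        if len(targets) > 1:
            raise ValueError(f"{name} has more than one CNAME record")
        name = targets[0]


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 DNS-01 TXT content: base64url(SHA-256(keyAuthorization)), no padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_visible(domain: str, expected_txt: str, resolve: Resolver = lookup) -> bool:
    """Pre-validation check: the expected value must appear among ALL TXT records at the
    resolved name; unrelated records on the same host are tolerated, not reported as errors."""
    name = challenge_record_name(domain, resolve)
    return expected_txt in resolve(name, "TXT")
```

Swap `lookup` for a real resolver (for example one built on dnspython) to run the same checks against live DNS.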

v2.1.5

01 Mar 20:43
c76a096

New features

  • For those who hadn't noticed yet, we have moved to our own GitHub organisation and our own domain name https://win-acme.com/
  • Renewal management now offers a feature that analyzes your renewals and tells you when you have multiple renewals set up for the same host names and/or IIS websites, which can be the reason for any number of unexpected behaviours.

Enhancements

  • The renewal management menu now provides quick access to a specific renewal by letting you type one or more numbers directly after entering the menu, instead of having to go through filters to achieve a simple selection.
  • #1397 - More specific reasons specified for disabled menu options, instead of only the general suggestion to try running as an administrator.
  • Additional verbose logging messages added around the order and authorization steps, removed message about renewals not currently due from the Windows Event Viewer.
  • No longer crash at first-time startup when unable to create settings.json (e.g. due to not having write access to the program folder when running as non-admin); instead use settings_default.json
  • #1409 - Show a friendly and useful error message when settings.json contains invalid json, thanks for the report @LBegnaud
  • In some cases (e.g. when using the Central Certificate Store) the program would call CommitChanges to the IIS Manager when no changes were actually made
  • Performance improvements
    • #1410 - Better choice of data structures and simple caching mechanisms allows for much fewer and faster scanning of IIS bindings, tested with help of @Levan777.
    • #1407 - When deleting instances of the old certificate from the Central Certificate Store, we no longer scan all files in the folder, but only those potentially matching based on the old certificates' known host names, thanks for bringing this to our attention @redjockey!
  • Exceptions happening while writing the web.config file during HTTP-01 validation are no longer fatal but treated as warnings.
  • Increase default file log retention from 31 days to 120 days (covering a certificate's complete 90-day validity period plus a 30-day buffer).

Bug fixes

  • #1399 - Fix a bug where the program would be unable to continue past the authorization stage if there is a pre-existing valid authorization, but the renewal is re-configured with a different validation method and started using the --force switch. Thanks to @henrywol and @cpu for help figuring this out.
  • #1414 - The Try in default browser? question in --test mode caused a crash when answered with y, reported by @Valleriani
  • #1416 - In the menu Encrypt/decrypt configuration the path to the configuration file shown was incorrect.
  • In some specific circumstances when host names are configured in MiXeD cAsE, the program would get confused and attempt to create a duplicate binding in IIS.
  • The Run scheduled renewals option in the main menu is no longer disabled when no renewals are due, allowing users to run renewals that have become due prematurely because of target changes.
  • Renewals created with the legacy IISBinding, IISSite and IISSites target plugins would show duplicate values in the Show details for renewal menu options.
  • When unable to connect to the ACME service using operating system defaults for connection security, retry with TLS 1.2 forced. If that works, keep enforcing TLS 1.2 across all outgoing HTTP connections.
  • The CleanUp function of the validation plugin would not be called in all scenarios, potentially leaving certain resources in use when they're not needed anymore.

v2.1.4

04 Feb 20:04
7aa5cee

New features

In our quest to make the program simpler and more powerful at the same time, we've optimized the main menu so that it shows fewer options to confuse people and more information that administrators are likely to want to see, i.e. the total number of renewals managed, due and in error state.

The renewal management options have been placed in a new section that allows you to sort and filter renewals and apply the actions Run, Cancel, Revoke and Show details on them. The selection is remembered until you leave the management menu, so you can easily apply multiple actions on the same set of renewals. Future updates will increase the number of sorters, filters and actions, please feel free to provide ideas!

Enhancements

  • #1360 - It's now possible to skip the store step using the menu or command line (--store none), for scenarios where you fully want to rely on your custom installation script. Thanks @andrewheberle for the idea.
  • Added an example script that shows how to create or update a Java Key Store (.jks) file using a custom installation script.
  • If we are unable to verify the acme-dns configuration, the validation attempt will continue (with a warning logged) instead of fail, so that we don't block users with environments that make it difficult or impossible to verify the DNS records.
  • #1374 - It's now possible to revoke certificates in unattended mode using the new --revoke parameter. Proposed by @Micrologiciel.
  • Increase default timeout for requests to the ACME server from 8 seconds to 25 seconds, to be more tolerant to load issues and network timeouts.
  • #1382 - Importing renewals from version 1.9.x has become more user friendly. The program provides more feedback about the process and ensures the existence of an ACMEv2 account, the lack of which was the reason some users got stuck running their scheduled task. The documentation around this has also been clarified. Thanks to several users for sharing their experiences.
  • When revoking or cancelling renewals from the command line, it's now possible to use patterns with ? and * to match multiple renewals.
  • A basic connectivity check to the ACME server is run at startup to prevent surprises during renewal execution.

Bug fixes

  • #1109 - Fix an issue that could cause DNS pre-validation to fail with certain DNS servers, thanks @ericcan for providing a reproducible example case.
  • #1366 - The Cloudflare plugin would not properly delete the TXT records it created, thanks @georg-jung for the fix and @Virinum for the report!
  • #1371 - The --friendlyname parameter was ignored. First discovered by @movieghost.
  • #1389 - Fix PowerShell 2.0 process hanging, reported by @hkmaverick

v2.0.11.1

04 Feb 19:10
cbedc0e
Pre-release

Caution - this is NOT a general release

See release notes above.

This release is meant for Windows 2008 users who are unable to run the latest 2.1.x versions, but are forced to upgrade before November because Let's Encrypt will require POST-as-GET from that time. It lacks many bug fixes and quality of life improvements that were implemented in recent versions of the software. See this issue for more information: #1358.

To support Windows 2008 we have had to down-target from .NET Framework 4.7.2 to .NET Framework 4.6.1, which (for some very annoying technical reasons - dotnet/standard#567) means that we are not able to re-use accounts created using a previous 2.0.x release. If you're upgrading from 2.0.x to 2.0.11, you therefore have to delete Registration_v2 and Signer_v2 from your ConfigurationPath.

This does not apply to users migrating from 1.9.x, they will create a new account at the ACMEv2 server anyway.

v2.0.11

02 Feb 11:04
a8b2501
Pre-release

See release notes above.

v2.1.3.1

18 Jan 19:35
3bcf2aa

Bug fixes

  • #1361 - Revert back to the old color scheme on Windows version before 10 / Server 2016

v2.1.3

16 Jan 19:17
4289f25

New features

  • #1337 - @georg-jung was so kind to contribute a DNS validation plugin for Cloudflare, which is now available as an extra download just like the Route53 and Azure plugins.

Enhancements

  • As per best practices, the versions of the TLS protocol supported are left to be determined by the operating system, for better forwards and backwards compatibility.
  • Some progress has been made to enable integration testing, paving the way for future quality improvements
  • #1348 - Re-balanced auto-generated friendly names for certificates generated with the IIS plugin, to be more recognizable and potentially shorter.
  • acme-dns configuration may now be stored in the main configuration folder instead of a subfolder, making it default behaviour to share registrations between different ACME endpoints.
  • Improved caching of DNS lookup clients and resolving work, saving a little bit of time and memory.
  • Logging
    • Exception stack traces and severity levels are not shown unless running with --verbose
    • A new color scheme is used.
    • Warnings and errors are logged to disk as well
    • #1339 - We now log the command line arguments at startup for future reference, requested by @AGlezB
    • #1339 - The process identifier has been made available for custom logging, also requested by @AGlezB
    • #1345 - Improved error handling for invalid/empty targets, which turned out to be unclear, reported by @busitech
    • When using a custom logging path, a sub folder will be created for each ACME endpoint, as it effectively works with default logging.
  • Documentation
    • #1353 - Documentation around Microsoft Azure improved, thanks for the heads up @Mahdi-GoVanguard.
    • #1334 - Documentation about self-hosting plugin improved.
    • Example for custom logging with serilog.config added
    • #1344 - Broken link found by @stevenmyhre
    • #1345 - Improved documentation around RDS

Bug fixes

  • #1285 - @pelnarp discovered an issue that could cause an unattended run to get stuck waiting for user input if the scheduled task is not healthy.
  • #1333 - Recent versions of Windows introduced several new binding flags in IIS, i.e.
    - Disable TLS 1.3 over TCP
    - Disable Legacy TLS
    - Disable OCSP Stapling
    - Disable QUIC
    - Disable HTTP/2
    Unfortunately these were not properly handled by the program during renewals, causing the flags to be unset after each certificate update. Thanks @brunotl for the report!
  • #1336 - In environments with restricted access to DNS, prevalidation and acme-dns configuration validation could fail, thanks @LumKitty for the report.
  • #1338 - @dahanc fixed a bug in the path name cleaning which could cause exceptions when using specific endpoints for ACME or acme-dns.
  • #1342 - @mahrmediait reported that a .dll was missing from the Azure plugin package.
  • #1330/#1346 - After upgrading from 2.x to version 2.1.2, all renewals would be due because of a backwards compatibility issue in the certificate caching mechanism. Discovered by @Virinum and @Micrologiciel.
  • #1347 - The certificate chain was not included in the .pfx files generated for the IIS Central Certificate Store, reported by @art-b-d
  • #1350 - The program no longer stops the renewal if it's unable to write an intermediate certificate to the store. It will attempt to fall back to the user-configured store if it's unable to open the system store.

v2.1.2.641

19 Dec 07:17
f0e0bc4

New features

  • #1269 - Inspired by an initial idea and PR by @olivermue, this release introduces a new IIS target plugin that supersedes the three different ones that have existed since the dawn of this program's existence (i.e. Single binding of an IIS website, All bindings of an IIS website and All bindings of multiple IIS websites). There were three important goals that have been achieved with this new plugin:
    • Fully backwards compatible. Existing renewals and command line parameters work exactly like before.
    • More user-friendly. Simple mode got easier because users are not immediately confronted with the concept of a "target plugin", and generally the interface got a lot of touches that should help setting up certificates, for example the idea proposed by @MarcoMiltenburg in #1297.
    • More powerful. Instead of "hard-coding" a set of bindings to build a certificate for, it's now possible to use pattern matching and even regular expressions to create dynamic renewals.
  • #1074 - It's now possible to use the acl-fullcontrol setting to specify a list of users or groups that should get full permissions on the private key in the Windows Certificate Store. This is of particular interest to Microsoft Exchange admins, because the installation of cumulative updates might fail without these permissions properly configured. The documentation about Exchange has been updated to reflect this. First reported by @janwerner.
  • #1309 - It's now possible to connect to an acme-dns endpoint using basic authentication. Requested by @LumKitty.

Enhancements

  • #1296 - Handling of the certificate chain has been much improved. It should now work reliably for an arbitrary number of intermediate certificates and no longer depends on Windows to build chains, so there is no more confusion when an older intermediate certificate is still present on the system. Brought to our attention by @hb220.
  • #1283 - The program has become slightly more pro-active about creating and updating bindings during initial setup of a new certificate, specifically to accommodate the scenario where IPv4- and IPv6-specific bindings are present on the same website. Reported by @MarcoMiltenburg.
  • #1294/#1317 - The handling of the Public Suffix List had some problems discovered by @lukefoley and @hanschou. It has been improved in three ways. First, there is now a static version redistributed with the application, so that in highly secured environments it's not necessary to open up another connection. Secondly, the proxy settings are now applied during the download. Lastly, the program creates a cached version in its own configuration folder that remains valid for 30 days to improve startup times.
  • Terms of service are now logged and saved to disk even when they have been "pre-accepted" from the command line, just for future reference.
  • Runtime upgraded from .NET Core 3.0 to 3.1

Bug fixes

  • #1321 - The program could crash for a first-time user when not running as Administrator, due to being unable to create a category in the Windows Event Viewer. Reported by @439bananas and others.
  • #1277 - The program could crash in some cases when redirecting console output.
  • #1298 - When changing (properties of) the CSR, for example when switching from RSA to EC keys, the internal certificate cache would not be invalidated, leading to an unexpected and unwanted delay in the application of the change. Reported by @MarcoMiltenburg.
  • #1305 - @mindstormsking discovered that settings.config incorrectly contained a "ConfigPath" setting which is supposed to be "ConfigurationPath".
  • #1319/#1320 - Fixed a pair of bugs reported by @oregano87 that didn't get triggered by Let's Encrypt but were in violation of the ACME standard.
  • Import from 1.9.x still had some issues even after the previous fix in version 2.1.1, should be 100% again now.
  • Various possible null reference problems fixed using C# 8.0 Nullable Reference Types

2.1.2.636

Fixes two bugs discovered in the initial 2.1.2 release: #1326 and #1327. Thanks @TylerMitton and @randomevents!

2.1.2.641

Fixes another bug discovered in the initial 2.1.2 release: #1330. Thanks @Virinium.

v2.1.2.636

17 Dec 18:49
d9e9786
Pre-release

See release notes above.