v0.18.2

This patch release actually has some notable new features but nothing that affects existing API surface:

• New private keys are generated for every renewal (unless the new config property ReusePrivateKeys is set to true) -- previously, they were reused by default.
• New IssuerPolicy field to configure how to choose from multiple issuers. By default, the first issuer that successfully provided a certificate is used. (This is unchanged.) Now, however, the issuers can be shuffled to implement basic load balancing before trying them in succession.
• File storage locking mechanism is now more robust against short-lived locks in slow storage.
• The cert_obtained event info was fixed.

(Skip v0.18.1, as it contains a bug caught by integration tests downstream.)

What's Changed

• Generate new private keys for new certificates by @mholt in #237
• Issuer policies that can randomize issuer used by @mholt in #238

Full Changelog: v0.18.0...v0.18.2

v0.18.0

This update brings several optimizations and improvements:

• Don't access storage during on-demand TLS unless the subject is allowed in the first place
• Managers moved into on-demand config, since they operate only at handshake-time
• Experimental FallbackServerName that is like DefaultServerName, except this one applies even if a ServerName is specified in the handshake
• Several bug fixes, especially related to on-demand TLS and Managers

What's Changed

• Allow specifying http proxy via config by @georgmu in #212
• Allow the default cache logger to be set by @pwilloughby in #213
• Bump golang.org/x/text from 0.3.7 to 0.3.8 by @dependabot in #216
• Bump golang.org/x/net from 0.0.0-20220805013720-a33c5aa5df48 to 0.7.0 by @dependabot in #218
• obtain instead of renew cert if it does not exist in storage by @shitz in #221
• Use recursive query when checking for TXT records by @kizmc in #224
• Update & Improve CI by @wusatosi in #227
• chore: Skip slow tests on Windows by @francislavoie in #229
• Add a GetCertificateWithContext function by @ankon in #225
• Refactor certificate Managers by @mholt in #231
• Fix advanced cache initialization in README by @s111 in #198

New Contributors

• @georgmu made their first contribution in #212
• @pwilloughby made their first contribution in #213
• @dependabot made their first contribution in #216
• @shitz made their first contribution in #221
• @kizmc made their first contribution in #224
• @wusatosi made their first contribution in #227
• @s111 made their first contribution in #198

Full Changelog: v0.17.2...v0.18.0

v0.17.2

What's Changed

• Avoid nil dereferencing on errors by @ankon in #206
• Fix a panic when attempting to log when certificate should not be renewed by @antoniomika in #207

New Contributors

• @ankon made their first contribution in #206
• @antoniomika made their first contribution in #207

Full Changelog: v0.17.1...v0.17.2

v0.17.1

This release changes the OnEvent API in a slightly breaking way, so if you are using events, please check out the new doc: https://pkg.go.dev/github.com/caddyserver/certmagic#Config.OnEvent

The new API is more flexible and easier to use. We are also documenting the events in our README.

Some bug fixes and improved logging. Minimum version is now Go 1.18.

Full Changelog: v0.16.2...v0.17.1

v0.16.2

This release primarily improves DNS challenges, making them more efficient and correct (mostly edge cases).

What's Changed

• Fix deadlock and improve efficiency for wildcard DNS challenges by @mholt in dce2de2
• Improve Windows CI cache by @mohammed90 in #189
• Set EDNS0 to 1232 bytes per recommendation by @mohammed90 in #188
• Use OverrideDomain when cleaning up DNS solver by @gjung56 in #193

New Contributors

• @mohammed90 made their first contribution in #189
• @gjung56 made their first contribution in #193

Full Changelog: v0.16.1...v0.16.2

v0.16.1

Minor enhancement allowing customization of the propagation delay/timeout for DNS challenge.

Full Changelog: v0.16.0...v0.16.1

v0.16.0

This release is hopefully one of the last major tags before a more stable CertMagic 1.0. It includes a number of breaking changes (for the better, I promise) -- so please pay attention:

• ⚠️ All storage methods now require context.Context passed in. We also added it to CleanUpOwnLocks() and several other functions that end up calling Storage methods (e.g. CacheUnmanagedTLSCertificate()). Your editor, in combination with gopls (the Go language server) should be able to quickly tell you where context is missing.
• ⚠️ Storage methods now return fs.ErrNotExist if a file or key is not found, instead of certmagic.ErrNotExist, which has been removed. (The io/fs package did not exist when CertMagic was first written.)
• ⚠️ ACMEManager has been renamed to ACMEIssuer, and CertificateManager has been renamed to Manager. These renames make naming more consistent and accurate, and less confusing (since ACMEManager was not a CertificateManager, which is a new type).
• Certificate events now provide more useful, actionable information. See #150.

I have personally submitted PRs to the more popular known storage implementations as a courtesy to help deal with the breaking changes.

The nuances of the logic in preparing for DNS challenges have changed slightly, hopefully it will work in more environments.

Thanks to all who contributed! Sorry for any inconvenience with the breaking changes; that's the joy of pre-1.0 libraries. We're almost there, though. It's been 5 years and we might finally be starting to get good at things.

What's Changed

• storage: Require fs.ErrNotExist (fix #168) by @mholt in #170
• Propagate context in the Storage interface methods by @hairyhenderson in #155
• Fix crash because of a zero value cert in cache by @skeetmtp in #177
• Always call checkDNSPropagation in DNS01Solver by @crccw in #179
• Provide more detailed information in certificate events by @francislavoie in #150

New Contributors

• @hairyhenderson made their first contribution in #155
• @skeetmtp made their first contribution in #177

Full Changelog: v0.15.4...v0.16.0

v0.15.4

What's Changed

• Fixed order of certificate loading so that private keys are loaded first by @sam-lord in #171
• Managers: Ability to call GetCertificate from external certificate sources by @mholt in #163
• Support OverrideDomain is DNS01Solver by @crccw in #160

New Contributors

• @sam-lord made their first contribution in #171
• @crccw made their first contribution in #160

Full Changelog: v0.15.3...v0.15.4

v0.15.3

Enhanced OCSP stapling support. Fixed automatic replacement of revoked certificates for on-demand certificates and some other edge cases.

What's Changed

• duplicate OnDemand default value assign check by @rjbasitali in #153
• Fix cacheAlmostFull calculation by @skirsten in #156
• Fix force-renewing revoked on-demand certs by @mholt in #166

New Contributors

• @rjbasitali made their first contribution in #153
• @skirsten made their first contribution in #156

Full Changelog: v0.15.2...v0.15.3

v0.15.2

Minor tweaks and a minor bug fix.