v2.9.0

What's Changed

• wfe: return conflict on re-revocation by @jsha in #505
• Set Content-Type / Retry-After for custom ARI resp by @jsha in #506
• Upgrade to go-jose v4.1.2 by @mcpherrinm in #510
• Update test certificates by @jsha in #513
• Replace agreementRequired problem with userActionRequired by @aarongable in #514
• Revert "Add Location header to finalize response (#85)" by @aarongable in #509
• ca: allow the promotion of first domain/IP to CN in profile by @vancluever in #491
• permit Transfer-Encoding: chunked HTTP request bodies by @benburkert in #515
• Allow generating ECDSA roots and intermediates by @aarongable in #518
• Upgrade go-jose to v4.1.3 by @mcpherrinm in #519
• Return invalidProfile error for unsupported profiles by @alebastr in #521
• Upgrade golangci-lint by @mcpherrinm in #522
• Don't try to update the parent order if there is none by @mkauf in #523
• Auto-generate release notes by @aarongable in #526
• Release: include repo name in command by @aarongable in #527

New Contributors

• @vancluever made their first contribution in #491
• @benburkert made their first contribution in #515
• @alebastr made their first contribution in #521
• @mkauf made their first contribution in #523

Full Changelog: v2.8.0...v2.9.0

v2.8.0

What's Changed

• add overriding of ARI response (#501)

Full Changelog: v2.7.0...v2.8.0

v2.7.0

What's Changed

• Reject extra command line args and fix README invocation by @mcpherrinm in #467
• Simplify KU, EKU, and SKID fields of issued certs by @aarongable in #472
• Add support for ACME Profiles by @aarongable in #473
• Various other updates and fixes

Full Changelog: v2.6.0...v2.7.0

v2.6.0

What's Changed

• chore: update golangci-lint workflow by @ldez in #464
• Implement latest draft-ietf-acme-ari spec by @pgporada in #461
• Document exposing API and management ports when not using docker-compose.yaml by @pgporada in #465

Full Changelog: v2.5.2...v2.6.0

v2.5.2

What's Changed

This fixes EAB which was broken in v2.5.0 and v2.5.1, and adds dns-account-01 support

• ci: remove AppVeyor file by @ldez in #449
• Add "dns-account-01" support from draft-ietf-acme-scoped-dns-challenges by @sheurich in #435
• Update README.md for ghcr.io docker images by @mcpherrinm in #450
• Fix broken externalAcountBinding config by @pgporada in #457
• build(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 by @dependabot in #458
• docs: missing ghcr.io source for docker image by @buchdag in #460
• Require HS256, HS384, or HS512 for EAB by @mcpherrinm in #459

New Contributors

• @buchdag made their first contribution in #460

Full Changelog: v2.5.0...v2.5.2

v2.5.1

Identical to v2.5.0

v2.5.0

What's Changed

• add 'processing' state to challenges by @alexzorin in #382
• Validate CSR signatures and check signature type by @mcpherrinm in #386
• Fix compilation for 32bit by @a16bitsysop in #388
• Add Retry-After header when responding to Order and Authorization object by @moratori in #380
• Update install instructions by @jsha in #389
• Readme: Clarify HTTPS-only text by @aarongable in #397
• Add subproblems by @alexzorin in #383
• Replace deprecated ioutil calls by @pgporada in #400
• fix readme by @n98gt in #410
• README.md: Remove execute bit by @joshtriplett in #413
• Explicitly set the certificate validity period in config by @pgporada in #417
• challtestsrv: implement DoH by @jsha in #423
• Update challtestsrv to 1.3.2 by @jsha in #424
• chisel2.py fixes by @sheurich in #426
• Clarify github and go commands by @zyphlar in #429
• Upgrade Go and dependencies; CI and Docker fixes by @sheurich in #434
• Remove CommonName from issued certificates by @mcpherrinm in #420
• ca: fix regression with newCertificate by @ldez in #441
• Use GitHub Actions by @ldez in #442
• GolangCI-Lint Fixes by @sheurich in #439
• Switch to go-jose v4 by @mcpherrinm in #445
• ca: Pass OCSP Must-Staple from CSR into generated certificate by @wgreenberg in #436
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.0 to 4.0.1 by @dependabot in #446
• CI: Travis -> GitHub Actions; Create Release Binaries and Container Images by @sheurich in #444

New Contributors

• @mcpherrinm made their first contribution in #386
• @a16bitsysop made their first contribution in #388
• @moratori made their first contribution in #380
• @pgporada made their first contribution in #400
• @n98gt made their first contribution in #410
• @joshtriplett made their first contribution in #413
• @sheurich made their first contribution in #426
• @zyphlar made their first contribution in #429
• @wgreenberg made their first contribution in #436

Full Changelog: v2.4.0...v2.5.0

Pebble v2.3.1

Features

• Add CORS support to the frontend.
• Add ability to control the length of Pebble's issuance chains (i.e. add or remove intermediates between the root and the end-entity certificate).
• Add support for honoring NotBefore/NotAfter in issuance requests.

Fixes

• Seed PRNG with current time to prevent predictable nonce rejection patterns.

Our heartfelt thanks to @ldez, @alexzorin, @szepeviktor, @cpu, and @meyskens for their contributions to this release.

Pebble v2.3.0

Features

• Added an ACME account "orders list" endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
• Updated pebble-challtestsrv with an API for mocking DNS SERVFAIL responses for a hostname.
• Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.

Bug-fixes

• The pebble-challtestsrv's mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
• Changed PEBBLE_ALTERNATE_ROOTS intermediate certificates to have the same subject, matching the issuer of issued leaf certificate's.
• Fixed key rollover request handling for requests that fail inner JWS verification.
• Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a badCSR type problem. See RFC 8555 §11.1.
• Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
• Added support for POST-as-GET requests in addition to GET/HEAD for directory and newNonce endpoints. See RFC §6.3
• Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g. 443).

Misc

• A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
• The Pebble ACME API and management API ports (14000 and 15000) are now marked exposed in Dockerfile metadata.
• TLS 1.3 for Pebble's validation requests is explicitly enabled by env var in the Docker environment.
• The project and CI now use Go 1.13 and golangci-lint v1.21.0

New configuration options

• The PEBBLE_WFE_ORDERS_PER_PAGE env var can be used to control the account orders list endpoint's pagination. By default up to 15 order URLs are returned per response.
• The "externalAccountBindingRequired" config file boolean field can be used to control whether all newAccount requests must use external account binding.
• The "externalAccountMACKeys" config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys See test/config/pebble-config-external-account-binding.json for an example.

Heartfelt thanks to @felixfontein, @sergioaugrod, @0pq76r, @Drakezul, @JoshVanL and @munnerz for their contributions to this release.

Pebble v2.2.2

The previous v2.2.1 release had a small regression with TLS-ALPN-01 challenges and the use of the -dnsserver argument. This bugfix release addresses that regression.

Bug-fixes:

• fix TLS-ALPN-01 with custom -dnsserver (thanks @adferrand)

Misc:

• updated project .gitignore (thanks @eggsampler)