@@ -9,6 +9,55 @@ behavior when the change improves security or project direction.
99
1010## Unreleased
1111
12+ ## 1.1.0 - TLS Policy And Certificate Operations
13+
14+ Released: pending
15+
16+ ### Added
17+
18+ - ACME-managed vhost certificate sources now derive safe on-disk certificate
19+ paths and can satisfy the TLS listener fallback certificate requirement when
20+ configured on ` server.default_vhost ` .
21+ - HTTP-01 challenge requests for ACME-managed vhosts can be served locally from
22+ the managed ACME storage directory when ` tls.acme.challenge = "http-01" ` .
23+ - TLS-ALPN-01 challenge certificates can now be generated and served by the
24+ rustls downstream listener when ` tls.acme.challenge = "tls-alpn-01" ` .
25+ - ACME EAB secret sources can now be loaded through a bounded, redacted,
26+ zeroized helper for the runtime issuer client.
27+ - ACME-managed certificate files can now be installed through a guarded helper
28+ that validates PEM shape, writes temporary files, rejects symlinked targets,
29+ and preserves previous files on validation or staging failures.
30+ - ACME HTTP-01 challenge files can now be installed and removed through the
31+ managed challenge store with token/value validation and symlink checks.
32+ - ACME account credentials are now stored under safe issuer-derived paths with
33+ bounded JSON loading, owner-only writes on Unix, and symlink rejection.
34+ - ` acme-client ` adds live ` instant-acme ` account bootstrap plus HTTP-01 and
35+ rustls TLS-ALPN-01 order/finalize support behind an explicit feature gate.
36+ - Google Trust Services production and staging are now built-in ACME issuers,
37+ with separate default EAB environment variables for each environment.
38+ - Managed ACME certificate expiry is now observed from bounded, symlink-safe PEM
39+ reads so Fluxheim can distinguish missing, due, and not-yet-due certificates.
40+ - ` fluxheim acme-renew ` runs due-only renewal once, while
41+ ` fluxheim acme-renew --all ` forces every configured ACME vhost.
42+ - Builds with ` acme-client ` now register a background ACME renewal service for
43+ configured ACME vhosts. It renews missing or due certificates on the
44+ configured check interval and refreshes reloadable downstream SNI certificate
45+ objects after successful renewal.
46+ - Downstream TLS listeners now have explicit policy config for named profiles,
47+ minimum protocol version, ALPN selection, curve preferences, and cipher suite
48+ allow-lists. ` modern ` now means TLS 1.3-only, while the default
49+ ` intermediate ` profile preserves the 1.0 TLS 1.2+ / HTTP/1.1+HTTP/2
50+ compatibility baseline with explicit AEAD ECDHE cipher policy.
51+ - Response HSTS can now be configured as structured policy with ` max_age_secs ` ,
52+ ` include_subdomains ` , and ` preload ` instead of requiring a raw header string.
53+
54+ ### Changed
55+
56+ - ` 1.1.0 ` is now scoped as TLS policy and ACME certificate operations so normal
57+ production deployments can avoid external certificate copy scripts.
58+ - Advanced provider-specific and zero-downtime certificate automation moved to
59+ a later certificate milestone.
60+
1261## 1.0.0 - Gateway Foundation
1362
1463Released: 2026-05-08
@@ -104,8 +153,8 @@ Released: 2026-05-06
104153 ` latest-alpine ` .
105154- Roadmap now tracks a future declarative redirect and rewrite engine with
106155 match-action routing, loop detection, and safe URL handling.
107- - Release ladder now focuses ` 1.1 ` on TLS policy hardening before operational
108- and load-balancing modules graduate.
156+ - Release ladder now focuses ` 1.1 ` on TLS policy and ACME certificate
157+ operations before operational and load-balancing modules graduate.
109158- Process runtime paths now default to ` /run/fluxheim ` instead of predictable
110159 files directly under ` /tmp ` .
111160- Examples now prefer ` upstreams = [...] ` ; the single ` upstream ` field remains
0 commit comments