CertMagic Versions

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

v0.20.0

5 months ago

This release vastly improves storage cleaning, as well as improving a few smaller things. There is a minor breaking change as we get ever closer to v1.0.

  • :warning: The DecisionFunc for On-Demand TLS now takes a context.Context value as its first argument. The context carries the ClientHelloInfo value (keyed by ClientHelloInfoCtxKey) for logging purposes.
  • Storage cleaning is now synchronized across the cluster, including process restarts. The state of cleaning expired certificates and OCSP staples is written to storage, and distributed locking is used to ensure that only 1 instance does it at a time. This greatly reduces costs for expensive storage backends! Cleaning is also done less often when the process is frequently restarted because the state is written to storage, so it is not forgotten after shutting down.
  • .home.arpa is now considered an internal suffix.
  • Backoff timings have been tuned based on real-world experience.
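An added example, not CertMagic's own code, of what a DecisionFunc looks like under the new signature: the stdlib-only stand-ins clientHelloKey and decisionFunc are assumptions that mirror certmagic.ClientHelloInfoCtxKey and the `func(ctx context.Context, name string) error` shape, and the allow-list is the kind of gate a deployment needs in front of on-demand issuance.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"log"
	"strings"
)

// clientHelloKey stands in for certmagic.ClientHelloInfoCtxKey so that this
// example builds with the standard library alone (an assumption, not the
// library's real key type).
type clientHelloKey struct{}

// decisionFunc mirrors the v0.20.0 DecisionFunc shape: the context comes
// first and carries the *tls.ClientHelloInfo of the handshake.
type decisionFunc func(ctx context.Context, name string) error

var errNotAllowed = errors.New("on-demand issuance not permitted")

// allowListDecision returns a DecisionFunc that permits issuance only for
// names equal to, or under, one of the given zones. Restricting on-demand
// TLS like this is what stops arbitrary SNI values from burning ACME rate
// limits and storage on certificates nobody asked for.
func allowListDecision(zones ...string) decisionFunc {
	return func(ctx context.Context, name string) error {
		name = strings.ToLower(strings.TrimSuffix(name, "."))
		for _, z := range zones {
			z = strings.ToLower(strings.TrimSuffix(z, "."))
			if name == z || strings.HasSuffix(name, "."+z) {
				return nil
			}
		}
		// The ClientHelloInfo is for logging only; the decision rests on
		// the name, because SNI is client-controlled input.
		if hello, ok := ctx.Value(clientHelloKey{}).(*tls.ClientHelloInfo); ok && hello != nil {
			remote := "unknown"
			if hello.Conn != nil {
				remote = hello.Conn.RemoteAddr().String()
			}
			log.Printf("denied on-demand cert for %q (SNI %q) from %s", name, hello.ServerName, remote)
		}
		return fmt.Errorf("%w: %s", errNotAllowed, name)
	}
}
```

With the real library the same function is assigned to OnDemandConfig.DecisionFunc and the ClientHelloInfo is read with certmagic.ClientHelloInfoCtxKey instead of the local key.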

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.19.2...v0.20.0

v0.19.2

8 months ago

This release fixes a couple of bugs in on-demand TLS and also improves the context used during handshakes for cert operations. (Contexts assist with timeouts and cancellation.)

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.19.1...v0.19.2

v0.19.1

9 months ago

A minor patch that fixes a race condition when NewAccountFunc changes the ACMEIssuer it is called on.

A new error value is also exposed: ErrNoOCSPServerSpecified to help users determine whether stapling failed only because the certificate doesn't support OCSP.

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.19.0...v0.19.1

v0.19.0

10 months ago

This release has a few (relatively minor) API changes and additions to enable substantial performance improvements for large certificate deployments; for example, large and busy servers can now update a certificate cache's settings without having to make a new cache. This enables certificates already decoded into memory to remain even after a config change downstream.

:warning: As we are still pre-1.0, there are some breaking API changes in this release. Please take note :smiley:

Highlights

  • The Config.Manage*() methods are now (basically) a no-op if a managed certificate for the name(s) passed in is already present in the cache. It doesn't really make sense to reload the certificate from storage, decode it, and replace it in the cache; because the certificate is managed, the cache will do that automatically when it gets renewed.
  • Removed Config.Unmanage() since it does not actually rely on the config at all. Replaced with Cache.RemoveManaged(). Removing a managed cert from the cache stops maintenance.
  • Also added Cache.Remove() which removes a certificate from the cache given its hash.
  • The methods which load unmanaged certs into the cache now return the cert hash.
  • Added Cache.SetOptions() to update a cache's config while active.
  • Clarified the semantics around the Storage and Locker interfaces. This should be useful for implementers.
  • Fixed a performance bug when On-Demand TLS was used with lots of specified domains (this is uncommon, as most uses of on-demand TLS don't know the domain names ahead of time).

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.18.2...v0.19.0

v0.18.2

10 months ago

This patch release actually has some notable new features but nothing that affects existing API surface:

  • New private keys are generated for every renewal (unless the new config property ReusePrivateKeys is set to true) -- previously, they were reused by default.
  • New IssuerPolicy field to configure how to choose from multiple issuers. By default, the first issuer that successfully provided a certificate is used. (This is unchanged.) Now, however, the issuers can be shuffled to implement basic load balancing before trying them in succession.
  • File storage locking mechanism is now more robust against short-lived locks in slow storage.
  • The cert_obtained event info was fixed.

(Skip v0.18.1, as it contains a bug caught by integration tests downstream.)

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.18.0...v0.18.2

v0.18.0

11 months ago

This update brings several optimizations and improvements:

  • Don't access storage during on-demand TLS unless the subject is allowed in the first place
  • Managers moved into on-demand config, since they operate only at handshake-time
  • Experimental FallbackServerName that is like DefaultServerName, except this one applies even if a ServerName is specified in the handshake
  • Several bug fixes, especially related to on-demand TLS and Managers

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.17.2...v0.18.0

v0.17.2

1 year ago

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.17.1...v0.17.2

v0.17.1

1 year ago

This release changes the OnEvent API in a slightly breaking way, so if you are using events, please check out the new doc: https://pkg.go.dev/github.com/caddyserver/certmagic#Config.OnEvent

The new API is more flexible and easier to use. We are also documenting the events in our README.

This release also includes some bug fixes and improved logging. The minimum Go version is now 1.18.

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.16.2...v0.17.1

v0.16.2

1 year ago

This release primarily improves DNS challenges, making them more efficient and correct (mostly edge cases).

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.16.1...v0.16.2

v0.16.1

2 years ago

Minor enhancement allowing customization of the propagation delay/timeout for the DNS challenge.

Full Changelog: https://github.com/caddyserver/certmagic/compare/v0.16.0...v0.16.1