Dehydrated Versions

letsencrypt/acme client implemented as a shell-script – just add water

v0.7.1

[0.7.1] - 2022-10-31

Changed

  • --force no longer forces domain name revalidation by default, a new argument --force-validation has been added for that
  • Added support for EC secp521r1 algorithm (works with e.g. zerossl)
  • EC PARAMETERS are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)

Fixed

  • Requests resulting in badNonce errors are now automatically retried (fixes operation with LE staging servers)
  • Deprecated egrep usage has been removed

Added

  • Implemented EC for account keys
  • Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)
  • Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!)

v0.7.0

[0.7.0] - 2020-12-10

Added

  • Support for external account bindings
  • Special support for ZeroSSL
  • Support presets for some CAs instead of requiring URLs
  • Allow requesting preferred chain (--preferred-chain)
  • Added method to show CA's current terms of service (--display-terms)
  • Allow setting path to domains.txt using cli arguments (--domains-txt)
  • Added new cli command --cleanupdelete which deletes old files instead of archiving them

Fixed

  • No more silent failures on broken hook-scripts
  • Better error-handling with KEEP_GOING enabled
  • Check actual order status instead of assuming it's valid
  • Don't include keyAuthorization in challenge validation (RFC compliance)

Changed

  • Using EC secp384r1 as default certificate type
  • Use JSON.sh to parse JSON
  • Use account URL instead of account ID (RFC compliance)
  • Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
  • Added OCSP_FETCH and OCSP_DAYS to per-certificate configurable options
  • Cleanup now also removes dangling symlinks

v0.6.5

[0.6.5] - 2019-06-26

Fixed

  • Fixed broken APIv1 compatibility from last update

v0.6.4

[0.6.4] - 2019-06-25

Changed

  • Fetch account ID from Location header instead of account json

v0.6.3

[0.6.3] - 2019-06-25

Changed

  • OCSP refresh interval is now configurable
  • Implemented POST-as-GET
  • Call exit_hook on errors (with error-message as first parameter)

Added

  • Initial support for tls-alpn-01 validation
  • New hook: sync_cert (for syncing certificate files to disk, see example hook description)

Fixes

  • Fetch account information after registration to avoid missing account id

v0.6.2

[0.6.2] - 2018-04-25

Added

  • New deploy_ocsp hook
  • Allow account registration with custom key

Changed

  • Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
  • Improved documentation on wildcards

Fixes

  • Added workaround for compatibility with filesystem ACLs
  • Close unwanted external file-descriptors
  • Fixed JSON parsing on force-renewal
  • Fixed cleanup of challenge files/dns-entries on validation errors
  • A few more minor fixes

v0.6.1

[0.6.1] - 2018-03-13

Changed

  • Use new ACME v2 endpoint by default

v0.6.0

[0.6.0] - 2018-03-11

Changed

  • Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
  • Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory)

Added

  • Support for ACME v02 (including wildcard certificates!)
  • New hook: generate_csr (see example hook script for more information)
  • Calling random hook on startup to make it clear to hook script authors that unknown hooks should just be ignored...

v0.5.0

[0.5.0] - 2018-01-13

Changed

  • Certificate chain is now cached (CHAINCACHE)
  • OpenSSL binary path is now configurable (OPENSSL)
  • Cleanup now also moves revoked certificates

Added

  • New feature for updating contact information (--account)
  • Allow automatic cleanup on exit (AUTO_CLEANUP)
  • Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH)
  • Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation)
  • Allow dehydrated to run as specified user (/group)

v0.4.0

[0.4.0] - 2017-02-05

Changed

  • dehydrated now asks you to read and accept the CA's terms of service before creating an account
  • Skip challenges for already validated domains
  • Removed need for some special commands (BusyBox compatibility)
  • Exported a few more variables for use in hook-scripts
  • fullchain.pem now actually contains the full chain instead of just the certificate with an intermediate cert

Added

  • Added private-key rollover functionality
  • Added --lock-suffix option for allowing parallel execution
  • Added invalid_challenge hook
  • Added request_failure hook
  • Added exit_hook hook
  • Added standalone register command