Letsencrypt Pebble Versions

A miniature version of Boulder, Pebble is a small RFC 8555 ACME test server not suited for a production certificate authority.

v2.5.1

2 months ago

Identical to v2.5.0

v2.5.0

2 months ago

What's Changed

New Contributors

Full Changelog: https://github.com/letsencrypt/pebble/compare/v2.4.0...v2.5.0

v2.3.1

3 years ago

Features

  • Add CORS support to the frontend.
  • Add ability to control the length of Pebble's issuance chains (i.e. add or remove intermediates between the root and the end-entity certificate).
  • Add support for honoring NotBefore/NotAfter in issuance requests.

Fixes

  • Seed PRNG with current time to prevent predictable nonce rejection patterns.

Our heartfelt thanks to @ldez, @alexzorin, @szepeviktor, @cpu, and @meyskens for their contributions to this release.

v2.3.0

4 years ago

Features

  • Added an ACME account "orders list" endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
  • Updated pebble-challtestsrv with an API for mocking DNS SERVFAIL responses for a hostname.
  • Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.

Bug-fixes

  • The pebble-challtestsrv's mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
  • Changed PEBBLE_ALTERNATE_ROOTS intermediate certificates to have the same subject, matching the issuer of issued leaf certificates.
  • Fixed key rollover request handling for requests that fail inner JWS verification.
  • Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a badCSR type problem. See RFC 8555 §11.1.
  • Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
  • Added support for POST-as-GET requests in addition to GET/HEAD for directory and newNonce endpoints. See RFC §6.3.
  • Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g. 443).

Misc

  • A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
  • The Pebble ACME API and management API ports (14000 and 15000) are now marked exposed in Dockerfile metadata.
  • TLS 1.3 for Pebble's validation requests is explicitly enabled by env var in the Docker environment.
  • The project and CI now use Go 1.13 and golangci-lint v1.21.0.

New configuration options

  • The PEBBLE_WFE_ORDERS_PER_PAGE env var can be used to control the account orders list endpoint's pagination. By default up to 15 order URLs are returned per response.
  • The "externalAccountBindingRequired" config file boolean field can be used to control whether all newAccount requests must use external account binding.
  • The "externalAccountMACKeys" config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys. See test/config/pebble-config-external-account-binding.json for an example.

Heartfelt thanks to @felixfontein, @sergioaugrod, @0pq76r, @Drakezul, @JoshVanL and @munnerz for their contributions to this release.

v2.2.2

4 years ago

The previous v2.2.1 release had a small regression with TLS-ALPN-01 challenges and the use of the -dnsserver argument. This bugfix release addresses that regression.

Bug-fixes:

  • fix TLS-ALPN-01 with custom -dnsserver (thanks @adferrand)

Misc:

  • updated project .gitignore (thanks @eggsampler)

v2.2.1

4 years ago

The previous v2.2.0 release mistakenly tagged the same commit as v2.1.0. Apologies for the mistake. This v2.2.1 release fixes this issue and should be used in its place.

Features

  • separate HTTP management interface/listener.
  • cert-status-by-serial management endpoint for checking revocation status.
  • probabilistic valid authorization reuse.

Bug-fixes

  • fix missing returns in WFE error paths.
  • fix WFE rendering of empty contact/authz challenge arrays.
  • fix custom DNS resolver on Windows.

Misc

  • update docker-compose.yml to use latest image tags.
  • update docker base images to use Go 1.12.
  • WFE "marshaling" typo fixes/consistency.

Heartfelt thanks to @adferrand, @alexzorin, @eggsampler and @felixfontein for their contributions to this release.

v2.2.0

4 years ago

Pebble v2.2.0 was mistakenly tagged at the same commit as Pebble v2.1.0.

Please disregard this release and use v2.2.1. We leave this tag in place for immutability's sake. Apologies for the inconvenience.

v2.1.0

4 years ago

features:

  • support for draft-ietf-acme-ip-06 (thanks @orangepizza for impl, @felixfontein for bug fixes!)
  • issuer/intermediate key/cert are accessible over HTTP (thanks @adferrand!)
  • support for specifying EE cert OCSP Responder URL (thanks @adferrand!)
  • support for creating and offering alternative cert. chains (thanks @felixfontein!)
  • -strict support for rejecting legacy JWS requests

misc:

  • CI release asset publication pipeline (thanks @adferrand!)

bug-fixes:

  • wfe: unlocking order in updateChallenge after read (thanks @dopey!)

v2.0.2

5 years ago

  • Bug fixes for data races between WFE and VA. Thanks to @bluecmd for reporting!
  • Removal of ID field from Account resource responses.
  • Simple CNAME support for pebble-challtestsrv. Thanks to @ryansouza for implementing!

v2.0.1

5 years ago

  • Always send Link: rel="index"
  • Implement orderNotReady and badPublicKey errors
  • Add linting, test coverage, code of conduct and make lint fixes
  • Use pre-built release versions of pebble and pebble-challtestsrv in docker-compose.yml
  • Add AppVeyor support to auto-publish Windows Docker images