A simple ACME client for Windows (for use with Let's Encrypt et al.)
- When Store.CertificateStore.PrivateKeyExportable (or its legacy version Security.PrivateKeyExportable) is enabled, the program will now automatically grant read access to the private key to the administrators group. On recent versions of Windows this appears to be required to allow the administrator to actually export the certificate after a renewal run by the Task Scheduler under the SYSTEM account. Reported by @mont-foray in #2529.
- The names administrators and network service provided to --acl-fullcontrol or --acl-read are now automatically translated to the appropriate local names on international versions of Windows. It is also now possible to provide SIDs (e.g. S-1-5-...) for other advanced scenarios. Inspired by feedback provided by @rgomezc in #2529.
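To verify the private key ACL after a renewal, here is an added PowerShell example (not win-acme's own code) that locates the key container behind a certificate in LocalMachine\My and reports whether the local Administrators group, resolved from its well-known SID S-1-5-32-544 rather than from a localized name, has read access, and whether the key is exportable. The $Thumbprint parameter and the key storage folders under %ProgramData%\Microsoft\Crypto are assumptions based on the standard Windows key storage layout.

```powershell
# Added example, not part of win-acme: audit who can read the private key that
# backs a certificate in LocalMachine\My. Run from an elevated PowerShell.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # assumption: thumbprint of the certificate win-acme installed
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# Get the key object: CNG keys expose a CngKey via .Key, legacy CSP keys expose CspKeyContainerInfo.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $key) {
    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
}
if (-not $key) { throw "Private key not present or not accessible for this certificate" }

$keysRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'   # assumed standard key store root
if ($key.Key -is [System.Security.Cryptography.CngKey]) {
    $uniqueName = $key.Key.UniqueName          # next-generation crypto API (CNG) container
    $exportable = ($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    $candidates = @('Keys', 'SystemKeys') | ForEach-Object { Join-Path $keysRoot "$_\$uniqueName" }
} else {
    $uniqueName = $key.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CAPI/CSP container
    $exportable = $key.CspKeyContainerInfo.Exportable
    $candidates = @(Join-Path $keysRoot "RSA\MachineKeys\$uniqueName")
}
$keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container $uniqueName not found under $keysRoot" }

# Resolve BUILTIN\Administrators by SID so the check is correct on non-English Windows.
$adminsSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminsName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value

$acl = Get-Acl -Path $keyFile
$adminsRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $adminsName -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0
}

[pscustomobject]@{
    Subject            = $cert.Subject
    KeyFile            = $keyFile
    Exportable         = $exportable
    AdministratorsRead = [bool]$adminsRead
    Principals         = ($acl.Access | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
}
```

Any principal listed beyond the ones you intended (SYSTEM, Administrators, the service account that needs the key) is worth investigating, since read access to this file is equivalent to possession of the key.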
- UI.Color.Background can be set to "black" in settings.json. So far this is the one and only option available.
- Typo in setting name corrected (ParellelBatchSize > ParallelBatchSize, as noticed by @sunstarjeff in #2509).
- Corrected a value that was true by default but is supposed to be false (seen by @North3rnL1ght in #2518).
- New INotificationTarget interface with just a handful of functions to send notifications however you want. If you're willing to show and share your work, contributions are obviously welcome!
- New --acl-read parameter for the CertificateStore plugin, granting local principals read access to the private key, complementing the pre-existing --acl-fullcontrol parameter.
- New setting Validation.ParallelBatchSize that can be used to limit the number of simultaneous validations happening. In extreme cases, unlimited parallelism can lead to problems like overrunning the maximum size of a DNS response. The default for existing installations is 100 and for new installations 20.
- Updated ImportRSDFull.ps1 example, thanks for helping!
- Handling of a settings.json file that cannot be (fully) parsed.
- Handling of a / in the URL (#2498, reported by @grindsa).

This release was funded by one gold sponsor, two silver sponsors and four bronze sponsors.

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.
The FTP validation plugin gained an option to use the GnuTLS library for FTPS connections, as the default TLS implementation provided in .NET/Windows suffers from compatibility issues with various Unix-based FTP servers. For more background on this subject check this page by the FluentFTP project. Using this requires:
- Validation.Ftp.UseGnuTls = true
- gnutls.v{build}.x64.zip
We recommend you only do this as a last resort when other validation methods fail, because there are some limitations of this connection method documented on the link above. This was all initiated based on feedback by @cuper6.
- New setting in settings.json which allows you to disable certificate validation for the ACME endpoint, useful for people running their own ACME CA using a self-signed certificate (requested by @100110010111 in #2431).
- Improved the ImportJKS.ps1 example script by using $env:JAVA_HOME instead of a hardcoded path (#2408).
- When sending notAfter settings, fractional seconds are no longer sent to the server, because that level of accuracy is overkill and some providers throw errors upon receiving them (thanks for testing @timothyd09 in #2394).
- Fix related to the ClientName setting when creating the scheduled task, preventing failures (reported by @andrewsauder in #2410).
- Fixed: the --nocache switch (and interactive menu option) could still reuse previously generated private keys.
- Round notAfter dates to whole hours, as at least Sectigo doesn't accept anything smaller, based on feedback from @timothyd09 (#2394).
- New --register option which can be used to set up a new ACME account in unattended mode without the need to immediately create a certificate. Based on feedback from @ArthurHNL (#2391).
- Order.DefaultValidDays can now be used to request certificates that are valid for a shorter time than the default offered by the server. Note that this is not supported by Let's Encrypt at this point, but it should work for Sectigo among others. Requested by @timothyd09 (#2394).
- New settings Csr.Rsa.SignatureAlgorithm and Csr.Ec.SignatureAlgorithm. The defaults remain unchanged at SHA512withRSA and SHA512withECDSA respectively. As requested by @julieolson-gs (#2385).
- When _acme-challenge.www.example.com cannot be created in the zone example.com (e.g. because it doesn't exist), it will also try to create it in the zone www.example.com (based on feedback by @jamesarbrown, #2389).
- Fixed: ScheduledTask.RenewalMinimumValidDays didn't have the desired effect anymore since v2.3.3 (#2371, reported by @marconfus).
- Fixed: the error "The added or subtracted value results in an un-representable DateTime" could appear when loading renewals after an upgrade, reported by @akuropa.
- RenewalDisableServerSchedule setting.
- Use --account somename on the command line to create a certificate using a named account.
- When a value has been configured in settings.json for various plugins, the interactive menu will select it by default, so that a simple <ENTER> will confirm its use (#2345, suggested by @rboy1).
- --reuse-privatekey parameter has been set.
- When showing the renewal period (from the RenewalDaysRange setting or ARI information) we show both the start and end of the period.
- Fixed an issue occurring when PrivateKeyExportable and UseNextGenerationCryptoApi are disabled (#2329, #1350), introduced in 2.2.2 and reported by many users, first by @douglassimaodev.
- /verbose syntax instead of --verbose
- /secret syntax instead of --secret