v2.1 Compatibility with ACME v2 draft-16Release v2.1
A general rework of code has been made to be compatible with the latest ACME draft 16 (v2.0 of acme-dns-tiny was based on draft 9).
First, unit tests now creates one account key by configuration sample, they correctly create and remove temporary files, and they read the
Then, tools created from acme-dns-tiny has been updated too: key rollover has been redesigned completely by the RFC and it has been updated to be compatible with latest acme-dns-tiny style. Style of account deactivation has been updated too.
Finally, acme-dns-tiny itself had a lot of improvements:
- Use standard Python3 doc strings instead of comments
- Simplify returns of the
_send_signed_requestinternal function to take advantage of the
_send_signed_requestis able to launch
POST-as-GETauthenticated requests as defined in recent RFC drafts
- Config file now read the
CertificateFormatkey: it allows you, if needed, to ask for a specific chain file format instead of the default
application/pem-certificate-chainas defined in the RFC.
- Example config file now avoid to define optional keys, it only give documentation
- In the
CNvalue can be anywhere in the
- If the
readyon the ACME server side, acme-dns-tiny doesn't run full process, but just ask the certificate chain.
v2.0 This release is only compatible with Let's Encrypt V2 API which is based on the 9th draft of ACME RFC.Release v2.0
News with the v2 release, the acme-dns-tiny code :
- is only compatible with ACME RFC draft-09 (the one currently used by Let's Encrypt API v2)
- can now requests for wildcard certificates (due to the use of the new API)
- has replaced the
CheckChallengeDelayoption by a
TTLone. This one is used when installing TXT records on your server and is used too to delay the challenge check (defaulted to 10 seconds)
- contact options have been simplified to follow the draft-09 recommendation (there's only one variable using URI list)
- has now a
--verbosecommand argument to have a little bit more output
Please see the new
example.inifile to retrieve all changes on the options.
Note, that the other tools which allows you to deactivate an ACME account and to rollover keys have been updated too to use the new API.
Some extra options has been added for advanced users:
- For those who need to install exactly same configuration file on multiple servers, you can use the
--csrcommand argument to specify the CSR file path (which is the unique option which will be different in that case)
- If you installed a CNAME on domains prefixed by
_acme-challenge, it will be followed to install the TXT records on the alias instead (note, it won't follow a chain of CNAME, just one alias as the project don't use a recursive DNS tool). That allows you to configure TSIG keys on a different zone and have more precise DNS update policy.
v1.5 A bit of code rework to be more clear, simpler unit tests and support for Windows end of lines (not tested on this OS, feedbacks are welcome !)
v1.4 * use Nonce received in latest ACME server response if available * Added a script to implement account key rollover * Moved aside the script used to delete account key
v1.2 * Add tests to cover more code * Clean a bit info messages * Fix typos