# Change Log This file contains a log of major changes in dehydrated ## [x.x.x] - xxxx-xx-xx ... ## [0.7.1] - 2022-10-31 ## Changed - `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that - Added support for EC secp521r1 algorithm (works with e.g. zerossl) - `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software) ## Fixed - Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers) - Deprecated `egrep` usage has been removed ## Added - Implemented EC for account keys - Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs) - Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!) ## [0.7.0] - 2020-12-10 ## Added - Support for external account bindings - Special support for ZeroSSL - Support presets for some CAs instead of requiring URLs - Allow requesting preferred chain (`--preferred-chain`) - Added method to show CAs current terms of service (`--display-terms`) - Allow setting path to domains.txt using cli arguments (`--domains-txt`) - Added new cli command `--cleanupdelete` which deletes old files instead of archiving them ## Fixed - No more silent failures on broken hook-scripts - Better error-handling with KEEP_GOING enabled - Check actual order status instead of assuming it's valid - Don't include keyAuthorization in challenge validation (RFC compliance) ## Changed - Using EC secp384r1 as default certificate type - Use JSON.sh to parse JSON - Use account URL instead of account ID (RFC compliance) - Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated - Added `OCSP_FETCH` and `OCSP_DAYS` to per-certificate configurable options - Cleanup now also removes dangling symlinks ## [0.6.5] - 2019-06-26 ## Fixed - Fixed broken APIv1 compatibility from last update ## [0.6.4] - 2019-06-25 ## Changed - Fetch account ID from Location header instead of account json ## [0.6.3] - 2019-06-25 ## Changed - OCSP refresh interval is now configurable - Implemented POST-as-GET - Call exit_hook on errors (with error-message as first parameter) ## Added - Initial support for tls-alpn-01 validation - New hook: sync_cert (for syncing certificate files to disk, see example hook description) ## Fixes - Fetch account information after registration to avoid missing account id ## [0.6.2] - 2018-04-25 ## Added - New deploy_ocsp hook - Allow account registration with custom key ## Changed - Don't walk certificate chain for ACMEv2 (certificate contains chain by default) - Improved documentation on wildcards ## Fixes - Added workaround for compatibility with filesystem ACLs - Close unwanted external file-descriptors - Fixed JSON parsing on force-renewal - Fixed cleanup of challenge files/dns-entries on validation errors - A few more minor fixes ## [0.6.1] - 2018-03-13 ## Changed - Use new ACME v2 endpoint by default ## [0.6.0] - 2018-03-11 ## Changed - Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support) - Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory) ## Added - Support for ACME v02 (including wildcard certificates!) - New hook: generate_csr (see example hook script for more information) - Calling random hook on startup to make it clear to hook script authors that unknown hooks should just be ignored... ## [0.5.0] - 2018-01-13 ## Changed - Certificate chain is now cached (CHAINCACHE) - OpenSSL binary path is now configurable (OPENSSL) - Cleanup now also moves revoked certificates ## Added - New feature for updating contact information (--account) - Allow automatic cleanup on exit (AUTO_CLEANUP) - Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH) - Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation) - Allow dehydrated to run as specified user (/group) ## [0.4.0] - 2017-02-05 ## Changed - dehydrated now asks you to read and accept the CAs terms of service before creating an account - Skip challenges for already validated domains - Removed need for some special commands (BusyBox compatibility) - Exported a few more variables for use in hook-scripts - fullchain.pem now actually contains the full chain instead of just the certificate with an intermediate cert ## Added - Added private-key rollover functionality - Added `--lock-suffix` option for allowing parallel execution - Added `invalid_challenge` hook - Added `request_failure` hook - Added `exit_hook` hook - Added standalone `register` command ## [0.3.1] - 2016-09-13 ## Changed - Renamed project to `dehydrated`. - Default WELLKNOWN location is now `/var/www/dehydrated` - Config location is renamed to `dehydrated` (e.g. `/etc/dehydrated`) ## [0.3.0] - 2016-09-07 ## Changed - Config is now named `config` instead of `config.sh`! - Location of domains.txt is now configurable via DOMAINS_TXT config variable - Location of certs directory is now configurable via CERTDIR config variable - signcsr command now also outputs chain certificate if --full-chain/-fc is set - Location of account-key(s) changed - Default WELLKNOWN location is now `/var/www/letsencrypt` - New version of Let's Encrypt Subscriber Agreement ## Added - Added option to add CSR-flag indicating OCSP stapling to be mandatory - Initial support for configuration on per-certificate base - Support for per-CA account keys and custom config for output cert directory, license, etc. - Added option to select IP version of name to address resolution - Added option to run letsencrypt.sh without locks ## Fixed - letsencrypt.sh no longer stores account keys from invalid registrations ## [0.2.0] - 2016-05-22 ### Changed - PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys - deploy_cert hook now also has the certificates timestamp as standalone parameter - Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX) - Private keys are now regenerated by default ### Added - Added documentation to repository ### Fixed - Fixed bug with uppercase names in domains.txt (script now converts everything to lowercase) - mktemp no longer uses the deprecated `-t` parameter. - Compatibility with "pretty" json ## [0.1.0] - 2016-03-25 ### Changed - This is the first numbered version of letsencrypt.sh