v2.5.2

What's Changed

This fixes EAB which was broken in v2.5.0 and v2.5.1, and adds dns-account-01 support

• ci: remove AppVeyor file by @ldez in #449
• Add "dns-account-01" support from draft-ietf-acme-scoped-dns-challenges by @sheurich in #435
• Update README.md for ghcr.io docker images by @mcpherrinm in #450
• Fix broken externalAcountBinding config by @pgporada in #457
• build(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 by @dependabot in #458
• docs: missing ghcr.io source for docker image by @buchdag in #460
• Require HS256, HS384, or HS512 for EAB by @mcpherrinm in #459

New Contributors

• @buchdag made their first contribution in #460

Full Changelog: v2.5.0...v2.5.2

v2.5.1

Identical to v2.5.0

v2.5.0

What's Changed

• add 'processing' state to challenges by @alexzorin in #382
• Validate CSR signatures and check signature type by @mcpherrinm in #386
• Fix compilation for 32bit by @a16bitsysop in #388
• Add Retry-After header when responding to Order and Authorization object by @moratori in #380
• Update install instructions by @jsha in #389
• Readme: Clarify HTTPS-only text by @aarongable in #397
• Add subproblems by @alexzorin in #383
• Replace deprecated ioutil calls by @pgporada in #400
• fix readme by @n98gt in #410
• README.md: Remove execute bit by @joshtriplett in #413
• Explicitly set the certificate validity period in config by @pgporada in #417
• challtestsrv: implement DoH by @jsha in #423
• Update challtestsrv to 1.3.2 by @jsha in #424
• chisel2.py fixes by @sheurich in #426
• Clarify github and go commands by @zyphlar in #429
• Upgrade Go and dependencies; CI and Docker fixes by @sheurich in #434
• Remove CommonName from issued certificates by @mcpherrinm in #420
• ca: fix regression with newCertificate by @ldez in #441
• Use GitHub Actions by @ldez in #442
• GolangCI-Lint Fixes by @sheurich in #439
• Switch to go-jose v4 by @mcpherrinm in #445
• ca: Pass OCSP Must-Staple from CSR into generated certificate by @wgreenberg in #436
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.0.0 to 4.0.1 by @dependabot in #446
• CI: Travis -> GitHub Actions; Create Release Binaries and Container Images by @sheurich in #444

New Contributors

• @mcpherrinm made their first contribution in #386
• @a16bitsysop made their first contribution in #388
• @moratori made their first contribution in #380
• @pgporada made their first contribution in #400
• @n98gt made their first contribution in #410
• @joshtriplett made their first contribution in #413
• @sheurich made their first contribution in #426
• @zyphlar made their first contribution in #429
• @wgreenberg made their first contribution in #436

Full Changelog: v2.4.0...v2.5.0

Pebble v2.3.1

Features

• Add CORS support to the frontend.
• Add ability to control the length of Pebble's issuance chains (i.e. add or remove intermediates between the root and the end-entity certificate).
• Add support for honoring NotBefore/NotAfter in issuance requests.

Fixes

• Seed PRNG with current time to prevent predictable nonce rejection patterns.

Our heartfelt thanks to @ldez, @alexzorin, @szepeviktor, @cpu, and @meyskens for their contributions to this release.

Pebble v2.3.0

Features

• Added an ACME account "orders list" endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
• Updated pebble-challtestsrv with an API for mocking DNS SERVFAIL responses for a hostname.
• Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.

Bug-fixes

• The pebble-challtestsrv's mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
• Changed PEBBLE_ALTERNATE_ROOTS intermediate certificates to have the same subject, matching the issuer of issued leaf certificate's.
• Fixed key rollover request handling for requests that fail inner JWS verification.
• Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a badCSR type problem. See RFC 8555 §11.1.
• Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
• Added support for POST-as-GET requests in addition to GET/HEAD for directory and newNonce endpoints. See RFC §6.3
• Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g. 443).

Misc

• A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
• The Pebble ACME API and management API ports (14000 and 15000) are now marked exposed in Dockerfile metadata.
• TLS 1.3 for Pebble's validation requests is explicitly enabled by env var in the Docker environment.
• The project and CI now use Go 1.13 and golangci-lint v1.21.0

New configuration options

• The PEBBLE_WFE_ORDERS_PER_PAGE env var can be used to control the account orders list endpoint's pagination. By default up to 15 order URLs are returned per response.
• The "externalAccountBindingRequired" config file boolean field can be used to control whether all newAccount requests must use external account binding.
• The "externalAccountMACKeys" config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys See test/config/pebble-config-external-account-binding.json for an example.

Heartfelt thanks to @felixfontein, @sergioaugrod, @0pq76r, @Drakezul, @JoshVanL and @munnerz for their contributions to this release.

Pebble v2.2.2

The previous v2.2.1 release had a small regression with TLS-ALPN-01 challenges and the use of the -dnsserver argument. This bugfix release addresses that regression.

Bug-fixes:

• fix TLS-ALPN-01 with custom -dnsserver (thanks @adferrand)

Misc:

• updated project .gitignore (thanks @eggsampler)

Pebble v2.2.1

The previous v2.2.0 release mistakenly tagged the same commit as v2.1.0. Apologies for the mistake. This v2.2.1 release fixes this issue and should be used in its place.

Features

• separate HTTP management interface/listener.
• cert-status-by-serial management endpoint for checking revocation status.
• probabilistic valid authorization reuse.

Bug-fixes

• fix missing returns in WFE error paths.
• fix WFE rendering of empty contact/authz challenge arrays.
• fix custom DNS resolver on Windows.

Misc

• update docker-compose.yml to use latest image tags.
• update docker base images to use Go 1.12.
• WFE "marshaling" typo fixes/consistency.

Heartfelt thanks to @adferrand, @alexzorin, @eggsampler and @felixfontein for their contributions to this release.

Pebble v2.2.0

Pebble v2.2.0 was mistakenly tagged at the same commit as Pebble v2.1.0.

Please disregard this release and use v2.2.1. We leave this tag in place for immutability sake. Apologies for the inconvenience.

Pebble v2.1.0

features:

• support for draft-ietf-acme-ip-06 (thanks @orangepizza for impl, @felixfontein for bug fixes!)
• issuer/intermediate key/cert are accessible over HTTP (thanks @adferrand!)
• support for specifying EE cert OCSP Responder URL (thanks @adferrand!)
• support for creating and offering alternative cert. chains (thanks @felixfontein!)
• -strict support for rejecting legacy JWS requests

misc:

• CI release asset publication pipeline (thanks @adferrand!)

bug-fixes:

• wfe: unlocking order in updateChallenge after read (thanks @dopey!)

v2.0.2

• Bug fixes for data races between WFE and VA. Thanks to @bluecmd for reporting!
• Removal of ID field from Account resource responses.
• Simple CNAME support for pebble-challtestsrv. Thanks to @ryansouza for implementing!