Skip to content

Latest commit

 

History

History
250 lines (162 loc) · 10.4 KB

CHANGELOG.rst

File metadata and controls

250 lines (162 loc) · 10.4 KB

Tools for ACME Release Notes

Feature release.

  • The collection now depends on community.crypto 2.24.0 or newer (#86).
  • acme_certificate role - add support for Hetzner's DNS (#87).
  • acme_certificate role - now uses the new community.crypto.acme_account_order_* modules added in community.crypto 2.24.0 (#86).
  • acme_certificate role - support ACME profile selection with the acme_certificate_profile parameter (#86).
  • acme_certificate role - support determining whether to renew by remaining percentage of the validity period (acme_certificate_renewal_on_remaining_percentage option) or ARI information (acme_certificate_use_ari option) (#86).
  • acme_certificate role - the role no longer supports acme_certificate_acme_version == 1. ACME v2 must always be used (#86).
  • acme_certificate role - properly apply no_log: true to task that reads private key file for backup. When not using SOPS encrypted private keys, the private key was visible in verbose mode or in the logs in plain text (#86).

Feature release.

  • The dependency on community.dns has been bumped to >= 2.9.0 to be able to use the community.dns.quote_txt filter when using the Route53 module (#76).
  • acme_certificate role - allow to configure the timeout and the DNS servers to use for validating DNS entry propagation for dns-01 challenges (#79, #80).

Maintenance release with slightly updated documentation and no functional changes.

Feature release with improved creation of DNS records for Route53 and Hosttech.

  • The collection now depends on community.aws >= 6.3.0 and amazon.aws >= 6.3.0 to improve stability of the acme_certificate role with Amazon's Route 53 DNS (#62).
  • acme_certificate role - increase maximum wait for Hosttech DNS records from 2 to 5 minutes (#64).
  • acme_certificate role - use community.aws.route53_wait instead of community.dns.wait_for_txt when using Amazon's Route 53 DNS to improve stability (#57, #62).

New major release dropping compatibility with old Ansible versions, namely Ansible 2.9 and ansible-base 2.10.

  • acme_certificate role - add Cloudflare DNS support (#55).
  • Drop compatibility for Ansible 2.9 and ansible-base 2.10. These versions of Ansible/ansible-base have been End of Life for some time now. If you are still using them, either stick to an older version of this collection, or upgrade to a newer version of ansible-core/Ansible (#54).

Collection dependency update with bugfixes and new features.

  • acme_certificate role - add new option acme_certificate_dns_substitution to allow substituting DNS names during DNS record creation for use with CNAMEs (#41).
  • acme_certificate role - added new option acme_certificate_verify_auth which allows to turn of validation that credentials for DNS modules are passed as role arguments. When disabled, you are responsible to pass credentials with module defaults or in other ways supported by the specific modules (#40, #42).
  • The collection no longer depends on community.aws >= 1.0.0, but on amazon.aws >= 5.0.0. The community.aws.route53 module was migrated to amazon.aws, which allows us to depend on one collection less. Note that if you use this collection with Ansible, you need Ansible 7.0.0 or newer; also note that Ansible 6.x.0 and before are End of Life by now (#39).
  • Avoid double failure of acme_certificate rescue task when first task in block fails (#38).
  • felixfontein.acme._substitute_dns - [INTERNAL] Adjust DNS name according to a CNAME substitution map

Maintenance release.

Bugfix release.

  • When cleaning up after failures in the acme_certificate role, make sure that an undefined ansible_failed_task does not cause another error (#32).

Feature release dropping support for some specific old Ansible/ansible-base versions.

  • In case an error happens before a certificate is issued, restore private key, and remove certificate and key backups if these were made (acme_certificate_keys_old_store option) (#30).
  • The collection repository conforms to the REUSE specification (#30).
  • Use FQCN for builtin actions and lookup plugins (#23).
  • acme_certificate role - add acme_certificate_renewal_on_remaining_days option which allows to only renew certificates that expire in a certain amount of days (#28).
  • Officially drop support for Ansible 2.9.10 to 2.9.16, and ansible-base 2.10.0 to 2.10.3. These versions did not work with the felixfontein.acme.acme_certificate role for some time now, so this should not really affect any regular user of this collection (#23).

This release bumps some requirements and adds some features.

  • The collection now requires community.dns >= 2.0.0 for Hosttech DNS support.
  • The collection now requires community.general >= 4.0.0.
  • acme_certificate role - an alternative root certificate URL can be specified in acme_certificate_root_certificate_for_verification that is only used for validating the retrieved chain (#22).
  • acme_certificate role - the role can now handle the DNS provider INWX (#19).

Update dependencies.

  • Hosttech DNS support: restrict required version of community.dns to < 2.0.0. A later version will bump the requirement to >= 2.0.0 and switch to the new API.

Major revamp of the collection with new dependencies, better documentation, and several features and bugfixes.

  • Add documentation for the roles to the collection's docsite (#9).
  • Adding support for ansible-core's new role argument spec feature. This makes ansible-core 2.11.1 or newer validate the parameters passed to the roles in this collection (#13).
  • Use community.dns.wait_for_txt to speed up waiting for DNS challenges to propagate.
  • acme_certificate - add acme_certificate_hosttech_token option to use HostTech's new JSON API instead of old WSDL API (#12).
  • acme_certificate - check whether credentials for DNS provider are set before starting certificate retrieval (#12).
  • Replace felixfontein.hosttech_dns and felixfontein.tools collection dependencies by community.dns >= 1.0.0 and community.general >= 2.5.0.
  • acme_certificate role - remove usage of tags issue-tls-certs, issue-tls-certs-newkey and verify-tls-certs. By default, new private keys are generated. This can be disabled by setting acme_certificate_regenerate_private_keys to false (#15).
  • account_key_rollover role - when using sops-encrypted keys, community.sops.sops_encrypt was run on the remote node and not the controller node (#7).

Feature and repository maintenance release.

  • revoke_old_certificates role - allow to revoke by ACME account key instead of certificate private key by setting acme_certificate_revoke_with_acme_account to true. This allows to revoke certificates with BuyPass, which does not support revocation by certificate private key.

Initial release of my acme_certificate role converted to a collection, with two new roles revoke_old_certificates and account_key_rollover.

  • felixfontein.acme.account_key_rollover - Rollover for the ACME account key
  • felixfontein.acme.acme_certificate - Retrieve a certificate for a set of domains and/or IP addresses
  • felixfontein.acme.revoke_old_certificates - Revoke old certificates copied aside by acme_certificate