Changelog

0.9.0 (2017-07-18)

  • Initial public release.

0.9.1 (2017-07-28)

0.9.2 (2018-03-19)

  • Python 3.6 supported

  • Omit disabled certs from list of certs to be renewed.

  • BUGFIX: Bind place to jail not to disthost (disthost->jail->place)

  • Do not expire certs one day before “not_after” but one day after instead

  • Allow “distribute only” with --renew-local-certs

  • New Feature: --renew-local-certs REMAINING_DAYS

    Renews local certs, which would expire within REMAINING_DAYS. Gives a nice tabular display of affected certs.

  • New Feature: Allow encrypted storage of keys in DB

    2 new action commands: --encrypt-keys and --decrypt-keys

    New configuration parameter: db_encryption_key

  • Upgrading:

    Create new table Revision in DB - see install/create_schema_pki.sql:

    pki_op=# CREATE TABLE Revision (
    id                SERIAL          PRIMARY KEY,            -- 'PK of Revision'
    schemaVersion     int2            NOT NULL  DEFAULT 1,    -- 'Version of DB schema'
    keysEncrypted     BOOLEAN         NOT NULL  DEFAULT FALSE -- 'Cert keys are encrypted'
    );
    pki_op=# INSERT INTO revision (schemaVersion) values(1);
    

    Then create passphrase and encrypt DB (see tutorial).

0.9.3 (2019-02-11)

  • Python 3.7 supported
  • With pyopenssl 19 on FreeBSD 12 (which has OpenSSL 1.1.1a-freebsd in base system), paramiko 2.4 works out-of-the-box. Paramiko workarounds like the package paramiko-clc are no longer needed.
  • Now recovering from “Let's Encrypt forgetting authorizations”, which happened at the beginning of 2019.
  • Fixed a bug where one Let's Encrypt authorization was requested multiple times (happened once per distribution target).
  • Being more patient with Let's Encrypt’s response to challenges

0.9.4 (2019-02-21)

  • INCOMPATIBLE CHANGE in configuration file syntax: dbAccounts keyword has been changed from ‘pki_dev’ to ‘serverpki’. See install example_config.py
  • Multiple local CA certs for CA cert roll over
  • Increased hash size to 512 bits (CA cert) and 384 bits (server/client cert)
  • Cert (including CA cert) export by cert serial number implemented.
  • Listing of cert meta info now also lists (issued) cert instances.
  • Requirement for PyOpenSSL removed.
  • BUGFIXES, e.g. allow entering the first cert into an empty CertInstances table

0.9.6 (2020-03-11)

  • Supporting (and requiring) V2 of the ACME protocol.
  • New fields in DB for upcoming support of certs with elliptic curve algorithm (in addition to RSA). Run install/upgrade_to_2.sql in psql, connected to pki DB.

0.9.10 (2020-08-06)

  • New object oriented architecture, abstracting relational model
  • Support for dynamic DNS update mode of operation
  • Support for dual algo certs (rsa + ec)
  • Support for OCSP_must_staple attribute
  • New config file format
  • BUGFIXES mainly in ACMEv2 handshaking code
  • For upgrade run install/upgrade_to_{3456}.sql in psql, connected to pki DB.

0.9.11 (2020-08-11)

  • Using automatoes 0.9.5. Got hotfix from automatoes maintainer