Releases: gregtwallace/certwarden

Cert Warden v0.29.1

13 Apr 22:23

Pre-release

[v0.29.1] - 2026-04-13

Minor changes.

Fixed

  • Improve http client rate limiter.
  • Improve ARI update failed error message.

Cert Warden v0.29.0

10 Apr 13:34

Pre-release

[v0.29.0] - 2026-04-09

This release adds support for the dns-persist-01 challenge type. There
is a new provider dns-persist-01 Manual that should cover all cases.

Added

  • Add dns-persist-01 challenge type support.

Fixed

  • Several dependencies with possible issues updated.

Changed

  • Update to go 1.25.5
  • Update to node 20.19.6
  • Update all frontend dependencies.
  • Update github.com/go-jose/go-jose/v4 to v4.1.4
  • Update google.golang.org/grpc to v1.80.0

Cert Warden v0.28.1

17 Dec 03:20

Pre-release

[v0.28.1] - 2025-12-16

This release is a few minor fixes and dependency updates.

Added

  • Add ability to specify Cert Warden client notification port.

Fixed

  • Fix post processing parameter posting (database had parameter order
    flip-flopped).
  • Fix put csr extensions (had wrong field name).
  • Fix file encoding in acme.sh prep script.

Changed

  • Update to go 1.25.5
  • Update to node 20.19.6
  • Update x/crypto to 0.45.0
  • Update go-acme/lego/v4 to 4.29.0
  • Update acme.sh to 3.1.2
  • Update all frontend dependencies.
  • Do some minor linting.

Cert Warden v0.28.0

20 Oct 00:39

Pre-release

[v0.28.0] - 2025-10-19

This release removes dns record checking during the propagation of
dns challenge records. This function was somewhat hit or miss depending
on provider. Instead, each provider now has one configurable wait
time that Cert Warden will wait before telling the ACME Server to
proceed with validation.

The config migration will add your two existing wait times together and use
that as your wait time value. A floor of 5 minutes will be used
if the value is less than that. For http, a minimum floor of 5 seconds
is used.

You should play with the wait time to find a reasonably low value so
you're not waiting excessively, but not so low that you fail validation.
For most dns providers, 5 minutes should be fine.

Otherwise, this is minor fixes and dependency updates.

Fixed

  • Fix bug where a long order 'processing' state would not properly
    back off.
  • Fix db migration edge case.
  • Fix missing current log file from zip download. The current log will
    now be included in the zip.

Changed

  • Update to go 1.25.3.
  • Update all backend direct dependencies.
  • Update all frontend dependencies.
  • Update node to 20.19.5.
  • Update alpine to 3.22.
  • Update ACME signing code for clarity.
  • Update log parsing for display in web ui. This functionality is more
    resilient to corrupt log entries.

Removed

  • Remove dns_checker functionality. Instead of checking for record
    propagation, Cert Warden now waits a user specified amount of time.

Cert Warden v0.27.0

09 Jul 22:18

Pre-release

[v0.27.0] - 2025-07-09

This release primarily adds support for the ACME Renewal Info
Extension (RFC 9773).

See: https://datatracker.ietf.org/doc/rfc9773/

If an ACME Server does not support ARI, Cert Warden will generate a
renewal window itself using its own algorithm. Certificates that are
valid for 10 days or less will be renewed roughly at the halfway mark
of their validity and certificates that are valid longer than 10 days
will be renewed when roughly 1/3 of their validity remains.

Options to manually configure renewal timing have been removed.

Note

Cert Warden will run a job to generate the initial renewal information
for your certificates approximately 1 minute after the first start of
this version. If you log in before this information finishes updating,
you will see Error! on the dashboard where the Expiration Flags would
normally be. This is expected and will resolve once the first ARI job finishes.

Caution

This release performs database modifications. Ensure you have a
recent backup and a recovery plan if something goes wrong.

Added

  • Add ACME Renewal Info (ARI) extension support. Overhaul logic for when to do
    cert renewals. If the ACME Server supports ARI, it is respected. If it does
    not, Cert Warden generates a sane "in-house" ARI value and uses that. Cert
    Warden now checks for and performs renewals 1 minute after start and then
    roughly every 2 hours after that. Refresh timing is no longer configurable.
  • Add ARI replaces field. Some ACME Servers support this to bypass rate
    limits.
  • Add ARI explanation flag to dashboard.

Fixed

  • Fix function that checked if there is post processing to do for a cert.
  • Fix issue where the drop down for key selection on a cert failed to show
    the key algorithm of the current key.
  • Backend pkg update to address a dependabot alert.
  • Update Go to 1.24.5 for improvements and fixes.
  • Update Node to 20.19.3.
  • Clarify what "Profile" means in the popup of an order.
  • Add noreferrer to all links that target _blank.

Changed

  • Change color coding on the dashboard for certificate validity remaining:
    • greater than 1 week until renewal window begins : primary
    • less than 1 week until renewal window begins, but it hasn't begun : secondary
    • in the renewal window : warning
    • past the end of the renewal window : error
  • Hovering over the validity remaining flag now shows all information about
    the certificate's renewal window.
  • Do not require an e-mail address on accounts. Let's Encrypt is getting rid
    of them.
  • Update all frontend dependencies.
  • Minor changes to the way some bytes.Buffer are used.
  • Minor linting.
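
The fallback renewal rule and the dashboard colour coding described for this release, as an added Go example (not Cert Warden's own code). The `Window` type, the function names, and the choice to end the fallback window at the certificate's expiry are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

const day = 24 * time.Hour

// Window is a renewal window. The type and field names are hypothetical.
type Window struct{ Start, End time.Time }

// FallbackWindow applies the rule stated for ACME servers without ARI:
// validity of 10 days or less renews at about the halfway mark, longer
// validity renews when about 1/3 of it remains.
// Assumption: the window runs from that point until NotAfter.
func FallbackWindow(notBefore, notAfter time.Time) Window {
	validity := notAfter.Sub(notBefore)
	start := notAfter.Add(-validity / 3) // about 1/3 of validity remains
	if validity <= 10*day {
		start = notBefore.Add(validity / 2) // short-lived: about halfway
	}
	return Window{Start: start, End: notAfter}
}

// Flag maps a renewal window to the dashboard colour listed under "Changed".
func Flag(w Window, now time.Time) string {
	switch {
	case now.After(w.End):
		return "error" // past the end of the renewal window
	case !now.Before(w.Start):
		return "warning" // inside the renewal window
	case w.Start.Sub(now) < 7*day:
		return "secondary" // window opens in less than 1 week
	default:
		return "primary" // window is at least 1 week away
	}
}

func main() {
	nb := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC) // constructed sample date
	w := FallbackWindow(nb, nb.Add(90*day))
	fmt.Println(w.Start.Format(time.RFC3339), Flag(w, nb.Add(57*day)))
}
```

When the ACME server does return a suggested window through ARI, the same `Flag` logic applies to that window instead of the fallback one.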

Cert Warden v0.26.0

19 May 02:26

Pre-release

[v0.26.0] - 2025-05-18

This release adds support for ACME profiles. I'm not sure any provider is
using this outside of Let's Encrypt, but LE is making a pretty big investment
on this front so I wanted to get support added. A "prettier" version of support
is probably coming in the future, but for now this version is sufficient.

The new ACME Profile field is listed under the CSR section of a certificate.

Added

  • Add support for specifying an ACME profile. If an order has a profile, an
    additional icon with the profile name will be shown under the order's
    "Details" column.
  • Add some initial code for ACME ARI support. This code isn't actually in
    use yet though.

Fixed

  • Impose proper rate limiting within both CW's http client as well as within
    the challenges package specifically.
  • Try to ensure challenge records are actually deprovisioned during shutdown.

Cert Warden v0.25.1

07 May 02:20

Pre-release

[v0.25.1] - 2025-05-06

Minor fixes.

Fixed

  • Fix erroneous frontend error after clicking place order.
  • Improve Content-Type parsing (fixes use with some providers e.g., GoDaddy).
  • Update vite to 6.3.5 to address security issue.

Cert Warden v0.25.0

02 May 23:48

Pre-release

[v0.25.0] - 2025-05-02

This release brings some significant feature updates. The most significant is
the ability to manually tweak wait times which could be particularly helpful
if you're getting errors related to DNS validation. One size does not fit all
in this area so I've made it something you can adjust yourself. If you're
having such an error, try increasing the relevant provider's wait time.

Caution

This release performs database AND config modifications. Ensure you have a
recent backup and a recovery plan if something goes wrong.

Added

  • Add manual adjustments to the delay time for each provider. That is, you can
    now manually specify how long Cert Warden should wait before telling the ACME
    Server to proceed with resource validation. The existing behavior waits roughly
    3 minutes, so that default is automatically applied to existing providers,
    except for http-01-internal which does not require any delay.
  • Add field to manually specify the address for the Cert Warden Client post
    processing (instead of using the cert subject). Any cert with a Client
    key present will have the subject automatically copied to the address field
    to ensure your existing setup doesn't break.
  • Add legacy PFX support via api call.

Fixed

  • Update react-router to 7.5.2 to fix a security issue.

Changed

  • Make acme.sh provider more efficient. Modify scripts once in the source vs.
    every time they are run.
  • Update acme.sh to 3.1.1.

Cert Warden v0.24.9

23 Apr 00:00

Pre-release

[v0.24.9] - 2025-04-22

Some minor fixes and improvements.

Important

The way post processing scripts are run has changed! Scripts will be run
in accord with their shebang. This also means your script MUST have the +x
permission or it won't run. The previous way of calling these scripts did
not enforce permissions, so if your scripts stop working after this update
they likely have the wrong shebang or are missing the executable permission.

Added

  • Allow ACME Server / service that does not provide an account key change
    URL in its directory.
  • Add log messages regarding successful provision and deprovision of challenge
    records.
  • Honor post-process script shebang. Scripts will run as specified which
    may produce new errors compared to the last version of CW. This allows more
    flexibility with scripting (e.g., you could use something like Python if you
    wanted to).

Fixed

  • Fix nonce manager's retry loop when CW fails to get a nonce. This was
    implemented in the last version but the loop was wrong.
  • Fix frontend UI erroneous error when adding an ACME Server.
  • Fix garbage code & comments related to new version checking. Check will
    always run once per 24 hours, regardless of success or fail.
  • Security fixes.
  • Set included scripts in the /scripts folder to include the executable
    permission.

Changed

  • Switch to using time.After() instead of extra code for timers. Go GC now
    handles this without issue and the code is cleaner.

Cert Warden v0.24.8

16 Apr 01:21

Pre-release

[v0.24.8] - 2025-04-15

This version brings a substantial overhaul to the challenge solving system. This
should provide a more consistent solving experience overall. There are also some
minor fixes and dependency updates.

Added

  • Add cache headers to built-in http-01 server.
  • Log individual authorization failures and their errors.

Fixed

  • Fix unintended hold over of in-use challenge resources.
  • Fix failures caused by new-nonce returning a 503 error.
  • Fix resource overlap and transient solver failures.
  • Fix possible security issues by updating some dependencies.
  • Fix improper user logout if the browser is refreshed and the access token is
    expired but the session token is not.
  • Fix redirect after submit of the add provider form.

Changed

  • Overhaul challenge solving and resource tracking. Of primary note,
    at minimum, solving will now take 3 minutes to ensure full resource
    propagation. The new system may take longer for single dns name certs
    but will expedite certs with more than 1 dns name.
  • Increase max solving time to 60 minutes before timeout.
  • Update Go to 1.24.2
  • Update go-acme/lego to 4.22.2
  • Update node to 20.19.0