Changelog

5.4.0

5.3.0

5.2.1

  • Update certbot to v2.11.0.

5.2.0

  • Forward the SIGUSR1 signal to Nginx to tell it to reopen log files.

5.1.1

  • Update certbot to version 2.10.0

5.1.0

  • Add ability to change validity time of the local CA.
    • This variable is not mentioned in the main README since it should not be used without reading the relevant advanced documentation.

5.0.1

  • Lock certbot version via a requirements.txt file.
    • Updates to the certbot version will now bump patch version of this repo.
  • Added Bunny DNS to available authenticators.

5.0.0

  • We now run nginx -t before reloading Nginx. This will hopefully provide better info on config errors without crashing the container.
    • The reason for this being a major version is because technically we alter core container behavior where previous errors would result in a restart.
    • PR by @stefansundin

4.3.0

  • Parent image is now using Python 3.11 which implements PEP 668, so we have to allow PIP to "break system packages".

4.2.1

  • Require all certificate files to have a size greater than zero.

4.2.0

  • Add Ionos DNS authenticator plugin

4.1.0

  • Install Bash 5.2.15 from Debian Bookworm.
    • Workaround for this Bash bug which we also had in the Alpine image.
    • Not using a "backport" repository is not recommended, but right now it is the only way.
  • Added timestamps to the log output we produce.
    • This is technically a breaking change if someone parses our logs, but I will ignore that.

4.0.0

  • New approach to implementing IPv6 support for the HTTP-01 challenge.
    • Deleted the dedicated server in certbot.conf
    • This change should be transparent for anyone not having a custom certbot.conf file, but is technically making a breaking change for someone, thus a major revision bump.

3.3.1

3.3.0

3.2.2

  • Small syntax fixes recommended by shellcheck.

3.2.1

  • Small syntax fixes recommended by shellcheck.

3.2.0

  • Make it possible to override the CERTBOT_PRODUCTION_URL and CERTBOT_STAGING_URL variables.
    • You can now point certbot to whichever ACME server you want.

3.1.3

  • Recover and retry in case of failed dhparam creation.

3.1.2

  • Use latest version of Bash in the Alpine image again.
    • The wait bug is fixed since Bash 5.1.10.

3.1.1

  • Small bugfix for the dns-route53 authenticator.
  • Made it so that only Bash is installed from an older Alpine repository.

3.1.0

  • Replace sort -u with awk '!a[$0]++' to keep distinct order of the domain names.

3.0.1

  • Actually use ECDSA certificates by default.
    • In the eagerness to deploy the latest version, this update was forgotten.

3.0.0

  • Add support for DNS-01 challenges.
    • Check out the list of all currently supported authenticators.
    • This also means it is now possible to request wildcard certificates!
    • PR by @XaF.
  • Make it possible to define which authenticator to use on a certificate basis.
  • Make it possible to use same cert_name across multiple config files.
    • The scripts will remember all domain names associated with the cert name.
    • This means you can now use as many config files as you want and have them all point to a single certificate.
  • Add BATS.
    • A lot of unit tests for the Bash functions we use in the util.sh file.
    • Also add it as a GitHub action.
    • A huge thank you to @XaF for providing the foundation for this.
  • Add ability to override found server_name.
    • By adding a comment on the server_name line the script will now use that instead.
    • This enables you to easily group domains under a common wildcard certificate (example config).
  • Any server name beginning with '~' will be ignored.
    • This character means that the server name is a regex, and we cannot use it when requesting certificates.
  • Use ECDSA certificates by default.
    • You now have to explicitly set USE_ECDSA=0 to disable this.
  • We aren't actually introducing any breaking changes, but such a large change deserves a major release.
  • Update documentation.
  • Update examples.

2.4.1

  • Fix missing quotes around variable.
  • Changed package mirror used by Alpine images. More info in issue #70.
  • Added more documentation.
  • Updated the docker-compose examples a bit.

2.4.0

  • Create a script that can sign certificates with the help of a local certificate authority.
    • It is now possible to work completely offline.
    • We can now create certificates for localhost.
  • Restructure and add a lot of documentation.
  • openssl is now a symlink to libressl in the Alpine images.
    • This is done to simplify the rest of the scripts since the arguments are the same.

2.3.0

  • Add support for ECDSA certificates.
    • It is possible to have Nginx serve both ECDSA and RSA certificates at the same time for the same server. Read more in its good to know section.
  • Made it so that the "primary domain"/"cert name" can be whatever you want.
    • This was actually already possible from v0.12, but it is only now that we allow it.

2.2.0

2.1.0

  • Made the create_dhparams.sh script capable of creating missing directories.
  • Made it so that we run symlink_user_configs at startup so we do not run into a race condition with Nginx.
  • Some minor cleanup in the Dockerfiles related to the above changes.

2.0.1

  • There now exists a Dockerfile for building from the Nginx Alpine image as well.
    • It is possible to use the Alpine version by appending -alpine to any of the tags from now on.
    • There are now so many tags available, see dockerhub_tags.md for the possible combinations.
    • NOTE: There exists a bug in Bash 5.1.0, which is described in detail here.
    • Suggested by @tudddorrr.
  • Small fix to the create_dhparams.sh script to handle the use of libressl in Alpine.
  • Added a small sleep in order to mitigate a rare race condition between Nginx startup and the symlink script.
  • Fix an ugly printout in the case when the sleep function exited naturally.

2.0.0

  • Big change on how we recommend users to get their .conf files into the container.
  • Examples are updated to reflect changes.
  • Add more logging.
  • Add more " around variables for extra safety.
  • Big overhaul of how the documentation is structured.
  • Even more tags now available on Docker Hub!

1.3.0

  • Ignore values starting with data: and engine: when verifying that all files exist.
  • Add a debug mode which is enabled by setting the environment variable DEBUG=1.

1.2.0

1.1.0

  • Fix that scripts inside /docker-entrypoint.d/ were never run (issue #21).
    • Found while helping @isomerpages move from @staticfloat's image.
  • Fix for issue where the script failed in case the /etc/letsencrypt/dhparams folder was missing.

1.0.0

  • Move over to semantic versioning.
    • The version number will now be given like this: [MAJOR].[MINOR].[PATCH]
    • This is done to signify that I feel like this code is stable, since I have been running this for quite a while.
  • Build from a defined version of Nginx.
    • This is done to facilitate a way to lock this container to a more specific version.
    • This also allows us to more often trigger rebuilds of this container on Docker Hub.
  • New tags are available on Docker Hub.
    • There will now be tags on the following form:
      • latest
      • 1.0.0
      • 1.0.0-nginx1.19.7

0.16

  • Container now listens to SIGHUP and will reload all configs if this signal is received.
    • More details can be found in the commit message: bf2c135
  • Made Docker image slightly smaller by including --no-install-recommends.
  • There is now also a dev branch/tag if you are brave and want to run experimental builds.
  • JonasAlfredsson/docker-nginx-certbot is now its own independent repository (i.e. no longer just a fork).

0.15

  • It is now possible to manually trigger a renewal of certificates.
    • It is also possible to include "force" to add --force-renewal to the request.
  • The "clean exit" trap now handles that the parent container changed to SIGQUIT as its stop signal.
  • The "certbot" server block (in Nginx) now prints to stdout by default.
  • Massive refactoring of both code and files:
    • Our "start command" file is now called start_nginx_certbot.sh instead of entrypoint.sh.
    • Both create_dhparams.sh and run_certbot.sh can now be run by themselves inside the container.
    • I have added set -e in most of the files so the program exits as intended when unexpected errors occur.
    • Added {} and "" around most of the bash variables.
    • Change some log messages and where they appear.
  • Our /scripts/startup/ folder has been removed.

0.14

  • Made it so that the container now exits gracefully and reports the correct exit code.
    • More details can be found in the commit message: 43dde6e
  • Bash script now correctly monitors both the Nginx and the certbot renewal process PIDs.
    • If either one of these processes dies, the container will exit with the same exit code as that process.
    • This will also trigger a graceful exit for the rest of the processes.
  • Removed unnecessary and empty ENTRYPOINT from Dockerfile.
  • A lot of refactoring of the code, cosmetic changes and editing of comments.

0.13

  • Fixed the regex used in all of the sed commands.
    • Now makes sure that the proper amount of spaces are present in the right places.
    • Now allows comments at the end of the lines in the configs. # Nice!
    • Made the expression a little bit more readable thanks to the -r flag.
  • Now made certbot solely responsible for checking if the certificates need to be renewed.
    • Certbot is actually smart enough to not send any renewal requests if it doesn't have to.
  • The time interval used to trigger the certbot renewal check is now user configurable.
    • The environment variable to use is RENEWAL_INTERVAL.

0.12

  • Added --cert-name flag to the certbot certificate request command.
    • This allows for both adding and subtracting domains to the same certificate file.
    • Makes it possible to have path names that are not domain names (but this is not allowed yet).
  • Made the file parsing functions smarter so they only find unique file paths.
  • Cleaned up some log output.
  • Updated the docker-compose example.
  • Fixed some spelling in the documentation.

0.11

  • Python 2 is EOL, so it's time to move over to Python 3.
  • From now on Docker Hub will also automatically build with tags.
    • Lock the version by specifying the tag: jonasal/nginx-certbot:0.11

0.10

0.9

  • I am now confident enough to remove the version suffixes.
  • nginx:mainline is now using Debian 10 Buster.
  • Updated documentation.

0.9-gamma

  • Make both Nginx and the update script child processes of the entrypoint.sh script.
  • Container will now die along with Nginx like it should.
  • The Diffie-Hellman parameters now have better permissions.
  • Container now exists on Docker Hub under jonasal/nginx-certbot:latest
  • More documentation.

0.9-beta

  • @JonasAlfredsson enters the battle.
  • Diffie-Hellman parameters are now automatically generated.
  • Nginx now handles everything HTTP related -> certbot set to webroot mode.
  • Better checking to see if necessary files exist.
  • Will now request a certificate that includes all domain variants listed on the server_name line.
  • More extensive documentation.

0.8

  • Ditch cron, it never liked me anyway. Just use sleep and a while loop instead.

0.7

  • Complete rewrite, build this image on top of the nginx image, and run cron/certbot alongside nginx so that we can have Nginx configs dynamically enabled as we get SSL certificates.

0.6

  • Add nginx_auto_enable.sh script to /etc/letsencrypt/ so that users can bring Nginx up before SSL certs are actually available.

0.5

  • Change the name to docker-certbot-cron, update documentation, strip out even more stuff I don't care about.

0.4

  • Rip out a bunch of stuff because @staticfloat is a monster, and likes to do things his way

0.3

  • Add support for webroot mode.
  • Run certbot once with all domains.

0.2

  • Upgraded to use certbot client
  • Changed image to use alpine linux

0.1

  • Initial release