Repository: gregtwallace/legocerthub
Branch: master
Commit: 259679f12e34
Files: 12
Total size: 93.3 KB
Directory structure:
gitextract_ype51_yk/
├── .gitattributes
├── .github/
│ └── workflows/
│ ├── build_releases.yml
│ └── publish_docker.yml
├── .gitignore
├── CHANGELOG.md
├── Dockerfile
├── LICENSE.md
├── README.md
├── build.ps1
├── build.sh
├── docker-compose.yml
└── version.json
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitattributes
================================================
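# shell scripts require LF: `text` normalizes to LF on check-in and `eol=lf`
# prevents CRLF conversion on checkout (overrides core.autocrlf)
*.sh text eol=lf
# linux service files should use LF; `text` added so this rule is applied the
# same way as the *.sh rule above rather than depending on eol-only handling
*.service text eol=lf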
================================================
FILE: .github/workflows/build_releases.yml
================================================
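name: Build Releases

# Runs on manual dispatch and on any pushed `v*` tag. The same tag ref is
# checked out from the main, frontend and backend repositories.
on:
  workflow_dispatch:
  push:
    tags:
      - 'v*'

# Least-privilege GITHUB_TOKEN: every step here only reads repositories and
# moves build artifacts; nothing writes to repository contents or packages.
permissions:
  contents: read

env:
  GITHUB_REF: ${{ github.ref }}
  # Versions - keep in sync with Dockerfile
  GO_VERSION: '1.26.2'
  NODE_VERSION: '24.15.0'

# NOTE(review): every third-party action below is pinned to a moving major
# tag (e.g. `@v6`). Pinning each `uses:` to a full-length commit SHA (tag kept
# in a trailing comment) prevents a retagged action from changing what runs
# in this release pipeline.
jobs:
  # Collects the repo-level documents that ship in every release archive.
  build-common:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Main Repo
        uses: actions/checkout@v6
        with:
          repository: gregtwallace/certwarden
          ref: ${{ env.GITHUB_REF }}
          fetch-depth: 0

      - name: Save README
        uses: actions/upload-artifact@v7
        with:
          name: README.md
          path: ./README.md

      - name: Save LICENSE
        uses: actions/upload-artifact@v7
        with:
          name: LICENSE.md
          path: ./LICENSE.md

      - name: Save CHANGELOG
        uses: actions/upload-artifact@v7
        with:
          name: CHANGELOG.md
          path: ./CHANGELOG.md

  # Builds the React frontend once; the compiled `dist` is shared by all
  # release jobs.
  build-frontend:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Frontend Repo
        uses: actions/checkout@v6
        with:
          repository: gregtwallace/certwarden-frontend
          ref: ${{ env.GITHUB_REF }}
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '${{ env.NODE_VERSION }}'
          cache: 'npm'

      - run: npm ci

      - run: npm run build
        env:
          CI: false

      # Only uploaded when the build fails, to aid troubleshooting.
      - name: Archive npm failure logs
        uses: actions/upload-artifact@v7
        if: failure()
        with:
          name: npm-logs
          path: ~/.npm/_logs

      - name: Save Compiled React App
        uses: actions/upload-artifact@v7
        with:
          name: frontend_build
          path: ./dist

  # Collects the platform-independent backend files (configs, docs, scripts).
  build-backend-common:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Backend Repo
        uses: actions/checkout@v6
        with:
          repository: gregtwallace/certwarden-backend
          ref: ${{ env.GITHUB_REF }}
          fetch-depth: 0

      - name: Save Default Config
        uses: actions/upload-artifact@v7
        with:
          name: config.default.yaml
          path: ./config.default.yaml

      - name: Save Example Config
        uses: actions/upload-artifact@v7
        with:
          name: config.example.yaml
          path: ./config.example.yaml

      - name: Save Config Changelog
        uses: actions/upload-artifact@v7
        with:
          name: config.changelog.md
          path: ./config.changelog.md

      - name: Save Scripts (Linux)
        uses: actions/upload-artifact@v7
        with:
          name: scripts-linux
          path: ./scripts/linux

      - name: Save Scripts (Windows)
        uses: actions/upload-artifact@v7
        with:
          name: scripts-windows
          path: ./scripts/windows

  # Cross-compiles the backend for linux/arm64 with CGO enabled.
  build-backend-linux-arm64:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Backend Repo
        uses: actions/checkout@v6
        with:
          repository: gregtwallace/certwarden-backend
          ref: ${{ env.GITHUB_REF }}
          fetch-depth: 0

      # apt-get (not apt) is the stable CLI intended for scripts; matches the
      # install step below.
      - name: Update apt
        run: sudo apt-get update

      - name: Install cross-compiler for linux/arm64
        run: sudo apt-get -y install gcc-aarch64-linux-gnu

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '${{ env.GO_VERSION }}'

      - name: Build
        run: go build -o ./certwarden -v ./cmd/api-server
        env:
          GOOS: linux
          GOARCH: arm64
          CC: aarch64-linux-gnu-gcc
          CGO_ENABLED: 1

      - name: Save Compiled Binary
        uses: actions/upload-artifact@v7
        with:
          name: certwarden-linux-arm64
          path: ./certwarden

  # Native build of the backend for linux/amd64 with CGO enabled.
  build-backend-linux-amd64:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Backend Repo
        uses: actions/checkout@v6
        with:
          repository: gregtwallace/certwarden-backend
          ref: ${{ env.GITHUB_REF }}
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '${{ env.GO_VERSION }}'

      - name: Build
        run: go build -o ./certwarden -v ./cmd/api-server
        env:
          GOOS: linux
          GOARCH: amd64
          CGO_ENABLED: 1

      - name: Save Compiled Binary
        uses: actions/upload-artifact@v7
        with:
          name: certwarden-linux-amd64
          path: ./certwarden

  # Native build of the backend for windows/amd64 with CGO enabled.
  build-backend-windows-amd64:
    runs-on: windows-2022
    steps:
      - name: Checkout Backend Repo
        uses: actions/checkout@v6
        with:
          repository: gregtwallace/certwarden-backend
          ref: ${{ env.GITHUB_REF }}
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: '${{ env.GO_VERSION }}'

      - name: Build
        run: go build -o ./certwarden.exe -v ./cmd/api-server
        env:
          GOOS: windows
          GOARCH: amd64
          CGO_ENABLED: 1

      - name: Save Compiled Binary
        uses: actions/upload-artifact@v7
        with:
          name: certwarden-windows-amd64
          path: ./certwarden.exe

  # Assembles the linux/arm64 release: frontend, configs, scripts, binary and
  # docs, tarred so the script executable bits survive the artifact upload.
  release-file-linux-arm64:
    needs:
      - build-common
      - build-frontend
      - build-backend-common
      - build-backend-linux-arm64
    runs-on: ubuntu-24.04
    steps:
      - name: Make release directory
        run: mkdir ./release

      - name: Download Frontend
        uses: actions/download-artifact@v8
        with:
          name: frontend_build
          path: ./release/frontend_build

      - name: Download Backend Default Config
        uses: actions/download-artifact@v8
        with:
          name: config.default.yaml
          path: ./release

      - name: Download Backend Example Config
        uses: actions/download-artifact@v8
        with:
          name: config.example.yaml
          path: ./release

      - name: Download Config Changelog
        uses: actions/download-artifact@v8
        with:
          name: config.changelog.md
          path: ./release

      - name: Download Linux Scripts
        uses: actions/download-artifact@v8
        with:
          name: scripts-linux
          path: ./release/scripts

      - name: Download Backend Binary
        uses: actions/download-artifact@v8
        with:
          name: certwarden-linux-arm64
          path: ./release

      - name: Download README
        uses: actions/download-artifact@v8
        with:
          name: README.md
          path: ./release

      - name: Download LICENSE
        uses: actions/download-artifact@v8
        with:
          name: LICENSE.md
          path: ./release

      - name: Download CHANGELOG
        uses: actions/download-artifact@v8
        with:
          name: CHANGELOG.md
          path: ./release

      # Artifact transfer drops file modes; restore +x on the shipped scripts.
      - name: Set script permissions
        run: |
          find ./release/scripts -type f -name "*.sh" -print0 | xargs -0 chmod 755

      - name: Tar files (preserves permissions)
        run: |
          tar -cvf certwarden_linux_arm64.tar ./release

      - name: Save Release
        uses: actions/upload-artifact@v7
        with:
          name: certwarden_linux_arm64
          path: certwarden_linux_arm64.tar

  # Assembles the linux/amd64 release (same layout as the arm64 job).
  release-file-linux-amd64:
    needs:
      - build-common
      - build-frontend
      - build-backend-common
      - build-backend-linux-amd64
    runs-on: ubuntu-24.04
    steps:
      - name: Make release directory
        run: mkdir ./release

      - name: Download Frontend
        uses: actions/download-artifact@v8
        with:
          name: frontend_build
          path: ./release/frontend_build

      - name: Download Backend Default Config
        uses: actions/download-artifact@v8
        with:
          name: config.default.yaml
          path: ./release

      - name: Download Backend Example Config
        uses: actions/download-artifact@v8
        with:
          name: config.example.yaml
          path: ./release

      - name: Download Config Changelog
        uses: actions/download-artifact@v8
        with:
          name: config.changelog.md
          path: ./release

      - name: Download Linux Scripts
        uses: actions/download-artifact@v8
        with:
          name: scripts-linux
          path: ./release/scripts

      - name: Download Backend Binary
        uses: actions/download-artifact@v8
        with:
          name: certwarden-linux-amd64
          path: ./release

      - name: Download README
        uses: actions/download-artifact@v8
        with:
          name: README.md
          path: ./release

      - name: Download LICENSE
        uses: actions/download-artifact@v8
        with:
          name: LICENSE.md
          path: ./release

      - name: Download CHANGELOG
        uses: actions/download-artifact@v8
        with:
          name: CHANGELOG.md
          path: ./release

      # Artifact transfer drops file modes; restore +x on the shipped scripts.
      - name: Set script permissions
        run: |
          find ./release/scripts -type f -name "*.sh" -print0 | xargs -0 chmod 755

      - name: Tar files (preserves permissions)
        run: |
          tar -cvf certwarden_linux_amd64.tar ./release

      - name: Save Release
        uses: actions/upload-artifact@v7
        with:
          name: certwarden_linux_amd64
          path: certwarden_linux_amd64.tar

  # Assembles the windows/amd64 release. No executable bits to preserve, so the
  # release directory is uploaded directly rather than tarred.
  release-file-windows-amd64:
    needs:
      - build-common
      - build-frontend
      - build-backend-common
      - build-backend-windows-amd64
    runs-on: ubuntu-24.04
    steps:
      - name: Make release directory
        run: mkdir ./release

      - name: Download Frontend
        uses: actions/download-artifact@v8
        with:
          name: frontend_build
          path: ./release/frontend_build

      - name: Download Backend Default Config
        uses: actions/download-artifact@v8
        with:
          name: config.default.yaml
          path: ./release

      - name: Download Backend Example Config
        uses: actions/download-artifact@v8
        with:
          name: config.example.yaml
          path: ./release

      - name: Download Config Changelog
        uses: actions/download-artifact@v8
        with:
          name: config.changelog.md
          path: ./release

      - name: Download Windows Scripts
        uses: actions/download-artifact@v8
        with:
          name: scripts-windows
          path: ./release/scripts

      - name: Download Backend Binary
        uses: actions/download-artifact@v8
        with:
          name: certwarden-windows-amd64
          path: ./release

      - name: Download README
        uses: actions/download-artifact@v8
        with:
          name: README.md
          path: ./release

      - name: Download LICENSE
        uses: actions/download-artifact@v8
        with:
          name: LICENSE.md
          path: ./release

      - name: Download CHANGELOG
        uses: actions/download-artifact@v8
        with:
          name: CHANGELOG.md
          path: ./release

      - name: Save Release
        uses: actions/upload-artifact@v7
        with:
          name: certwarden_windows_amd64
          path: ./release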
================================================
FILE: .github/workflows/publish_docker.yml
================================================
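name: Publish Docker Image

# Runs on manual dispatch and on any pushed `v*` tag; the tag name is passed
# to the Dockerfile as the backend/frontend version to build.
on:
  workflow_dispatch:
  push:
    tags:
      - 'v*'

# The ghcr.io login below authenticates with GITHUB_TOKEN, which needs
# `packages: write` to push. Declaring it explicitly makes the push
# independent of the repository's default token setting and keeps the token
# read-only for everything else.
permissions:
  contents: read
  packages: write

env:
  GITHUB_REF: ${{ github.ref }}
  GITHUB_REF_NAME: ${{ github.ref_name }}
  # GO_VERSION: <set in Dockerfile, not here>
  # NODE_VERSION: <set in Dockerfile, not here>

# NOTE(review): the actions below are pinned to moving major tags (e.g. `@v6`);
# pinning each `uses:` to a full-length commit SHA prevents a retagged action
# from changing what builds and publishes the image.
jobs:
  build-docker:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout Main Repo
        uses: actions/checkout@v6
        with:
          repository: gregtwallace/certwarden
          ref: ${{ env.GITHUB_REF }}
          fetch-depth: 0

      # QEMU + Buildx provide the multi-platform build used by the push step.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      # DOCKERHUB_TOKEN should be a Docker Hub access token limited to
      # read/write on this image, not the account password.
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # NOTE(review): this step runs docker/login-action@v4 while the Docker Hub
      # login above runs @v3 — the same action at two major versions in one
      # job. Align them after checking the v4 release notes.
      - name: Log in to the GitHub Container registry
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Derives image tags/labels from the git tag for both registries.
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: |
            gregtwallace/certwarden
            ghcr.io/${{ github.repository }}

      # The tag name reaches the build only as a build-arg via the action
      # input, not through a shell, so it is not interpolated into a command.
      # Consider enabling the action's `sbom` / `provenance` inputs so image
      # consumers get verifiable supply-chain metadata.
      - name: Build and push Docker image
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            BACKEND_VERSION=${{ env.GITHUB_REF_NAME }}
            FRONTEND_VERSION=${{ env.GITHUB_REF_NAME }}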
================================================
FILE: .gitignore
================================================
# local build output directory (presumably written by build.sh / build.ps1 — confirm)
/out
================================================
FILE: CHANGELOG.md
================================================
# Cert Warden Changelog
## [v0.29.3] - 2026-05-15
Minor updates and fixes.
## Added
- Add default path to acme.sh provider form.
- Add build flag to omit dns-01 go-acme from builds (not in use yet but
provides an option to greatly reduce compile size and time).
- Add backend github action for testing.
- Add download route tests.
## Fixed
- Fix issue where newest valid order wasn't served for a cert.
Issue triggered when newer order had a shorter validity and the "old"
order had a later expiration date. This could be triggered by the
recent Let's Encrypt change from 90 to 45 day certificates.
- Updates to address several frontend package warnings.
- Improve redacted console log of frontend logging. Also add redaction
for the CW client AES key.
- Fix validation test regarding rfc850 time.
- Use derivative of shutdown context in all storage contexts.
## Changed
- Update axios to 1.16.0
- Update follow-redirects to 1.16.0
- Update postcss to 8.5.14
- Use build flags to exclude acme.sh provider from windows builds (as
opposed to checking GOOS at runtime)
- Minor updates to dns-persist-01
- Begin rework of storage. Preparation to make the SQL code storage method
agnostic and to move all sqlite specific code to its own package. In the
future I'd like to change sqlite package to move away from the CGO
requirement.
## [v0.29.2] - 2026-04-29
Critical security fix and other updates.
> [!CAUTION]
> You should immediately update Cert Warden. There was a security
> vulnerability where it was possible to access the private key with just the
> certificate api key. You should also rotate any keys where you shared the
> certificate api key without the intention of sharing the private key as
> well.
## Fixed
- Security issue where combination key+certificate downloads could be
accessed with only one of the two keys. Thank you to @Feliksas for reporting
this.
## Changed
- Wake up hourly to check certificates (instead of every other hour).
- Increase http request limit to 10 (from 3). The prior release decreased this
due to a misconfiguration on Let's Encrypt's infrastructure. The issue should
be resolved so we can go faster again.
- Move retry-after header parsing and add some tests.
- Update go-acme/lego/v4 to 4.35.2
- Rewrite dnscloudflare01 using Cloudflare's newest Go API (v6).
- Update all Github actions to latest versions.
- Update node.js to 24.15.0
## [v0.29.1] - 2026-04-13
Minor changes.
## Fixed
- Improve http client rate limiter.
- Improve ARI update failed error message.
## [v0.29.0] - 2026-04-09
This release adds support for the dns-persist-01 challenge type. There
is a new provider `dns-persist-01 Manual` that should cover all cases.
## Added
- Add dns-persist-01 challenge type support.
## Fixed
- Several dependencies with possible issues updated.
## Changed
- Update to go 1.25.5
- Update to node 20.19.6
- Update all frontend dependencies.
- Update github.com/go-jose/go-jose/v4 to v4.1.4
- Update google.golang.org/grpc to v1.80.0
## [v0.28.1] - 2025-12-16
This release is a few minor fixes and dependency updates.
## Added
- Add ability to specify Cert Warden client notification port.
## Fixed
- Fix post processing parameter posting (database had parameter order
flip-flopped).
- Fix put csr extensions (had wrong field name).
- Fix file encoding in acme.sh prep script.
## Changed
- Update to go 1.25.5
- Update to node 20.19.6
- Update x/crypto to 0.45.0
- Update go-acme/lego/v4 to 4.29.0
- Update acme.sh to 3.1.2
- Update all frontend dependencies.
- Do some minor linting.
## [v0.28.0] - 2025-10-19
This release removes dns record checking during the propagation of
dns challenge records. This function was somewhat hit or miss depending
on provider. Instead, each provider now has one configurable wait
time that Cert Warden will wait before telling the ACME Server to
proceed with validation.
The config migration will add your two existing wait times together and use
that as your wait time value. A floor of 5 minutes will be used
if the value is less than that. For http, a minimum floor of 5 seconds
is used.
You should play with the wait time to find a reasonably low value so
you're not waiting excessively, but not so low that you fail validation.
For most dns providers, 5 minutes should be fine.
Otherwise, this is minor fixes and dependency updates.
## Fixed
- Fix bug where a long order 'processing' state would not properly
backoff.
- Fix db migration edge case.
- Fix missing current log file from zip download. The current log will
now be included in the zip.
## Changed
- Update to go 1.25.3.
- Update all backend direct dependencies.
- Update all frontend dependencies.
- Update node to 20.19.5.
- Update alpine to 3.22.
- Update ACME signing code for clarity.
- Update log parsing for display in web ui. This functionality is more
resilient to corrupt log entries.
## Removed
- Remove dns_checker functionality. Instead of checking for record
propagation, Cert Warden now waits a user specified amount of time.
## [v0.27.0] - 2025-07-09
This release primarily adds support for the ACME Renewal Info
Extension (RFC 9773).
See: https://datatracker.ietf.org/doc/rfc9773/
If an ACME Server does not support ARI, Cert Warden will generate a
renewal window itself using its own algorithm. Certificates that are
valid for 10 days or less will be renewed roughly at the halfway mark
of their validity and certificates that are valid longer than 10 days
will be renewed when roughly 1/3 of their validity remains.
Options to manually configure renewal timing have been removed.
> [!NOTE]
> Cert Warden will run a job to generate the initial renewal information
> for your certificates approximately 1 minute after the first start of
> this version. If you login before this information finishes updating
> you will see `Error!` on the dashboard where the Expiration Flags would
> normally be. This is expected and will resolve once the first ARI job finishes.
> [!CAUTION]
> This release performs database modifications. Ensure you have a
> recent backup and a recovery plan if something goes wrong.
## Added
- Add ACME Renewal Info (ARI) extension support. Overhaul logic for when to do
cert renewals. If the ACME Server supports ARI, it is respected. If it does
not, Cert Warden generates a sane "in-house" ARI value and uses that. Cert
Warden now checks for and performs renewals 1 minute after start and then
roughly every 2 hours after that. Refresh timing is no longer configurable.
- Add ARI `replaces` field. Some ACME Servers support this to bypass rate
limits.
- Add ARI explanation flag to dashboard.
## Fixed
- Fix function that checked if there is post processing to do for a cert.
- Fix issue where the drop down for key selection on a cert failed to show
the key algorithm of the current key.
- Backend pkg update to address a dependabot alert.
- Update Go to 1.24.5 for improvements and fixes.
- Update Node to 20.19.3.
- Clarify what "Profile" means in the popup of an order.
- Add noreferrer to all links that target _blank.
## Changed
- Change color coding on the dashboard for certificate validity remaining:
- greater than 1 week until renewal window begins : primary
- less than 1 week until renewal window begins, but it hasn't begun : secondary
- in the renewal window : warning
- past the end of the renewal window : error
- Hovering over the validity remaining flag now shows all information about
the certificate's renewal window.
- Do not require an e-mail address on accounts. Let's Encrypt is getting rid
of them.
- Update all frontend dependencies.
- Minor changes to the way some bytes.Buffer are used.
- Minor linting.
## [v0.26.0] - 2025-05-18
This release adds support for ACME `profiles`. I'm not sure any provider is
using this outside of Let's Encrypt, but LE is making a pretty big investment
on this front so I wanted to get support added. A "prettier" version of support
is probably coming in the future, but for now this version is sufficient.
The new `ACME Profile` field is listed under the `CSR` section of a certificate.
## Added
- Add support for specifying an ACME profile. If an order has a profile, an
additional icon with the profile name will be shown under the order's
"Details" column.
- Add some initial code for ACME ARI support. This code isn't actually in
use yet though.
## Fixed
- Impose proper rate limiting within both CW's http client as well as within
the challenges package specifically.
- Try to ensure challenge records are actually deprovisioned during shutdown.
## [v0.25.1] - 2025-05-06
Minor fixes.
## Fixed
- Fix erroneous frontend error after clicking place order.
- Improve Content-Type parsing (fixes use with some providers e.g., GoDaddy).
- Update vite to 6.3.5 to address security issue.
## [v0.25.0] - 2025-05-02
This release brings some significant feature updates. The most significant is
the ability to manually tweak wait times which could be particularly helpful
if you're getting errors related to DNS validation. One size does not fit all
in this area so I've made it something you can adjust yourself. If you're
having such an error, try increasing the relevant provider's wait time.
> [!CAUTION]
> This release performs database AND config modifications. Ensure you have a
> recent backup and a recovery plan if something goes wrong.
## Added
- Add manual adjustments to the delay time for each provider. That is, you can
now manually specify how long Cert Warden should wait before telling the ACME
Server to proceed with resource validation. The existing behavior waits roughly
3 minutes, so that default is automatically applied to existing providers,
except for http-01-internal which does not require any delay.
- Add field to manually specify the address for the Cert Warden Client post
processing (instead of using the cert subject). Any cert with a Client
key present will have the subject automatically copied to the address field
to ensure your existing setup doesn't break.
- Add legacy PFX support via api call.
## Fixed
- Update react-router to 7.5.2 to fix a security issue.
## Changed
- Make acme.sh provider more efficient. Modify scripts once in the source vs.
every time they are run.
- Update acme.sh to 3.1.1.
## [v0.24.9] - 2025-04-22
Some minor fixes and improvements.
> [!IMPORTANT]
> The way post processing scripts are run has changed! Scripts will be run
> in accord with their shebang. This also means your script MUST have the +x
> permission or it won't run. The previous way of calling these scripts did
> not enforce permissions, so if your scripts stop working after this update
> they likely have the wrong shebang or are missing the executable permission.
## Added
- Allow ACME Server / service that does not provide an account key change
URL in its directory.
- Add log messages regarding successful provision and deprovision of challenge
records.
- Honor post-process script shebang. Scripts will run as specified which
may produce new errors compared to the last version of CW. This allows more
flexibility with scripting (e.g., you could use something like Python if you
wanted to).
## Fixed
- Fix nonce manager's retry loop when CW fails to get a nonce. This was
implemented in the last version but the loop was wrong.
- Fix frontend UI erroneous error when adding an ACME Server.
- Fix garbage code & comments related to new version checking. Check will
always run once per 24 hours, regardless of success or fail.
- Security fixes.
- Set included scripts in the `/scripts` folder to include the executable
permission.
## Changed
- Switch to using time.After() instead of extra code for timers. Go GC now
handles this without issue and the code is cleaner.
## [v0.24.8] - 2025-04-15
This version brings a substantial overhaul to the challenge solving system. This
should provide a more consistent solving experience overall. There are also some
minor fixes and dependency updates.
## Added
- Add cache headers to built-in http-01 server.
- Log individual authorization failures and their errors.
## Fixed
- Fix unintended hold over of in-use challenge resources.
- Fix failures caused by `new-nonce` returning a 503 error.
- Fix resource overlap and transient solver failures.
- Fix possible security issues by updating some dependencies.
- Fix improper user logout if the browser is refreshed and the access token is
expired but the session token is not.
- Fix redirect after submit of the add provider form.
## Changed
- Overhaul challenge solving and resource tracking. Of primary note,
at minimum, solving will now take 3 minutes to ensure full resource
propagation. The new system may take longer for single dns name certs
but will expedite certs with more than 1 dns name.
- Increase max solving time to 60 minutes before timeout.
- Update Go to 1.24.2
- Update go-acme/lego to 4.22.2
- Update node to 20.19.0
## [v0.24.7] - 2025-03-27
Fix cname check for dns-01.
## [v0.24.6] - 2025-03-25
A couple minor features, as well as minor updates and fixes.
## Added
- Add CNAME check when using Domain Aliases. An error is logged to indicate when
an alias is configured in Cert Warden but is not found when checking DNS
records. This should make alias problems more obvious and easier to
troubleshoot.
- Add persistent browser storage for the rows per page setting. The user selection
will persist in local storage. The `ACME Orders` table has a separately persisted
value since users will probably want that one to be shorter and not tied to the
other table views.
## Fixed
- Multiple dependency updates to address CVEs.
- Allow `+` symbol in email addresses.
- Fix some minor typos.
## Changed
- Change logs display behavior to show last 500 entries. This is to improve
viewing consistency and performance.
- Update to Vite 6.2.2.
## [v0.24.5] - 2025-02-12
Update major version deps of the frontend to the latest and greatest. The backend
is unchanged from the last version and no change in functionality of the frontend
is expected. Some build tools were also updated.
## Fixed
- Fixed missing field name on PaG page.
## Changed
- Update to Vite 6.
- Update to React 19.
- Update to MUI 6.
- Build with Node 20 instead of 18.
- Build using Ubuntu LTS 24.04 and Windows-2022.
- Overhaul ts and eslint configs to modern values.
- Do a bunch of linting.
### Removed
- Remove some dead code related to viewing provider configs in the page that shows
all providers.
## [v0.24.4] - 2025-02-03
The porkbun API url changed and requires an update. I am taking this opportunity
to rip the bandaid off and update all dependencies. Please report any issues.
### Fixed
- Fix PorkBun API URL (through dependency update).
- Fixed error with duplicate element `id` on PaG page.
- Don't show change password widget for non-local user.
- Fix config docs regarding the removed `frontend_show_debug_info` item.
## Changed
- Update Go to 1.23.5.
- Update Node to 18.20.6.
- Update Alpine to 3.21.
- Update acme.sh to 3.1.0.
- Update all other backend and frontend dependencies.
## [v0.24.3] - 2025-01-26
More minor tweaks, polish, and fixes.
### Added
- Add ability to view the entire ACME Server's directory response in the frontend
when the frontend debug info toggle is enabled.
### Fixed
- Fix issue where multiple orders or multiple domains on one order could fail
to validate due to the ACME Server finding the previous value for the expected
record. This adds a 60 second delay before re-using a previously used resource.
- Fix frontend navigation links related to `Providers`.
### Changed
- Frontend debug option was removed from environment config. Instead it
is stored in the user's browser and can be toggled on the `Settings` page.
## [v0.24.2] - 2025-01-20
Very minor tweaks, polish, and fixes.
### Added
- Add account select and display of account information on the Debug
PaG page.
- Add debug log of kid on ACME signed POSTs.
- Indent debug PaG json.
- Add help link to Debug PaG page.
### Fixed
- Don't require EAB fields to be populated for Account registration. If
an Account was previously registered it will already be bound and thus
does not need to be bound again.
- If Debug PaG URL has an invalid account id, page will redirect to the
Accounts page.
## [v0.24.1] - 2025-01-15
Bug fixes.
### Added
- Add link to the debug PaG page in frontend (rather than only having it
as a hidden page accessible only via typing in the URL path).
### Fixed
- Fix change password functionality for local `admin` user.
- Fix error checking when evaluating if an ACME Server returned an ACME
type error. This really wasn't causing issues but was discovered while
working with the new Debug PaG page.
- Fix frontend PaG page so an ACME Server error is not returned as an
error to the frontend. Instead frontend should receive an OK response
containing information about the ACME Server error response.
## [v0.24.0] - 2025-01-11
This release adds a number of new features and fixes.
### Added
- Add OIDC support.
- Added tracking of last API access for keys and certs.
- Added `/v1/acmeaccounts/:id/post-as-get` route and a hidden frontend
page. The form allows using PaG to a resource for troubleshooting
purposes.
- Add language detection efforts for Accept-Language header. Always include
sane fallback and default values.
### Fixed
- Couple of dependency updates related to security.
- Improve some error messages relating to directory fetching.
- Improve validation of acme-dns config.
- Make frontend explicitly check session expiration at login. This fixes
an issue where clock skew makes the login succeed but then returns
the user to the login page.
### Changed
- Change frontend date/time to show the date and a tooltip that includes
the time.
- Increase access token validity to 4 minutes, up from 2 minutes.
- Remove custom http.Client package. Instead, use a custom round tripper
to accomplish the same thing.
- Overhaul `auth` package functionality.
### Removed
- Remove all references to old application name and remove all backward
compatibility.
## [v0.23.0] - 2024-12-07
This release adds a few new features.
### Added
- Add PFX download route (https://www.certwarden.com/docs/using_certificates/api_calls/#get-pkcs12-pfxp12-with-certificate-chain-and-private-key).
- Add challenge domain aliases (https://www.certwarden.com/docs/user_interface/providers/#domain-aliases).
- Add more detailed error messages and display them to the user.
## [v0.22.3] - 2024-11-26
Minor updates and fixes.
### Added
- Log error when failing to write the `env.js` file.
- Add some initial code for alias support.
- Add `oath-toolkit-oathtool` dep for acme.sh.
### Fixed
- Fix possible nil deref when serving the https certificate.
- Update gomarkdown pkg to address alert.
- Update goland-jwt pkg to address alert.
### Changed
- Update to go version 1.23.3.
- Update to node version 18.20.5.
- Update `acme.sh` to version 3.0.9.
- Set default `env.js` to the actual defaults. Some users have run into issues
writing this file, so this will bandaid the situation somewhat.
## [v0.22.2] - 2024-09-29
Update Vite to address some security issues.
## [v0.22.1] - 2024-09-07
The auto ordering logic was updated to make Cert Warden more friendly to all ACME
servers (instead of focusing on Let's Encrypt). Renewal time is now calculated
based on the percentage of a certificate's validity that is remaining instead of
a static number of days. A tooltip was added to easily see this information in the
Dashboard. Eventually the ACME Renewal Information (ARI) Extension will be used
but since the relevant spec is not yet finalized, I have chosen not to implement
it yet.
### Added
- Add tooltip on frontend Dashboard when hovering over the days until expiration.
Tooltip shows percentage of validity remaining and the anticipated automatic
renewal date.
### Fixed
- Updated grpc dependency on backend. I don't believe the issue actually
impacts Cert Warden but the update was done anyway.
### Changed
- Change auto ordering (i.e., renewal) logic. Instead of a fixed number of
days remaining, calculate when 1/3 of the certificate's validity remains
and then place the new order. For extremely short dated certificates, a
backstop value of 10 days is used and if validity drops below that regardless
of percentage, a new order will be placed.
- Update frontend expiration days coloring to match the same logic as backend.
Warning color is used when a cert is within a week of renewal and red is used
when renewal is imminent or overdue.
- Convert backend Order object time int members to time.Time.
- Overhaul frontend Flag component to separate logic out for different flags.
- Update pagination package so default value will return all results from the db.
- Update axios to 1.7.4 and vite to 5.4.0.
- Tighten some linting rules and lint accordingly.
- Use math/rand/v2 in safecert package.
### Removed
- Remove `valid_remaining_days_threshold` config option in favor of new
certificate renewal logic.
- Remove some dead validTo/validFrom code in backend.
## [v0.22.0] - 2024-07-11
> [!IMPORTANT]
> Old API routes using the `/legocerthub` prefix were previously
> deprecated but are now completely removed. Anything still using the
> old routes after upgrade will break.
> Additionally, the `legocerthub` docker builds will no longer be
> updated. Builds starting with this version will only be posted under
> `certwarden` on both GitHub and DockerHub.
This release removes some old remnants of LeGo CertHub and also adds some
minor features.
### Added
- Add ability to specify the desired Root Certificate for a certificate.
This option was added under the CSR of a Certificate and behaves the
same way as Certbot's `--preferred-chain` flag.
- Add confirmation dialog for certificate order revocation. Additionally,
the confirmation dialog allows specifying a revocation code.
- Add a button on the frontend edit account screen to easily copy the
account URL.
### Fixed
- Fix footer theme icon to correctly use my custom component.
### Changed
- Changed orders table to show the root cert's Common Name moving
forward. Since this information was not parsed in previous versions,
it will not be displayed on existing orders, only on orders fulfilled
in this version and later.
### Removed
- Remove old `/legocerthub` redirect routes. This will break anything
still using the old routes.
- Disable posting of new docker builds under the old `legocerthub`
name.
## [v0.21.6] - 2024-07-02
Minor updates and fixes.
### Added
N/A
### Fixed
- Fix percentage formatting in `dns_checker` debug messages.
- Fix key pem formatting. In rare cases, an extra blank line was added
incorrectly.
- Update a few dependencies to address Dependabot alerts.
- Fix backend mod file to properly set Go `1.22.4`.
### Changed
- The key pem formatting function was tweaked for code clarity and is
likely a little more robust now as a result.
- Update Node JS to 18.20.3.
- Update Alpine to 3.20.
### Removed
N/A
## [v0.21.5] - 2024-07-02
Removed due to issues with Go 1.22.5.
## [v0.21.4] - 2024-06-13
Minor updates and fixes.
If you are coming from <0.21.0, please read the warnings on 0.21.0.
### Added
- Add better async order fulfillment. This was already supported but
the additional changes make it more robust. If you have the
`debug` log level set you will see more API calls to the remote
ACME server.
- Add more robust checking of downloaded certificate chains. Also
lay the groundwork for preferred chain selection in a future
version. Add some additional log messages related to this.
### Fixed
- Fix linux install script and service files.
### Changed
- Update some log messages for clarity.
- Update to Go 1.22.4.
- Minor code cleanup for var type and name clarity.
- Change some usage of ToLower to EqualFold instead as a better
coding practice.
- Update `braces` pkg.
### Removed
N/A
## [v0.21.3] - 2024-05-17
Minor updates and fixes.
If you are coming from <0.21.0, please read the warnings on 0.21.0.
### Added
N/A
### Fixed
- Fix default certname. The app was looking for `certwarden` instead
of `serverdefault`.
- Fix various issues in dependencies.
### Changed
- Update to Go 1.22.3.
- Update all dependencies (backend and frontend).
### Removed
N/A
## [v0.21.2] - 2024-05-07
Minor updates and fixes.
If you are coming from <0.21.0, please read the warnings on 0.21.0.
### Added
- Always show Account URL. Some ACME providers (like Let's Encrypt)
allow CAA records that specify specific account(s) that are allowed
to issue certificates. Make the account URL always visible to make
it easier to generate such records.
- Add refresh Account button on the edit account page. The button
queries the ACME server for the current state of the account and
saves it to Cert Warden.
- Add debug log message that lists which dns servers dns_checker is
configured to use.
### Fixed
- Update net package to address a dependabot alert re: http/2.
- Fix some file downloads having duplicate extension in the name of
the file (e.g. `.pem.pem`).
- Fix retry after badNonce error for some ACME servers. (This is not
a Cert Warden bug. Some ACME servers apparently don't follow the
spec for how to handle badNonce. This fix allows Cert Warden to
handle these non-compliant servers. Cert Warden will log a warning
when this happens and the issue should be reported to the maintainer
of the non-compliant server.)
- Fix some error messages printing in a garbled format.
### Changed
- Minor API path rename for account registration.
- Minor styling changes in nonce manager.
### Removed
N/A
## [v0.21.1] - 2024-04-19
Minor updates and fixes.
If you are coming from <0.21.0, please read the warnings on 0.21.0.
### Added
- Add ability to use = (equal sign) in environment param values.
### Fixed
- Fix environment param name and value checking. Be more strict about
what is allowed in a param name. Make the frontend logic match the
backend logic exactly.
- Fix environment params slice not properly stripping quotes.
- Fix time parsing of old backup file names. (If you saw a bunch of
`warn` messages in your logs about backups and times, this is the
fix.)
### Changed
N/A
### Removed
N/A
## [v0.21.0] - 2024-04-15
LeGo CertHub has changed to Cert Warden! This was done to avoid confusion
due to name overlap with another project. As part of this transition, a
number of things changed. I made efforts to make this upgrade cause
little to no pain, but there are changes that could trip you up.
> [!CAUTION]
> You should not perform this update in an unattended fashion. Something
> might break and you may need to make tweaks. If you have problems,
> please open an issue or post on the forum.
Compatibility Notes:
- Names of binaries, install, and upgrade scripts have changed. This includes
the default paths and user name. If you're using a build outside of docker,
you may need to update your local service to match the new file names.
Review the changes in
https://github.com/gregtwallace/certwarden-backend/blob/master/scripts/linux/install.sh
https://github.com/gregtwallace/certwarden-backend/blob/master/scripts/linux/upgrade.sh
and
https://github.com/gregtwallace/certwarden-backend/blob/master/scripts/linux/legocerthub.service
- The Cert Warden Client route was changed. The server will attempt to
post to the old route if the new route 404'd.
- The sqlite db was renamed to `appdata.db`. The old file should be
automatically renamed on first start.
- The default certificate name this app uses has changed from `legocerthub`
to `serverdefault`. The db version will be updated on first start and if
one named `legocerthub` exists, it will be renamed to `serverdefault`.
- The basepath for the app and api changed from `/legocerthub` to
`/certwarden`. Redirects are in place (for now) but you should update
clients ASAP. A warning will be logged on the server any time a legacy
path is accessed. The warning includes the IP of the client so you
can go fix it.
- Log and backup filename prefixes were changed but the old files should
still be accessible and viewable as if they had the new 'correct' name.
Most of the backwards compatibility bandages will be removed in a later
version. Please update clients asap to avoid future issues.
### Added
N/A
### Fixed
N/A
### Changed
- Update to Vite 5 and use the new CSP injection feature (instead of the
custom implementation previously used).
- Update to Go 1.22.1 and Node 18.20.2.
- Update a number of other dependencies.
- DB schema version changed from 5 to 6. The schema didn't actually change
but this was done to help with the name change migration.
### Removed
N/A
## [v0.20.4] - 2024-03-25
Minor updates and fixes.
I plan to rename this project. Please let me know if you have any ideas!
See: https://community.letsencrypt.org/t/new-client-lego-certhub/215010
### Added
- Add basic validation to frontend when editing environment variables, as
well as an error message specifying the correct format.
### Fixed
- Fix email validation on frontend (thanks @oliverl-21).
### Changed
- Overhaul environment variables for providers and certificates. These can
now have quotes around the name, value, both, or neither and still work
correctly. This was done as this format is common to other tools when
setting these.
- Certain fields are no longer redacted when output (e.g. API Keys).
They are still redacted in the logs though.
- The go-acme provider will now use the system default DNS server(s)
instead of Google (if they can be determined, which they should be on all
OSes).
- Update go jose, protobuf, and do go mod tidy.
- Update axios and follow-redirects.
- Update some func names on backend pem output. This is in preparation to
add output in other formats (e.g., pfx).
- Update frontend copyright notice to 2024.
### Removed
- Removed provider config preview when viewing the page that shows all
providers. Edit a provider to see the full config.
## [v0.20.3] - 2024-03-06
Update to Go 1.22.1, which includes some security fixes.
## [v0.20.2] - 2024-03-05
Minor release that adds OCSP stapling and fixes a graceful shutdown bug.
### Added
- Add OCSP stapling to the certificate that LeGo serves to clients
connecting to it.
### Fixed
- Fix auth session cleaning service. Timer had a bug that stopped it from
running and also caused graceful shutdown to hang.
### Removed
- Removed some unused dead code and vars.
## [v0.20.1] - 2024-03-01
Hotfix to prior version.
## [v0.20.0] - 2024-02-29
This release breaks up the work being done to fulfill certificates and the
work that is done after they are fulfilled (post processing). This is done
to make it more clear what work is being done. It is also with an eye to
potential future functionality to allow canceling and rescheduling of jobs.
I have not yet decided what to do in that regard though.
It also adds an Extra Extensions option to certificates' CSRs. Certain ACME
Servers may support Extra Extensions on certificates and this allows the
user to specify desired extensions. There is a built-in button to add the
OCSP Must Staple extension. Note: Servers may or may not honor extensions
on the CSR and if they don't honor them, they may still continue and issue
a certificate without them. This is advanced functionality and your mileage
may vary. You should confirm what your ACME Server does and does not
support and verify that the resulting certificates that are produced
actually match your expectations.
### Added
- Add separate post processing work queue to clearly separate this work
from certificate order work.
- Add support for additional certificate extensions. There is also a
button to add the OCSP Must Staple extension.
- Add help link to the CSR section of certificates.
### Fixed
- Fix missing field in form field func in frontend code.
- Fix integer checking on frontend. Prevents things like page number `2.5`
from being interpreted as `2`.
### Changed
- Move SafeMap to its own package.
- Some minor code cleanup in a couple areas removing unused vars / code.
- Don't include blank CSR fields as part of the CSR. Reduces size of the
CSR that is transmitted to the ACME Server.
## [v0.19.2] - 2024-02-24
Minor bug fix.
### Fixed
- Fix safe map read which caused bug in http-01 internal server.
## [v0.19.1] - 2024-02-18
Minor bug fix.
### Fixed
- Fix broken 'submit' button on edit account page. It looks like this
was introduced during the conversion to TypeScript.
## [v0.19.0] - 2024-02-17
This version adds help links to the official documentation on most pages
of the frontend app. There are also a couple of minor bug fixes and
dependency updates.
### Added
- Help links on most frontend pages.
### Fixed
- Fix possible memory leaks from time.After() calls.
- Fix missing field error related to go-acme le-go.
- Update follow-redirect package to fix CVE-2023-26159.
### Changed
- Update to Go 1.22.
- Update to Node 18.19.0.
- Update to math/rand/v2 standard library.
- Update github actions for Node.js 20 versions.
- Update docker container to Alpine 3.19.
- Shorten application binary name in docker container.
## [v0.18.4] - 2024-02-02
Minor updates.
### Added
- Add post processing variable names for custom environment variables. Instead
of being forced to use `LEGO_CERTIFICATE_COMMON_NAME` the string
{{CERTIFICATE_COMMON_NAME}} can be used as a value in a custom named
variable. This allows more versatility in post processing.
- Add ability to run binaries in post process, in addition to scripts.
### Fixed
- Fix issue where time might print strangely in log message about
auto-ordering.
- Fix wrong tooltip over the ignore update X button.
- Fix frontend form validation on provider domains. Wildcards are not allowed
on providers as the domain is already assumed to include all subdomains,
including wildcard subdomains. The backend already properly validated this
but the frontend did not.
### Changed
- Update Vite to 4.5.2.
## [v0.18.2] - 2024-01-11
Minor updates.
### Added
- Add new API route to download key, cert, and certchain all in one file.
- Add ability to view all DNS names on any given order.
- Docker: Add timezone support (use the TZ environment variable).
### Changed
- Change key name display on a given order to show an icon instead of the
long name, with a tooltip containing the key name. Clicking the icon
still navigates to the key.
## [v0.18.1] - 2024-01-06
Minor fixes to prior release.
### Fixed
- Fix backend post to LeGo client.
- Fix missing field error on frontend.
## [v0.18.0] - 2024-01-05
This release is pretty beefy with a number of significant code changes. Of
most interest to users is the addition of support for EVEN MORE dns providers
thanks to the integration of go-acme/lego.
DNS providers supported by the new provider option:
https://go-acme.github.io/lego/dns/
I'm also working on a client container that can receive certificate updates
and restart designated docker containers (so they pick up new certs). The
code for the client is available at
https://github.com/gregtwallace/certwarden-client
but builds aren't yet published and use is not yet recommended unless you
really want to live on the bleeding edge.
### Added
- Add go-acme le-go provider type. This adds even more dns provider options.
- Add LeGo Client post processing option. Causes the db to upgrade to user
version 4. The client is still under development and compiled versions are
not yet posted.
### Fixed
- Fix possible provider update having a nil-deref if sending API payload
without a config.
- Fix expiration check when trying to manually run post-processing. The wrong
expiration was previously being used causing post processing to fail if the
order was over ~1 week old.
- Fix logging during challenge checking for valid/invalid. There was a bad
variable.
- Update some dependencies to address possible vulnerabilities.
### Changed / Improved
- Decoupled domains from provider configs. Providers do not need knowledge of
the domains. No changes to the config.yaml file though, this was just some
code cleanup.
- Simplify provider manager code a little bit by getting rid of an unneeded
map.
- Rollback cloudflare api package as a test to observe impact in pprof. This
should have no user facing impact.
## [v0.17.3] - 2024-01-02
Minor fixes.
### Added
- Add ability to specify different provider(s) for subdomains. This allows
provider A to service example.com but use provider B for sub.example.com.
### Fixed
- Fix nil deref during automatic backup of app prior to config file version
upgrade.
- Fix mismatch of domain to provider in case where domains have overlapping
names (e.g. testexample.com would have matched to example.com).
- Several possible CVEs addressed via dependency updates and Go version
update to 1.21.5.
## [v0.17.2] - 2023-12-30
Minor fixes.
### Fixed
- Fix spawning of zombie `ssl_client` process in docker container.
- Fix label on private key API Key showing as `old` even though it is the
only API Key.
## [v0.17.1] - 2023-12-21
Minor fixes to the prior release.
### Fixed
- Ensure backup folder gets created.
- Fix possible hang of shutdown during failed backup waiting to retry.
- Fix post processing logging so it is more clear what's going on.
## [v0.17.0] - 2023-12-20
This release adds backup functionality. It also adds the ability to run
a script on the server after the successful completion of certificate
creation or renewal.
### Added
- Add backup functionality both to store locally on disc and to download
to client. Automatic backups are enabled by default but backup settings
can be changed in the config file. See the config example, change log,
and default for more info.
- Add post-processing script options to certificate. If you want to push
new certificates to clients you can use a script on the LeGo server to
do so and specify the script path and environment variables in the
certificate settings.
- Add post-processing button to certificates' orders. Useful for testing
post processing is working without having to repeatedly order new
certificates. This can also be used to rollback to previous orders, if
needed.
### Changed / Improved
- Relocate db and config file to ./app sub folder of main data folder.
Files will be moved automatically from the previous location.
- Cloudflare now permits wrong config. This is so the app still starts
even if the internet is down. To compensate, log messages are clear in
the logs to highlight the problem.
- Allow non-existent scripts in dns01manual method. This is to allow
configuration before the script is in the folder and also to avoid
failures to start if a file gets moved. Errors will be logged
accordingly.
- Make grids on front end look a little nicer.
### Fixed
- Fix frontend idle logout. The timer was not properly resetting so early
timeout would trigger.
### Removed
- Remove notice about Let's Encrypt on the ACME Servers page. Support is
more general now, so no need to warn.
## [v0.16.3] - 2023-12-13
> [!CAUTION]
> You need to upgrade to this release **IMMEDIATELY** if you are running
> version 0.15.1 through 0.16.2. These versions contain a critical
> security flaw which potentially allowed unauthorized access to private
> keys.
The sole change in this release is addressing a critical security flaw.
Depending on the sensitivity of your environment, the most secure action
after updating your version is to revoke all your certificates, rotate all
of your account private keys, and reissue all of your certificates with
new keys.
If you're just running a home lab or have access denial measures in
place to prevent access to your server, this is almost certainly overkill.
I have been running these versions too and all I am doing is rotating
my account keys as an extra precaution.
You can also manually review your logs between installation of 0.15.1
and now to see if the keys were actually downloaded by an unauthorized
client.
This vulnerability did not allow access to any other sensitive
information such as the config file, API keys, etc. Only the download of
private keys was impacted.
### Added
N/A
### Changed / Improved
N/A
### Fixed
- Fix critical security vulnerability that allowed unauthenticated
clients to download sensitive files.
### Removed
N/A
## [v0.16.2] - 2023-12-05
> **Warning**
> This release fixes a security issue where the wrong permissions
> were set on the database and config files. Please manually verify
> your ./data/config.yaml and ./data/lego-certhub.db are set to
> 0600 (RW for owner only).
Release to address the security issue in the warning and ensure files
have the proper permissions set on creation.
Also a doc fix and install script fix.
### Added
N/A
### Changed / Improved
N/A
### Fixed
- Fix security issue where db and config might not be created with
the proper permissions (0600).
- Fix Linux install script. Empty config file causes an error so just
let LeGo create the file on first run.
- Update config example, defaults, and change log to include info
about the pprof change in the last release (oops, forgot).
### Removed
N/A
## [v0.16.1] - 2023-12-03
A laundry list of fixes and improvements.
Note: The config schema will update from 2 to 3 due to a change in the
pprof port config variable.
### Added
- Add exponential backoff and retry for a number of functions (acme
directory refresh, dns record checking, acme order processing and
challenge solving).
- Add more detailed error for when actions run with an empty acme
directory (i.e. the directory url is currently failing).
- Add automatic config backup before writing automated schema updates.
- Add automatic db backup before writing automated schema updates.
- Add security headers and access logging to pprof server.
### Changed / Improved
- Improve acme post signed debug logging to be more helpful in the
event troubleshooting is needed. Items are now logged before they are
encoded (encoded items are not easily readable by a human). Log the
unencoded payload and destination, indent server responses before
logging, and add logging for csr common name and dns name on finalize
action.
- Make acme error type more straightforward.
- Improve acme post signed logic.
- Improve order fulfillment logic.
- Cap order fulfillment at 2 hours before failing (instead of a set
number of loops through the logic).
- Do not allow order actions if the certificate form above has changed.
This is intended to prevent accidentally doing an action with stale
(unsaved) data.
### Fixed
- Fix pprof with HSTS header by having pprof also run in https mode
when server has a valid cert. As a result, config now has a
separate port option for http and https. Also add the new default
port to Docker files.
- Directory refresh edge case that could result in double refresh.
- Ensure app doesn't shutdown before challenge record deprovisioning
is complete.
- Use proper errors Is and As instead of assertions and plain
comparisons.
- Use proper error types for error comparisons (e.g. Cloudflare
dns record already exists error and dns check error is not found).
- Fix default permissions on db when creating new.
- Fix frontend cert revoke button color.
- Fix showing a priority on idle workers on the frontend. Priority
should be blank since there is no job.
- Fix Place New Order button not being disabled during an action.
### Removed
- Remove redirect to frontend root on login timeout. This was added in
the last update and is just kind of annoying without much benefit.
## [v0.16.0] - 2023-11-25
The frontend has been completely updated to TypeScript with full type
safety. This involved a ton of code changes, please report any issues.
If you experience something breaking, the previous version has the same
config and database versions, so report the issue and downgrade both
the frontend and the backend binary to the previous version.
### Added
- Add redirect if invalid page is specified when viewing a table of
things (e.g. keys, certs, etc).
- Add redirect of any frontend path when logged out to the main root
path.
### Changed
- Complete overhaul to implement TypeScript.
- Overhaul backend responses to be more detailed and consistent.
- Update contexts and hooks on frontend for a little bit more sanity.
- Updated input handler to use recursion and support any depth object.
Also changed methodology of the handler to make it compatible with
type safety.
- Show success or error message on password change.
- Update frontend server url validation to confirm only valid
characters in addition to https.
- Submit button on forms is always enabled.
- Use regex for field name matching to look up value type and error
message.
- Remove some info from displaying on providers summary page. To get
all of the details, click into 'Edit'.
- Update type for validation errors and method of recording errors.
- Update frontend dependencies.
### Fixed
- Update Axios version to address a security issue.
- Show success or error message on password change.
- Fix sorting of account list by environment column.
- Add missing CSR 'State' field.
### Removed
N/A
## [v0.15.2] - 2023-11-06
This release is quality of life. It mainly addresses things related to
logging.
### Added
- Info log logout success.
### Changed
- Tweak wording on frontend describing the order queue.
- Reorder CSP params.
- Rename error handling middleware to not use the word error.
### Fixed
- Fix inaccurate info logging of certain information when serving the
frontend. This was creating log clutter that should only be in debug.
- Fix CSP whitespace on default policy.
- Fix typing of json response Message field.
### Removed
N/A
## [v0.15.1] - 2023-10-31
This release is mostly quality of life improvements. Various security
mechanisms are fine tuned and some minor bugs are fixed.
### Added
- Add Referrer-Policy and set to no-referrer.
- Add more security headers to all server responses.
- Use nonce for styles in Content Security Policy by setting on a meta
property and using some crafty on the fly code tweaking when the backend
serves the relevant js file.
### Changed
- Tighten up Content Security Policy.
- Rewrote backend middleware logic to make code easier to follow and to make
it easier to adjust middlewares moving forward.
- Don't use CORS on 404 error.
- Secure change password and logout routes with access token. (This was
secure before, the logic is just more consistent now.)
- Simplify backend logout logic.
- Auth minor code cleanup for clarity.
- Rename refresh token to session token and update references to 'session'
for consistency.
- Update dns_checker log messages.
- Use full base64 character set for nonce generation.
- Simplify (streamline) frontend useAuth hook.
### Fixed
- Fix broken checkbox when editing an ACME Server.
- Fix Vary header usage logic for download.
- Update auth log message format to match new format.
- Add proper fallback options to Content Security Policy.
- Fix retry logic on frontend during access token refresh (fewer unneeded
retries will occur).
### Removed
- Remove nonce from scripts in Content Security Policy and only allow
'self' in script Content Security Policy.
## [v0.15.0] - 2023-10-23
> **Warning**
> You must ensure your config.yaml is at least config_version: 1 prior to
> installing or LeGo will not start.
Note: If you are new or don't have a config.yaml, one will be created for
you on the first run of LeGo.
Moving forward LeGo will enforce config_version but will migrate seamlessly
unless there are notes to the contrary. Notes will include specific needed
actions. To assist with changes across versions, all releases now include a
config.changelog.md which notes all changes, not just breaking changes.
If you are already on the previous version (0.14.1) you can just manually
insert `config_version: 1` without any other changes. You should still
review the config default and example to ensure you have the options you
want.
This version also includes a bunch of other features, most of which revolve
around adding more security to LeGo.
### Added
- Create config.yaml if one does not exist.
- Add strict enforcement of config.yaml schema version.
- Add auto update schema from 1 to 2. Older version 0 or unspecified
version will need manual intervention (at a minimum config_version
will need to be added).
- Add HTTP Strict Transport Security (HSTS) header by default. Config has
an option to disable the header (`disable_hsts`).
- Add relatively strict `Content-Security-Policy` header, including nonces
on scripts. Vite does not yet support nonces for style but I will add
it later when it does.
- Add headers to prevent MIME type sniffing and iframes.
- Add `frontend_show_debug_info` config option to set frontend to show
debug info and do some console.logging.
- Add ability to clear the update notification from the left side
navigation bar.
- Add logout tooltip.
- Add theme toggle tooltip.
- Add data-preload on style, script, and link tags.
- Add timeout context on Cloudflare API calls.
- Include config.changelog.md in releases. This file details changes to
config.yaml over time.
### Changed
- Move theme toggle to just an icon in bottom right corner in footer.
- Rewrite frontend file handler on the Go backend. Needed to provide
more consistent headers and nonce support.
- Update to Go 1.21.3, Node 18.18.2, and Vite 4.5.0.
- Update all other dependencies in frontend and backend.
- Update acme.sh script to 3.0.7 (adds a couple more dns providers).
- Update Cloudflare provider to utilize newest Cloudflare Go api.
- Some minor code cleanup.
- Rename `cors_permitted_origins config option` to
`cors_permitted_crossorigins`.
- Minor navbar restyling.
- Change status/new version information and update frontend to properly
show the changed information.
- Redact certain sensitive information when the frontend is set to log
debug info to the console.
### Fixed
- Fix accidentally allowing all cross-origins by default. If no origins
are specified, CORS is disabled.
- Explicitly set dockerbuild tool versions so binary releases and docker
releases are built in the same way.
### Removed
- Removed dockerfile generation of empty config file. This is now handled
by the backend when it runs for the first time.
- Remove frontend Settings link to backend URL. Link just goes to a 404
so there isn't really a point.
- Remove Roboto font include and move it to external files.
## [v0.14.1] - 2023-10-17
There are two significant updates in this version. The first is the removal
of dev mode and related feature disablement over http. This provides more
configuration flexibility (e.g. behind a reverse proxy) but does give up
some security. Users are trusted to choose what is right for them.
The other major update is the addition of the ability to review orders
that are in progress or queued up to be worked. The new section "Order
Queue" shows both orders actively being worked by a worker and also
orders awaiting an available worker. The list of orders show under edit
certificate also reflects if a particular order is already in the queue
and the "Retry" button is disabled if the order is already queued up. This
feature should eliminate some of the "guessing" about what LeGo is doing
in the background without having to look through the logs.
### Added
- Add ability to view orders currently being worked on and queued to be
worked on when a worker is available.
### Changed
- Update worker log messages to include worker number.
- Return 404 for bad routes instead of 401.
- Frontend dev mode replaced with show/log debug info. This is set by the
backend if log level is debug.
- Change some minor styling on frontend.
- On frontend edit certificate, update order status to reflect information
if the order is in the order worker queue.
### Fixed
- Fix border colors on input array of objects of text fields.
### Removed
- Remove dev mode.
- Remove disabling of certain functions when server is running over http
(instead of https).
- Remove password complexity requirements.
## [v0.14.0] - Skipped
## [v0.13.1] - 2023-10-12
This release adds the ability to add, edit, and delete providers via the
frontend GUI. It is now possible to setup LeGo without manually editing
the config file. You should still check the config example to see if you
need or want to set any of those options.
### Added
- Add ability to add, edit, and delete providers via the GUI and without
having to restart LeGo.
- Add example config to release packages and docker image. This should
have been added last version.
### Changed
- If dns_checker can't properly configure dns servers, fallback to sleep
for 2 minutes. This is to avoid app start failure in this instance and
instead to use a reasonable alternative. An error is still logged.
- Change deprecated substr func to substring func.
- Set 'Revoke' button on certificate orders to be red.
- Don't redact acme-dns provider info. It isn't sensitive enough to
justify the additional complexity.
- Always log some basic info when orders are placed and completed.
Previously this was only showing at debug log level.
### Fixed
- Fix sometimes non-unique key on GUI display of provider config.
- Fix handling of redacted info when it is POSTed.
### Removed
N/A
## [v0.13.0] - 2023-10-10
> **Warning**
> Please read as there are breaking changes requiring manual intervention.
1: LeGo config MUST be updated using the new provider format which includes
specifying domains. See the example config file. A wildcard provider can also
be configured (single domain of *) and LeGo will use this provider if there
is no provider configured for a given domain. If you only use one provider,
you should add the wildcard domain and you're done.
2: Domain arg has been removed from dns manual scripts. Domain cannot be reliably
determined and as such it has been removed. This caused the position of the args
for these scripts to move and your scripts will need an update if you use this
method.
3: Removed redirects from old paths. When LeGo added the base path /legocerthub
old routes at base / were given redirects to prevent breakage. These redirects
are now removed and any clients using the old paths will need their scripts
updated.
This release does away with the need to select a challenge provider for each
certificate. It also has several tweaks and minor fixes.
The groundwork is also in place to add/edit/delete providers via the GUI. This
will be added in a future version.
### Added
- Add environment output on sample dns scripts.
- Add backend functionality to modify providers while server is running via
routes. Frontend modification not yet added.
- Add ability to view providers in the frontend.
### Changed
- Update to logging of some debug info.
- Separate default config from example config to make it more apparent what the
default settings are.
- Reduce API key length from 48 to 32. This is based on an entropy calculation
and still provides adequate security.
- Move ACME Servers to side bar in frontend navigation.
- Update config version from 0 to 1 (see notes above).
- Code clean up in several spots.
- Clarified various log messages.
- Clean up and streamline logic for form handling on frontend, including
common input handler.
### Fixed
- Do a better job of redacting certain sensitive information in debug logs.
- Fix api keys form unchanged calculation.
- Add openssl to dockerbuild (needed for acme.sh).
- Fix usage of access_token by frontend.
- Fix manifest paths.
### Removed
- Remove need to select a challenge method. Instead, domains are configured
and LeGo automatically selects the correct provider based on the domains
in the certificate.
## [v0.12.6] - 2023-08-20
Releasing solely to fix importing of private keys via the frontend UI.
There are other minor changes but they are so minor they probably aren't
relevant to users.
### Added
N/A
### Changed
- Generic-ify SafeMap (minor code clean improvements).
- Minor update to handling of empty acme time in Order object NotBefore
and NotAfter fields.
- Verify session is still valid before refreshing a session. This was
already being done, but made it more explicit.
### Fixed
- Fix private key import via frontend UI.
### Removed
N/A
## [v0.12.5] - 2023-08-11
This release adds shutdown and restart functions. Otherwise, it mainly
fixes some minor bugs and optimizes some code.
Config Note: 'private_key_name' is no longer a config field. The key
is now derived from 'certificate_name'.
### Added
- Add shutdown and restart routes with buttons in frontend to trigger
those routes.
### Changed
- Update some route names.
- Update LeGo https certificate reload logic to no longer require a go
routine. LeGo cert will update as soon as it renews.
- Optimize view log handler for better memory footprint.
- Update output package to remove unneeded vars.
### Fixed
- Fix broken log download handler and optimize related code.
- Modify logger so it is gracefully closed on exit, though it is not
perfect due to lumberjack bug:
https://github.com/natefinch/lumberjack/issues/56
- Fix log view handler failing to close file.
### Removed
- Remove LeGo config option for private key. Private key is now derived
from the certificate name.
## [v0.12.4] - 2023-08-08
This release resolves a significant issue with the challenge solver
failing in certain cases involving wild card certificates or multiple
ACME providers.
### Added
- Add an error if user tries to enable acme.sh on a Windows server.
- Add better notes in default config regarding acme.sh options.
- Add shutdown handler for client to trigger LeGo shutdown.
- Make WorkTracker data type for reuse.
### Changed
- Move pprof to its own http server and port.
- Significant overhaul of custom http client to make it more sane.
- Rework how challenge resource provisioning is tracked. Instead of in
each method, centralize in Challenges package.
- Some minor code tidy up.
### Fixed
- Fix when multiple workers are trying to solve Challenges that use
the same resource name. This could cause Orders to fail under certain
conditions. Instead, queue the resources and solve the Challenges
one at a time.
- Make Cloudflare use the app's http Client with the proper settings.
### Removed
N/A
## [v0.12.3] - 2023-08-06
This version is mostly minor fixes. Pprof support is also added.
### Added
- Add pprof support. Default config option has it disabled though.
- On account object output, include EAB and TOS fields for the relevant
ACME server.
### Changed
- Conditionally show EAB fields only when they're needed.
- Only show KID on frontend if debug and it is known.
- Use http.ServeContent to serve zip files.
- Deprecate 'domain' arg in dns01 manual method.
- Set directory refresh to occur at 1am + random minute rather than 24
hours from the last one.
### Fixed
- Fix Cloudflare challenge method failing for domains where the zone has
more than two parts (e.g. some-name.in.ua).
See: https://github.com/gregtwallace/certwarden/issues/22
- Minor code cleanup (move an error, remove an export, and fix a typo).
### Removed
- Cloudflare zone map does not require concurrency protection, so its mutex was removed.
## [v0.12.2] - Skipped
## [v0.12.1] - Skipped
## [v0.12.0] - 2023-07-27
This version brings support for conditional headers. It also cleans up
some of the backend logic and fixes a couple of issues.
### Added
- Add etag header to pem files when they're sent.
- Add last-modified time stamp to pem files when they're sent.
- Add support for request headers if-match and if-none-match.
- Add support for request headers if-modified-since and
if-unmodified-since.
- Add support for request header if-range.
### Changed
- Use http.ServeContent to send pem files to clients instead of previous
Write method.
- Switch to a separate CORS package for ease of use and to ensure proper
specs are followed without having to maintain it myself.
- Overhauled logic in storage and download packages so pem output is a
little more sane.
- Updated output package logging to make it a little cleaner and clarify
some log messages.
### Fixed
- Fixed issue where legacy request api keys would be saved to log.
- Fixed check that always said db needs an upgrade in new version even
when it didn't.
- Added missing x-api-key and apikey headers to CORS list.
### Removed
N/A
## [v0.11.1] - 2023-07-26
The only fix in this update is acme.sh being added to the Docker
container. If you're not using Docker, there is no difference between
0.11.0 and 0.11.1.
### Added
N/A
### Changed
N/A
### Fixed
- Fixed acme.sh not installing into the Docker container.
### Removed
N/A
## [v0.11.0] - 2023-07-25
This release streamlines new certificate creation by allowing simultaneous
key generation. In the new certificate 'private key' drop down, there is a
new option to generate a key. This eliminates the need to make a new key
separately first. The key name, description, and other fields are copied
from what is specified on the certificate.
### Added
- Add ability to generate a key simultaneously with a new certificate.
### Changed
- Set default new key to Generate and ECDSA P-256.
### Fixed
N/A
### Removed
N/A
## [v0.10.5] - 2023-07-22
This update fixes the acme.sh challenge method when running in Docker
container. It also bundles the acme.sh scripts with LeGo so no extra
modifications are needed to use this method.
### Added
- Bundle acme.sh scripts (v3.0.6) with LeGo.
### Changed
N/A
### Fixed
- Fix acme.sh challenge method when running in Docker.
- Fix linux scripts (primarily install and upgrade scripts).
### Removed
N/A
## [v0.10.4] - 2023-07-18
This release mainly upgrades code dependencies.
### Added
- Some default config comments regarding Docker.
### Changed
- Upgrade to Go 1.20.6.
- Upgrade to Node 18.17.
- Upgrade to Vite 4.4.4.
- Upgrade to eslint 8.45.0.
- Upgrade to semver 6.3.1.
- Upgrade @emotion/react ^11.10.6 → ^11.11.1
- Upgrade @emotion/styled ^11.10.6 → ^11.11.0
- Upgrade @fontsource/roboto ^4.5.8 → ^5.0.5
- Upgrade @mui/icons-material ^5.11.16 → ^5.14.0
- Upgrade @mui/material ^5.12.2 → ^5.14.0
- Upgrade @types/react ^18.0.28 → ^18.2.15
- Upgrade @types/react-dom ^18.0.11 → ^18.2.7
- Upgrade @vitejs/plugin-react-swc ^3.0.0 → ^3.3.2
- Upgrade axios ^1.3.6 → ^1.4.0
- Upgrade eslint-plugin-react-refresh ^0.3.4 → ^0.4.3
### Fixed
- Fixed refresh cookie when running in http mode.
- Fixed typo in NODE_VERSION build var.
### Removed
N/A
## [v0.10.3] - 2023-07-05
This release adds the ability to manually edit API keys. This functionality
is intended for advanced users only.
There are also a number of minor bug fixes.
### Added
- Added ability to directly edit API keys. This is generally discouraged
though.
### Changed
- Improved Cloudflare error logging.
- Reorganize file structure of some frontend components.
### Fixed
- Fixed bad app redirect from root path `/`.
- Fixed bad redirect from http to https in certain configurations.
- Fixed sql query for PUT on certs.
- Fixed sql query for PUT on keys.
- Fixed edit cert re-render due to incorrect comparison of subject alt
arrays.
### Removed
N/A
## [v0.10.2] - 2023-06-30
Minor updates including modifying the base path for services so LeGo can sit
behind a reverse proxy.
Ideally you would update all client scripts to include the new base path when
accessing the api (e.g. `/legocerthub/api`), however, redirect routes were
added so this isn't necessary (yet).
### Added
- Add base path of `/legocerthub` for both /app and /api. This allows LeGo to
sit behind a reverse proxy. Redirect routes were added to provide backward
compatibility with scripts calling the old paths (assuming LeGo isn't behind
a reverse proxy).
- Add comments regarding how to configure cloudflare dns challenges.
### Changed
- Cloudflare dns challenge no longer requires specifying zone names when using
an API token. LeGo automatically queries for available zones.
- Cloudflare dns challenge confirms that the proper permission exists (edit dns)
before adding a zone (domain) to the configured list. If the permission is
missing, a warning is logged.
### Fixed
- Modify `netcap` command in linux install and update scripts. Some OSes
will error if the command uses a wildcard.
- Fix typo relating to cloudflare dns challenges in config.default.yaml.
### Removed
- Removed unused var when backend creates environment for frontend.
## [v0.10.1] - Skipped
## [v0.10.0] - 2023-06-19
Primarily this update adds support for custom ACME Servers instead of just
hardcoding Let's Encrypt. This functionality can be found in the web UI
Settings. I've done some testing with Google Cloud but that's about it. LE
is still the most tested provider but feel free to open issues if you run
across problems with others.
Warning: Your database schema will be modified upon install, so make sure you do
a backup just in case.
Warning 2: If you've changed the default ACME server in the last version you
will need to manually edit the database after upgrade to fix the directory
URLs. The upgrade assumes prior use of LE servers and sets those values.
### Added
- Add acme_servers package to manage acme services. This allows users to define
which ACME Servers they want to use instead of just Let's Encrypt.
- Add comments in default config to elaborate on what dev_mode does.
- Add db user_version as part of db creation.
- Add db user_version upgrade logic from v0 to v1 (these changes are to
implement the new acme_servers package).
- Add information on server status and new versions regarding db version.
- Add warning in frontend if new version will update db user_version.
- Add widget in Settings to link to ACME Servers viewing and editing. This is
instead of adding a sidebar link.
### Changed
- Update Vite to version 4.3.9.
- Refactor challenges so storage does not depend on it. This also changes the
logic for who enabled/disabled is reported.
- Don't export Storage service members.
- Modify frontend to reflect changes to backend status and new version reporting.
- Lint Button component.
### Fixed
- Fix a broken error check in certificates.
- Fix frontend password length check to match backend (which was changed last
version).
### Removed
N/A
## [v0.9.4] - 2023-06-02
This fixes the docker health check and http redirect.
### Added
- Add a debug log line for the start up of the dns_checker service.
- Add `/api/health` endpoint. This endpoint does not require authentication and
returns a 204 if the server is running.
### Changed
- Reduce min password length from 10 to 8 characters. This is less secure, please
don't actually do it! If you're doing dev work and want a bad password strictly
for testing, turn devMode on and min length is completely removed.
### Fixed
- Fix docker healthcheck failing. Corrected healthcheck in Dockerfile and also
set it to the `/api/health` endpoint.
- Fix unlikely case where isRefreshing may not properly change back to false on
the frontend if the token refresh errored.
- Fix http redirect in cases where bind address is not the correct browser address.
For example, previously binding to `0.0.0.0` would cause an incorrect redirect to
https://0.0.0.0 rather than the actual server. The new method uses the same
hostname as was in the original request so it doesn't matter what the bind
address is set to or what alias the client is using to connect.
### Removed
N/A
## [v0.9.3] - 2023-05-20
Fixes dns_checker null pointer bug where dns methods don't work if Cloudflare
method was not enabled (even if not using Cloudflare).
### Added
- Add External Account Binding support, though support of alternate CAs is
still considered experimental.
- Add generic error code catcher on ACME calls.
### Changed
- Require email on accounts.
### Fixed
- Fix issue where dns_checker didn't start if dns-01 was being used but
Cloudflare was disabled.
- Fix non-standard account field `createdAt`.
- Fix response processing of account key rollover action.
- Fix issue where frontend would erroneously display a `0` in form footers.
### Removed
N/A
## [v0.9.2] - 2023-05-19
Thanks to those that have made contributions!
### Added
- Build arm64 support both as binary and as docker image.
- Add docker-compose.yml sample to repo.
- Add sample docker build & commands.
- Docker first run includes `config_version` now.
- EXPERIMENTAL: Allow changing of ACME directories in config.
### Changed
- Changed docker binary to match other binaries.
- Made acme.sh temp script name more specific.
### Fixed
N/A
### Removed
- All logging saves to log files now. `log` package has been completely
removed.
- Removed frontend references to Let's Encrypt.
## [v0.9.1] - 2023-05-17
Two additional challenge methods have been added. Most excitingly, if you
clone the acme.sh repo you can use ANY dns provider supported by that set
of scripts without having to edit any scripts yourself.
Support for acme-dns was also added.
You should add `config_version: 0` to your config file as this is a new
check. Nothing will break without it but you will get an error in the log.
### Added
- Config version check to help flag when breaking changes are anticipated
during a version upgrade.
- Support for acme-dns server (https://github.com/joohoi/acme-dns)
- Support for acme.sh (https://github.com/acmesh-official/acme.sh)
- Support for environment variables in dns-01 manual shell scripts.
### Changed
- Change update check display to show time last checked.
### Fixed
- Logging of stderr for dns-01 manual shell scripts.
### Removed
N/A
## [v0.9.0] - 2023-05-13
This release brings a number of changes including an automatic check for new
versions as well as docker support. Please review the config.default.yaml to
ensure you're using all of the desired settings.
### Added
- Added update check that queries a remote json file daily to determine if a
new version is available. Auto update is not part of this and may be added at
a later date.
- Docker support.
- Log app version on start to make logs clear as to which version was running
during an event.
### Changed
- Allow really poor passwords in dev mode (removed min character length).
### Fixed
- Minor type fix in challenges.
- Minor simplification of auth construction.
- Flexbox on navbar.
- Password change error not properly displaying.
- Missing useEffect dependency in main.
### Removed
- Removed 'hostname' config option. Backend now configures the self hosted
frontend with an absolute path so a hostname isn't needed.
## [v0.8.0] - 2023-05-04
> **Warning**
> Please read as there are breaking changes requiring manual intervention.
lego-certhub.db, config.yaml, and the log folder need to be manually moved to
a /data subfolder if coming from a prior release.
You may also need to update your config file:
- 'bind_address' added to specify what address the server should bind to. The
default is blank which binds to all available addresses.
- 'cors_permitted_origins' should be set if you need cross-origin support.
### Added
Backend
- Added 'bind_address' configuration option which defaults to all addresses.
- Added 'cors_permitted_origins' to define permitted origins for cross-origin
requests.
Frontend
- Added highlighting on active navbar route.
### Changed
Backend
- Moved db, config, and log storage to /data subfolder (primarily to make
docker mounting easier).
- Updated cross-origin configuration to better match intent.
- API URL for hosted frontend is based on config 'hostname'. This should be
a dns resolvable fqdn.
- Updated some log messages regarding server start and bind address.
- 'hostname' functionality was clarified.
- Simplified subject validation functions on certificates.
- Did some linting on certificates put function.
Frontend
- Updated ApiError wording.
- Updated navbar components to make a little nicer.
### Fixed
Backend
- Fixed cookie to properly permit cross-origin refresh. If cross-origin is not
configured, cookie SameSite is set to strict for added security.
- Fixed inability for ACME Accounts secured by RSA key to validate DNS
challenges. (https://github.com/gregtwallace/certwarden-backend/issues/1)
Frontend
- Fixed a path that was not properly updated when moving to Vite.
- Fixed auth_expiration management by moving from a cookie to session storage.
- Fixed app rendering where the wrong render would briefly appear before App
had loaded session storage data.
### Removed
Backend
- Localhost is no longer always allowed by cross-origin header.
- Removed some details regarding backend configuration when querying status.
- Removed login expiration cookie.
Frontend
- Removed details related to backend status call change.
## [v0.7.0] - 2023-04-29
Major updates were made to the frontend in this release, including removing
Create React App and replacing it with Vite.
### Added
Backend
- Added tests for validation package.
Frontend
- Defined props with prop-types.
- Added sublabel on text array component.
- Added placeholder message on empty InputSelect fields.
### Changed
Backend
- Log Cloudflare domains at Info level.
- Updated email validation regex and method. Domain piece uses domain validator
and email username is separately validated.
- DNS Manual Script name updated.
Frontend
- Port from Create React App to Vite (CRA is deprecated).
- Moved constants to a separate file.
- Updated paths for navigation when using cancel and submit buttons. Next
destination is now explicit rather than relative.
- Login form clears if backend rejects the login.
### Fixed
Frontend
- Did a ton of linting.
- Fixed issue where Axios errors could cause a loop on logout and also cleaned
up Axios error handling in general.
- Fixed issue where Rollover Account Key would still show loading message even
after loaded.
### Removed
Frontend
- Removed dummy forms.
- Removed duplicative FormError component and replaced with common ApiError
component.
## [v0.6.11] - 2023-03-12
### Added
- Added debug log message when dns checker is configured to skip the check.
### Changed
- Update dependency versions: x/text, x/net, x/time, x/crypto, & go-retryablehttp
- Abort dns checker sleep when configured to skip and shutdown signal is received.
### Fixed
- Patched several CVEs by upgrading dependencies, including CVE-2022-32149,
CVE-2022-41721, CVE-2022-27664, and CVE-2022-41723.
- Add missing error check in Cloudflare challenge provider.
### Removed
N/A
## [v0.6.10] - 2023-03-08
### Added
N/A
### Changed
- Update Go version and move Node and Go versions to global variables in build script.
- Rename DNS example scripts to avoid accidental overwrite.
- Minor code clarification in CORS.
### Fixed
N/A
### Removed
N/A
## [v0.6.9] - 2023-01-29
### Added
- Config option to disable dns checker module. Instead, specify a time to sleep and
then assume dns propagated successfully.
- Manual DNS script challenge validation module. Calls external scripts to create
and remove DNS records. This allows support for any DNS provider. Add example scripts
to show variables available to scripts.
- Add some more config comments on dns checker config.
### Changed
- Better logging for config parsing.
- Better authentication logging for audit trail.
- Better download logging for audit trail.
- Exit on improperly formatted config.yaml
### Fixed
- Fix install and upgrade linux scripts to work when called from any path.
- Fix auto order logic that could sometimes result in the job being called
twice on the same day.
- Include subject in the CSR DNSNames field (not just Alt Names). LE accepted the
previous method but Pebble returns an error without this.
- Frontend: Fix missing Staging Flag in All Certificates.
- Frontend: Fix wrong information in confirm delete certificate Dialog.
### Removed
N/A
================================================
FILE: Dockerfile
================================================
# example build:
# docker build . --build-arg=BACKEND_VERSION=v0.8.0 --build-arg=FRONTEND_VERSION=v0.8.0 -t certwarden:v0.8.0
# example master branch build and export
# docker builder prune -a
# docker build . --build-arg=BACKEND_VERSION=master --build-arg=FRONTEND_VERSION=master -t certwarden:v0.24.5-a1
# docker save -o ./out/cw0.24.5-a1.tar certwarden:v0.24.5-a1
# import into docker
# docker load -i ./cw0.24.5-a1.tar
# example run
# docker run -d --name certwarden -e TZ=Europe/Stockholm -v ./data:/app/data -p 4050:4050 -p 4055:4055 -p 4060:4060 -p 4065:4065 -p 4070:4070 ghcr.io/gregtwallace/certwarden:latest
# Versions - keep in sync with build_releases.yml
# Build-time defaults; override with --build-arg. They are declared before the
# first FROM so they can be referenced in the FROM line of every stage below.
ARG ALPINE_VERSION=3.23
ARG GO_VERSION=1.26.2
ARG NODE_VERSION=24.15.0
# https://hub.docker.com/_/alpine
# https://hub.docker.com/_/golang
# https://hub.docker.com/_/node
FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION} AS frontend_build
ARG FRONTEND_VERSION
WORKDIR /
RUN apk add git && \
git clone --depth 1 --branch "${FRONTEND_VERSION}" https://github.com/gregtwallace/certwarden-frontend.git /src && \
cd /src && \
npm clean-install && \
npm run build
FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS backend_build
ARG BACKEND_VERSION
ARG CGO_ENABLED=1
ENV CGO_CFLAGS="-D_LARGEFILE64_SOURCE"
WORKDIR /
RUN apk add git gcc musl-dev && \
git clone --depth 1 --branch "${BACKEND_VERSION}" https://github.com/gregtwallace/certwarden-backend.git /src && \
cd /src && \
go build -o ./certwarden ./cmd/api-server
FROM alpine:${ALPINE_VERSION}
WORKDIR /app
# acme.sh dependencies
RUN apk add bash
RUN apk add curl
RUN apk add openssl
RUN apk add oath-toolkit-oathtool
RUN mkdir -p /root/.acme.sh
# timezone support
RUN apk add --no-cache tzdata
# copy app
COPY --from=backend_build /src/certwarden .
COPY --from=backend_build /src/config.default.yaml .
COPY --from=backend_build /src/config.example.yaml .
COPY --from=backend_build /src/config.changelog.md .
COPY --from=backend_build /src/scripts/linux ./scripts
COPY --from=frontend_build /src/dist ./frontend_build
COPY ./README.md .
COPY ./CHANGELOG.md .
COPY ./LICENSE.md .
# permissions for scripts (*.sh files only)
RUN find ./scripts -type f -name "*.sh" -print0 | xargs -0 chmod 755
# make default data folder
RUN sh -c "mkdir /app/data"
# defer empty config file generation to Cert Warden on first run (if not manually made by user prior)
# Note: Do not disable http redirect once https is configured or healthcheck will break
HEALTHCHECK CMD curl --silent --output /dev/null --fail http://localhost:4050/certwarden/api/health || exit 1
# http / https server
EXPOSE 4050/tcp
EXPOSE 4055/tcp
# http challenge server
EXPOSE 4060/tcp
# pprof http / https
EXPOSE 4065/tcp
EXPOSE 4070/tcp
CMD ["/app/certwarden"]
================================================
FILE: LICENSE.md
================================================
Personal, private (non-commercial) use of this software is permitted.
All Rights Reserved
Copyright (c) 2022-25 Greg T. Wallace
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
ALL CONTRIBUTIONS TO THIS SOFTWARE SUBMITTED VIA ISSUES, PULL REQUESTS, OR
ANY OTHER METHOD CONSTITUTE A RELEASE OF ANY AND ALL RIGHTS TO SAID
CONTRIBUTION. IN ADDITION TO THE AFOREMENTIONED RELEASE, CONTRIBUTIONS BECOME
GOVERNED BY THIS LICENSE AND ALL RIGHTS ARE RESERVED TO THIS PROJECT'S
COPYRIGHT HOLDER.
================================================
FILE: README.md
================================================
# Cert Warden
Centralized Certificate Management
Conveniently Leverage Let's Encrypt to Secure Your Infrastructure
## More Information
https://www.certwarden.com/
## Download
Binary Releases
https://github.com/gregtwallace/certwarden/releases
GitHub Packages
https://github.com/gregtwallace/certwarden/pkgs/container/certwarden
## Sources
Backend
https://github.com/gregtwallace/certwarden-backend
Frontend
https://github.com/gregtwallace/certwarden-frontend
================================================
FILE: build.ps1
================================================
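# Windows x64 build script.
# Expects the certwarden-backend and certwarden-frontend checkouts to be
# siblings of this script's directory under the parent ("root") directory.
# Output: ./out/certwarden.exe, ./out/config.default.yaml, ./out/frontend_build/

# Stop on the first failing cmdlet instead of continuing with a partial build.
$ErrorActionPreference = 'Stop'

# Parent dir is root
$scriptDir = Get-Location
$rootDir = Split-Path -Path $scriptDir -Parent
$outDir = Join-Path -Path $scriptDir -ChildPath "out"

# /out is git-ignored, so it is absent on a fresh checkout; without this,
# Copy-Item below would create a *file* named "out" instead of a directory.
New-Item -ItemType Directory -Force -Path $outDir | Out-Null

try {
    ## Backend
    Set-Location $rootDir/certwarden-backend

    # Include config example
    Copy-Item -Path $rootDir/certwarden-backend/config.default.yaml -Destination $outDir

    # Mandatory env flag for sqlite
    $env:CGO_ENABLED = 1

    # Windows x64
    $env:GOARCH = "amd64"
    $env:GOOS = "windows"
    go build -o $outDir/certwarden.exe ./cmd/api-server
    # Native commands do not throw on failure; check the exit code explicitly.
    if ($LASTEXITCODE -ne 0) { throw "go build failed with exit code $LASTEXITCODE" }

    ## Frontend
    Set-Location $rootDir/certwarden-frontend
    npx vite build
    if ($LASTEXITCODE -ne 0) { throw "vite build failed with exit code $LASTEXITCODE" }

    # remove old build (absent on first run, so do not treat that as an error)
    Remove-Item -Path $outDir/frontend_build -Recurse -Force -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Force -Path $outDir/frontend_build | Out-Null

    # move to out
    Move-Item -Path $rootDir/certwarden-frontend/dist/* -Destination $outDir/frontend_build
}
finally {
    # Return to original path, even when a step above failed
    Set-Location $scriptDir
}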
================================================
FILE: build.sh
================================================
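#!/bin/bash
# Update the local certwarden-backend checkout and build the API server
# binary in place at $repo/certwarden. Adjust $repo for the local layout.
# -e: stop at the first failing command; -u: unset variables are errors;
# -o pipefail: a failure anywhere in a pipeline fails the pipeline.
set -euo pipefail

repo=/home/greg/certwarden-backend
# install location of Cert Warden (currently not used by this script)
certwarden_path=/opt/certwarden

cd "$repo"
git fetch origin
git pull

# mandatory for the sqlite driver (see build.ps1)
export CGO_ENABLED=1

go build -o "$repo/certwarden" ./cmd/api-server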
================================================
FILE: docker-compose.yml
================================================
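# Cert Warden via Docker Compose.
# All persistent state lives in ./data on the host, mounted at /app/data.
# `version` is obsolete for Compose v2 (ignored with a warning) but is kept for
# older docker-compose releases that require it.
version: '3'

services:
  certwarden:
    container_name: certwarden
    # `latest` is a moving target; pin a release tag for reproducible deployments.
    image: ghcr.io/gregtwallace/certwarden:latest
    restart: unless-stopped
    # Port mappings are quoted so every YAML parser reads them as strings.
    ports:
      - '4050:4050' # server interface (http)
      - '4055:4055' # server interface (https)
      - '4060:4060' # http-01 challenge server (http)
      # pprof debug servers expose runtime profiling data. Outside of active
      # debugging, bind them to loopback only (e.g. '127.0.0.1:4065:4065') or
      # remove the mappings entirely.
      - '4065:4065' # pprof debug server (http)
      - '4070:4070' # pprof debug server (https)
    volumes:
      - ./data:/app/data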
================================================
FILE: version.json
================================================
[
{
"channel": "beta",
"version": "0.29.3",
"config_version": 5,
"database_version": 11,
"url": "https://github.com/gregtwallace/certwarden/releases/tag/v0.29.3"
}
]