[
  {
    "path": ".gitattributes",
    "content": "# shell scripts require LF\n*.sh text eol=lf\n\n# linux service should use LF\n*.service eol=lf\n"
  },
  {
    "path": ".github/workflows/build_releases.yml",
    "content": "name: Build Releases\n\non:\n  workflow_dispatch:\n  push:\n    'tags':\n      - 'v*'\n\nenv:\n  GITHUB_REF: ${{ github.ref }}\n  # Versions - keep in sync with Dockerfile\n  GO_VERSION: '1.26.2'\n  NODE_VERSION: '24.15.0'\n\njobs:\n  build-common:\n    runs-on: ubuntu-24.04\n\n    steps:\n      - name: Checkout Main Repo\n        uses: actions/checkout@v6\n        with:\n          repository: gregtwallace/certwarden\n          ref: ${{ env.GITHUB_REF }}\n          fetch-depth: 0\n\n      - name: Save README\n        uses: actions/upload-artifact@v7\n        with:\n          name: README.md\n          path: ./README.md\n\n      - name: Save LICENSE\n        uses: actions/upload-artifact@v7\n        with:\n          name: LICENSE.md\n          path: ./LICENSE.md\n\n      - name: Save CHANGELOG\n        uses: actions/upload-artifact@v7\n        with:\n          name: CHANGELOG.md\n          path: ./CHANGELOG.md\n\n  build-frontend:\n    runs-on: ubuntu-24.04\n\n    steps:\n      - name: Checkout Frontend Repo\n        uses: actions/checkout@v6\n        with:\n          repository: gregtwallace/certwarden-frontend\n          ref: ${{ env.GITHUB_REF }}\n          fetch-depth: 0\n\n      - name: Setup Node.js\n        uses: actions/setup-node@v6\n        with:\n          node-version: '${{ env.NODE_VERSION }}'\n          cache: 'npm'\n\n      - run: npm ci\n\n      - run: npm run build\n        env:\n          CI: false\n\n      - name: Archive npm failure logs\n        uses: actions/upload-artifact@v7\n        if: failure()\n        with:\n          name: npm-logs\n          path: ~/.npm/_logs\n\n      - name: Save Compiled React App\n        uses: actions/upload-artifact@v7\n        with:\n          name: frontend_build\n          path: ./dist\n\n  build-backend-common:\n    runs-on: ubuntu-24.04\n    steps:\n      - name: Checkout Backend Repo\n        uses: actions/checkout@v6\n        with:\n          repository: gregtwallace/certwarden-backend\n    
      ref: ${{ env.GITHUB_REF }}\n          fetch-depth: 0\n\n      - name: Save Default Config\n        uses: actions/upload-artifact@v7\n        with:\n          name: config.default.yaml\n          path: ./config.default.yaml\n\n      - name: Save Example Config\n        uses: actions/upload-artifact@v7\n        with:\n          name: config.example.yaml\n          path: ./config.example.yaml\n\n      - name: Save Config Changelog\n        uses: actions/upload-artifact@v7\n        with:\n          name: config.changelog.md\n          path: ./config.changelog.md\n\n      - name: Save Scripts (Linux)\n        uses: actions/upload-artifact@v7\n        with:\n          name: scripts-linux\n          path: ./scripts/linux\n\n      - name: Save Scripts (Windows)\n        uses: actions/upload-artifact@v7\n        with:\n          name: scripts-windows\n          path: ./scripts/windows\n\n  build-backend-linux-arm64:\n    runs-on: ubuntu-24.04\n    steps:\n      - name: Checkout Backend Repo\n        uses: actions/checkout@v6\n        with:\n          repository: gregtwallace/certwarden-backend\n          ref: ${{ env.GITHUB_REF }}\n          fetch-depth: 0\n\n      - name: Update apt\n        run: sudo apt update\n\n      - name: Install cross-compiler for linux/arm64\n        run: sudo apt-get -y install gcc-aarch64-linux-gnu\n\n      - name: Set up Go\n        uses: actions/setup-go@v6\n        with:\n          go-version: '${{ env.GO_VERSION }}'\n\n      - name: Build\n        run: go build -o ./certwarden -v ./cmd/api-server\n        env:\n          GOOS: linux\n          GOARCH: arm64\n          CC: aarch64-linux-gnu-gcc\n          CGO_ENABLED: 1\n\n      - name: Save Compiled Binary\n        uses: actions/upload-artifact@v7\n        with:\n          name: certwarden-linux-arm64\n          path: ./certwarden\n\n  build-backend-linux-amd64:\n    runs-on: ubuntu-24.04\n    steps:\n      - name: Checkout Backend Repo\n        uses: actions/checkout@v6\n        
with:\n          repository: gregtwallace/certwarden-backend\n          ref: ${{ env.GITHUB_REF }}\n          fetch-depth: 0\n\n      - name: Set up Go\n        uses: actions/setup-go@v6\n        with:\n          go-version: '${{ env.GO_VERSION }}'\n\n      - name: Build\n        run: go build -o ./certwarden -v ./cmd/api-server\n        env:\n          GOOS: linux\n          GOARCH: amd64\n          CGO_ENABLED: 1\n\n      - name: Save Compiled Binary\n        uses: actions/upload-artifact@v7\n        with:\n          name: certwarden-linux-amd64\n          path: ./certwarden\n\n  build-backend-windows-amd64:\n    runs-on: windows-2022\n    steps:\n      - name: Checkout Backend Repo\n        uses: actions/checkout@v6\n        with:\n          repository: gregtwallace/certwarden-backend\n          ref: ${{ env.GITHUB_REF }}\n          fetch-depth: 0\n\n      - name: Set up Go\n        uses: actions/setup-go@v6\n        with:\n          go-version: '${{ env.GO_VERSION }}'\n\n      - name: Build\n        run: go build -o ./certwarden.exe -v ./cmd/api-server\n        env:\n          GOOS: windows\n          GOARCH: amd64\n          CGO_ENABLED: 1\n\n      - name: Save Compiled Binary\n        uses: actions/upload-artifact@v7\n        with:\n          name: certwarden-windows-amd64\n          path: ./certwarden.exe\n\n  release-file-linux-arm64:\n    needs:\n      [\n        build-common,\n        build-frontend,\n        build-backend-common,\n        build-backend-linux-arm64,\n      ]\n    runs-on: ubuntu-24.04\n\n    steps:\n      - name: Make release directory\n        run: mkdir ./release\n\n      - name: Download Frontend\n        uses: actions/download-artifact@v8\n        with:\n          name: frontend_build\n          path: ./release/frontend_build\n\n      - name: Download Backend Default Config\n        uses: actions/download-artifact@v8\n        with:\n          name: config.default.yaml\n          path: ./release\n\n      - name: Download Backend 
Example Config\n        uses: actions/download-artifact@v8\n        with:\n          name: config.example.yaml\n          path: ./release\n\n      - name: Download Config Changelog\n        uses: actions/download-artifact@v8\n        with:\n          name: config.changelog.md\n          path: ./release\n\n      - name: Download Linux Scripts\n        uses: actions/download-artifact@v8\n        with:\n          name: scripts-linux\n          path: ./release/scripts\n\n      - name: Download Backend Binary\n        uses: actions/download-artifact@v8\n        with:\n          name: certwarden-linux-arm64\n          path: ./release\n\n      - name: Download README\n        uses: actions/download-artifact@v8\n        with:\n          name: README.md\n          path: ./release\n\n      - name: Download LICENSE\n        uses: actions/download-artifact@v8\n        with:\n          name: LICENSE.md\n          path: ./release\n\n      - name: Download CHANGELOG\n        uses: actions/download-artifact@v8\n        with:\n          name: CHANGELOG.md\n          path: ./release\n\n      - name: Set script permissions\n        run: |\n          find ./release/scripts -type f -name \"*.sh\" -print0 | xargs -0 chmod 755\n\n      - name: Tar files (preserves permissions)\n        run: |\n          tar -cvf certwarden_linux_arm64.tar ./release\n\n      - name: Save Release\n        uses: actions/upload-artifact@v7\n        with:\n          name: certwarden_linux_arm64\n          path: certwarden_linux_arm64.tar\n\n  release-file-linux-amd64:\n    needs:\n      [\n        build-common,\n        build-frontend,\n        build-backend-common,\n        build-backend-linux-amd64,\n      ]\n    runs-on: ubuntu-24.04\n\n    steps:\n      - name: Make release directory\n        run: mkdir ./release\n\n      - name: Download Frontend\n        uses: actions/download-artifact@v8\n        with:\n          name: frontend_build\n          path: ./release/frontend_build\n\n      - name: Download 
Backend Default Config\n        uses: actions/download-artifact@v8\n        with:\n          name: config.default.yaml\n          path: ./release\n\n      - name: Download Backend Example Config\n        uses: actions/download-artifact@v8\n        with:\n          name: config.example.yaml\n          path: ./release\n\n      - name: Download Config Changelog\n        uses: actions/download-artifact@v8\n        with:\n          name: config.changelog.md\n          path: ./release\n\n      - name: Download Linux Scripts\n        uses: actions/download-artifact@v8\n        with:\n          name: scripts-linux\n          path: ./release/scripts\n\n      - name: Download Backend Binary\n        uses: actions/download-artifact@v8\n        with:\n          name: certwarden-linux-amd64\n          path: ./release\n\n      - name: Download README\n        uses: actions/download-artifact@v8\n        with:\n          name: README.md\n          path: ./release\n\n      - name: Download LICENSE\n        uses: actions/download-artifact@v8\n        with:\n          name: LICENSE.md\n          path: ./release\n\n      - name: Download CHANGELOG\n        uses: actions/download-artifact@v8\n        with:\n          name: CHANGELOG.md\n          path: ./release\n\n      - name: Set script permissions\n        run: |\n          find ./release/scripts -type f -name \"*.sh\" -print0 | xargs -0 chmod 755\n\n      - name: Tar files (preserves permissions)\n        run: |\n          tar -cvf certwarden_linux_amd64.tar ./release\n\n      - name: Save Release\n        uses: actions/upload-artifact@v7\n        with:\n          name: certwarden_linux_amd64\n          path: certwarden_linux_amd64.tar\n\n  release-file-windows-amd64:\n    needs:\n      [\n        build-common,\n        build-frontend,\n        build-backend-common,\n        build-backend-windows-amd64,\n      ]\n    runs-on: ubuntu-24.04\n\n    steps:\n      - name: Make release directory\n        run: mkdir ./release\n\n      - 
name: Download Frontend\n        uses: actions/download-artifact@v8\n        with:\n          name: frontend_build\n          path: ./release/frontend_build\n\n      - name: Download Backend Default Config\n        uses: actions/download-artifact@v8\n        with:\n          name: config.default.yaml\n          path: ./release\n\n      - name: Download Backend Example Config\n        uses: actions/download-artifact@v8\n        with:\n          name: config.example.yaml\n          path: ./release\n\n      - name: Download Config Changelog\n        uses: actions/download-artifact@v8\n        with:\n          name: config.changelog.md\n          path: ./release\n\n      - name: Download Windows Scripts\n        uses: actions/download-artifact@v8\n        with:\n          name: scripts-windows\n          path: ./release/scripts\n\n      - name: Download Backend Binary\n        uses: actions/download-artifact@v8\n        with:\n          name: certwarden-windows-amd64\n          path: ./release\n\n      - name: Download README\n        uses: actions/download-artifact@v8\n        with:\n          name: README.md\n          path: ./release\n\n      - name: Download LICENSE\n        uses: actions/download-artifact@v8\n        with:\n          name: LICENSE.md\n          path: ./release\n\n      - name: Download CHANGELOG\n        uses: actions/download-artifact@v8\n        with:\n          name: CHANGELOG.md\n          path: ./release\n\n      - name: Save Release\n        uses: actions/upload-artifact@v7\n        with:\n          name: certwarden_windows_amd64\n          path: ./release\n"
  },
  {
    "path": ".github/workflows/publish_docker.yml",
    "content": "name: Publish Docker Image\n\non:\n  workflow_dispatch:\n  push:\n    'tags':\n      - 'v*'\n\nenv:\n  GITHUB_REF: ${{ github.ref }}\n  GITHUB_REF_NAME: ${{ github.ref_name }}\n  # GO_VERSION: <set in Dockerfile, not here>\n  # NODE_VERSION: <set in Dockerfile, not here>\n\njobs:\n  build-docker:\n    runs-on: ubuntu-24.04\n\n    steps:\n      - name: Checkout Main Repo\n        uses: actions/checkout@v6\n        with:\n          repository: gregtwallace/certwarden\n          ref: ${{ env.GITHUB_REF }}\n          fetch-depth: 0\n\n      - name: Set up QEMU\n        uses: docker/setup-qemu-action@v4\n\n      - name: Set up Docker Buildx\n        uses: docker/setup-buildx-action@v4\n\n      - name: Login to Docker Hub\n        uses: docker/login-action@v3\n        with:\n          username: ${{ secrets.DOCKERHUB_USERNAME }}\n          password: ${{ secrets.DOCKERHUB_TOKEN }}\n\n      - name: Log in to the GitHub Container registry\n        uses: docker/login-action@v4\n        with:\n          registry: ghcr.io\n          username: ${{ github.actor }}\n          password: ${{ secrets.GITHUB_TOKEN }}\n\n      - name: Extract metadata (tags, labels) for Docker\n        id: meta\n        uses: docker/metadata-action@v6\n        with:\n          images: |\n            gregtwallace/certwarden\n            ghcr.io/${{ github.repository }}\n\n      - name: Build and push Docker image\n        uses: docker/build-push-action@v7\n        with:\n          context: .\n          file: ./Dockerfile\n          push: true\n          platforms: linux/amd64,linux/arm64\n          tags: ${{ steps.meta.outputs.tags }}\n          labels: ${{ steps.meta.outputs.labels }}\n          build-args: |\n            BACKEND_VERSION=${{ env.GITHUB_REF_NAME }}\n            FRONTEND_VERSION=${{ env.GITHUB_REF_NAME }}\n"
  },
  {
    "path": ".gitignore",
    "content": "/out\n"
  },
  {
    "path": "CHANGELOG.md",
    "content": "# Cert Warden Changelog\n\n## [v0.29.3] - 2026-05-15\n\nMinor updates and fixes.\n\n## Added\n- Add default path to acme.sh provider form.\n- Add build flag to omit dns-01 go-acme from builds (not in use yet but\n  provides an option to greatly reduce compile size and time).\n- Add backend github action for testing.\n- Add download route tests.\n\n## Fixed\n- Fix issue where newest valid order wasn't served for a cert.\n  Issue triggered when newer order had a shorter validity and the \"old\"\n  order had a later expiration date. This could be triggered by the\n  recent Let&apos;s Encrypt change from 90 to 45 day certificates.\n- Updates to address several frontend package warnings.\n- Improve redacted console log of frontend logging. Also add redaction\n  for the CW client AES key.\n- Fix validation test regarding rfc850 time.\n- Use derivative of shutdown context in all storage contexts.\n\n## Changed\n- Update axios to 1.16.0\n- Update follow-redirects to 1.16.0\n- Update postcss to 8.5.14\n- Use build flags to exclude acme.sh provider from windows builds (as\n  opposed to checking GOOS at runtime)\n- Minor updates to dns-persist-01\n- Begin rework of storage. Preparation to make the SQL code storage method\n  agnostic and to move all sqlite specific code to its own package. In the\n  future I'd like to change sqlite package to move away from the CGO\n  requirement.\n\n\n## [v0.29.2] - 2026-04-29\n\nCritical security fix and other updates.\n\n> [!CAUTION]\n> You should immediately update Cert Warden. There was a security\n> vulnerability where it was possible to access the private key with just the\n> certificate api key. You should also rotate any keys where you shared the\n> certificate api key without the intention of sharing the private key as\n> well.\n\n## Fixed\n- Security issue where combination key+certificate downloads could be\n  accessed with only one of the two keys. 
Thank you to @Feliksas for reporting\n  this.\n\n## Changed\n- Wake up hourly to check certificates (instead of every other hour).\n- Increase http request limit to 10 (from 3). The prior release decreased this\n  due to a misconfiguration on Let's Encrypt's infrastructure. The issue should\n  be resolved so we can go faster again.\n- Move retry-after header parsing and add some tests.\n- Update go-acme/lego/v4 to 4.35.2\n- Rewrite dnscloudflare01 using Cloudflare's newest Go API (v6).\n- Update all GitHub Actions to latest versions.\n- Update node.js to 24.15.0\n\n\n## [v0.29.1] - 2026-04-13\n\nMinor changes.\n\n## Fixed\n- Improve http client rate limiter.\n- Improve ARI update failed error message.\n\n\n## [v0.29.0] - 2026-04-09\n\nThis release adds support for the dns-persist-01 challenge type. There\nis a new provider `dns-persist-01 Manual` that should cover all cases.\n\n## Added\n- Add dns-persist-01 challenge type support.\n\n## Fixed\n- Several dependencies with possible issues updated.\n\n## Changed\n- Update to go 1.25.5\n- Update to node 20.19.6\n- Update all frontend dependencies.\n- Update github.com/go-jose/go-jose/v4 to v4.1.4\n- Update google.golang.org/grpc to v1.80.0\n\n\n## [v0.28.1] - 2025-12-16\n\nThis release is a few minor fixes and dependency updates.\n\n## Added\n- Add ability to specify Cert Warden client notification port.\n\n## Fixed\n- Fix post processing parameter posting (database had parameter order\n  flip-flopped).\n- Fix put csr extensions (had wrong field name).\n- Fix file encoding in acme.sh prep script.\n\n## Changed\n- Update to go 1.25.5\n- Update to node 20.19.6\n- Update x/crypto to 0.45.0\n- Update go-acme/lego/v4 to 4.29.0\n- Update acme.sh to 3.1.2\n- Update all frontend dependencies.\n- Do some minor linting.\n\n\n## [v0.28.0] - 2025-10-19\n\nThis release removes dns record checking during the propagation of\ndns challenge records. This function was somewhat hit or miss depending\non provider. 
Instead, each provider now has one configurable wait\ntime that Cert Warden will wait before telling the ACME Server to\nproceed with validation. \n\nThe config migration will add your two existing wait times together and use\nthat as your wait time value. A floor of 5 minutes will be used\nif the value is less than that. For http, a minimum floor of 5 seconds\nis used.\n\nYou should play with the wait time to find a reasonably low value so\nyou're not waiting excessively, but not so low that you fail validation.\nFor most dns providers, 5 minutes should be fine.\n\nOtherwise, this is minor fixes and dependency updates.\n\n## Fixed\n- Fix bug where a long order 'processing' state would not properly\n  backoff.\n- Fix db migration edge case.\n- Fix missing current log file from zip download. The current log will\n  now be included in the zip.\n\n## Changed\n- Update to go 1.25.3.\n- Update all backend direct dependencies.\n- Update all frontend dependencies.\n- Update node to 20.19.5.\n- Update alpine to 3.22.\n- Update ACME signing code for clarity.\n- Update log parsing for display in web ui. This functionality is more\n  resilient to corrupt log entries.\n\n## Removed\n- Remove dns_checker functionality. Instead of checking for record\n  propagation, Cert Warden now waits a user specified amount of time.\n\n\n## [v0.27.0] - 2025-07-09\n\nThis release primarily adds support for the ACME Renewal Info\nExtension (RFC 9773).\n\nSee: https://datatracker.ietf.org/doc/rfc9773/\n\nIf an ACME Server does not support ARI, Cert Warden will generate a\nrenewal window itself using its own algorithm. 
Certificates that are \nvalid for 10 days or less will be renewed roughly at the halfway mark\nof their validity and certificates that are valid longer than 10 days \nwill be renewed when roughly 1/3 of their validity remains.\n\nOptions to manually configure renewal timing have been removed.\n\n> [!NOTE]\n> Cert Warden will run a job to generate the initial renewal information\n> for your certificates approximately 1 minute after the first start of \n> this version. If you login before this information finishes updating\n> you will see `Error!` on the dashboard where the Expiration Flags would\n> normally be. This is expected and will resolve once the first ARI job finishes.\n\n> [!CAUTION]\n> This release performs database modifications. Ensure you have a\n> recent backup and a recovery plan if something goes wrong.\n\n## Added\n- Add ACME Renewal Info (ARI) extension support. Overhaul logic for when to do\n  cert renewals. If the ACME Server supports ARI, it is respected. If it does\n  not, Cert Warden generates a sane \"in-house\" ARI value and uses that. Cert\n  Warden now checks for and performs renewals 1 minute after start and then\n  roughly every 2 hours after that. Refresh timing is no longer configurable.\n- Add ARI `replaces` field. 
Some ACME Servers support this to bypass rate\n  limits.\n- Add ARI explanation flag to dashboard.\n\n## Fixed\n- Fix function that checked if there is post processing to do for a cert.\n- Fix issue where the drop down for key selection on a cert failed to show\n  the key algorithm of the current key.\n- Backend pkg update to address a dependabot alert.\n- Update Go to 1.24.5 for improvements and fixes.\n- Update Node to 20.19.3.\n- Clarify what \"Profile\" means in the popup of an order.\n- Add noreferrer to all links that target _blank.\n\n## Changed\n- Change color coding on the dashboard for certificate validity remaining:\n  - greater than 1 week until renewal window begins : primary\n  - less than 1 week until renewal window begins, but it hasn't begun : secondary\n  - in the renewal window : warning\n  - past the end of the renewal window : error\n- Hovering over the validity remaining flag now shows all information about\n  the certificate's renewal window.\n- Do not require an e-mail address on accounts. Let's Encrypt is getting rid\n  of them.\n- Update all frontend dependencies.\n- Minor changes to the way some bytes.Buffer are used.\n- Minor linting.\n\n\n## [v0.26.0] - 2025-05-18\n\nThis release adds support for ACME `profiles`. I'm not sure any provider is\nusing this outside of Let's Encrypt, but LE is making a pretty big investment\non this front so I wanted to get support added. A \"prettier\" version of support\nis probably coming in the future, but for now this version is sufficient.\n\nThe new `ACME Profile` field is listed under the `CSR` section of a certificate.\n\n## Added\n- Add support for specifying an ACME profile. If an order has a profile, an\n  additional icon with the profile name will be shown under the order's\n  \"Details\" column.\n- Add some initial code for ACME ARI support. 
This code isn't actually in\n  use yet though.\n\n## Fixed\n- Impose proper rate limiting within both CW's http client as well as within\n  the challenges package specifically.\n- Try to ensure challenge records are actually deprovisioned during shutdown.\n\n\n## [v0.25.1] - 2025-05-06\n\nMinor fixes.\n\n## Fixed\n- Fix erroneous frontend error after clicking place order.\n- Improve Content-Type parsing (fixes use with some providers e.g., GoDaddy).\n- Update vite to 6.3.5 to address security issue.\n\n\n## [v0.25.0] - 2025-05-02\n\nThis release brings some significant feature updates. The most significant is\nthe ability to manually tweak wait times which could be particularly helpful\nif you're getting errors related to DNS validation. One size does not fit all\nin this area so I've made it something you can adjust yourself. If you're \nhaving such an error, try increasing the relevant provider's wait time.\n\n> [!CAUTION]\n> This release performs database AND config modifications. Ensure you have a\n> recent backup and a recovery plan if something goes wrong.\n\n## Add\n- Add manual adjustments to the delay time for each provider. That is, you can\n  now manually specify how long Cert Warden should wait before telling the ACME\n  Server to proceed with resource validation. The existing behavior waits roughly\n  3 minutes, so that default is automatically applied to existing providers,\n  except for http-01-internal which does not require any delay.\n- Add field to manually specify the address for the Cert Warden Client post\n  processing (instead of using the cert subject). Any cert with a Client\n  key present will have the subject automatically copied to the address field\n  to ensure your existing setup doesn't break.\n- Add legacy PFX support via api call.\n\n## Fixed\n- Update react-router to 7.5.2 to fix a security issue.\n\n## Changed\n- Make acme.sh provider more efficient. 
Modify scripts once in the source vs.\n  every time they are run.\n- Update acme.sh to 3.1.1.\n\n\n## [v0.24.9] - 2025-04-22\n\nSome minor fixes and improvements.\n\n> [!IMPORTANT]\n> The way post processing scripts are run has changed! Scripts will be run\n> in accord with their shebang. This also means your script MUST have the +x\n> permission or it won't run. The previous way of calling these scripts did\n> not enforce permissions, so if your scripts stop working after this update\n> they likely have the wrong shebang or are missing the executable permission.\n\n## Add\n- Allow ACME Server / service that does not provide an account key change\n  URL in its directory.\n- Add log messages regarding succesful provision and deprovision of challenge\n  records.\n- Honor post-process script shebang. Scripts will run as specified which\n  may produce new errors compared to the last version of CW. This allows more\n  flexibility with scripting (e.g., you could use something like Python if you\n  wanted to).\n\n## Fixed\n- Fix nonce manager's retry loop when CW fails to get a nonce. This was\n  implemented in the last version but the loop was wrong.\n- Fix frontend UI erroneous error when adding an ACME Server.\n- Fix garbage code & comments related to new version checking. Check will \n  always run once per 24 hours, regardless of success or fail.\n- Security fixes.\n- Set included scripts in the `/scripts` folder to include the executable\n  permission.\n\n## Changed\n- Switch to using time.After() instead of extra code for timers. Go GC now\n  handles this without issue and the code is cleaner.\n\n\n## [v0.24.8] - 2025-04-15\n\nThis version brings a substantial overhaul to the challenge solving system. This\nshould provide a more consistent solving experience overall. 
There are also some\nminor fixes and dependency updates.\n\n## Added\n- Add cache headers to built-in http-01 server.\n- Log individual authorization failures and their errors.\n\n## Fixed\n- Fix unintended hold over of in-use challenge resources.\n- Fix failures caused by `new-nonce` returning a 503 error.\n- Fix resource overlap and transient solver failures.\n- Fix possible security issues by updating some dependencies.\n- Fix improper user logout if the browser is refreshed and the access token is\n  expired but the session token is not.\n- Fix redirect after submit of the add provider form.\n\n## Changed\n- Overhaul challenge solving and resource tracking. Of primary note,\n  at minimum, solving will now take 3 minutes to ensure full resource\n  propagation. The new system may take longer for single dns name certs\n  but will expedite certs with more than 1 dns name.\n- Increase max solving time to 60 minutes before timeout.\n- Update Go to 1.24.2\n- Update go-acme/lego to 4.22.2\n- Update node to 20.19.0\n\n\n## [v0.24.7] - 2025-03-27\n\nFix CNAME check for dns-01.\n\n\n## [v0.24.6] - 2025-03-25\n\nA couple minor features, as well as minor updates and fixes.\n\n## Added\n- Add CNAME check when using Domain Aliases. An error is logged to indicate when\n  an alias is configured in Cert Warden but is not found when checking DNS\n  records. This should make alias problems more obvious and easier to\n  troubleshoot.\n- Add persistent browser storage for the rows per page setting. The user selection\n  will persist in local storage. The `ACME Orders` table has a separately persisted\n  value since users will probably want that one to be shorter and not tied to the\n  other table views.\n\n## Fixed\n- Multiple dependency updates to address CVEs.\n- Allow `+` symbol in email addresses.\n- Fix some minor typos.\n\n## Changed\n- Change logs display behavior to show last 500 entries. 
This is to improve\n  viewing consistency and performance.\n- Update to Vite 6.2.2.\n\n\n## [v0.24.5] - 2025-02-12\n\nUpdate major version deps of the frontend to the latest and greatest. The backend\nis unchanged from the last version and no change in functionality of the frontend\nis expected. Some build tools were also updated.\n\n## Fixed\n- Fixed missing field name on PaG page.\n\n## Changed\n- Update to Vite 6.\n- Update to React 19.\n- Update to MUI 6.\n- Build with Node 20 instead of 18.\n- Build using Ubuntu LTS 24.04 and Windows-2022.\n- Overhaul ts and eslint configs to modern values.\n- Do a bunch of linting.\n\n\n### Removed\n- Remove some dead code related to viewing provider configs in the page that shows\n  all providers.\n\n\n## [v0.24.4] - 2025-02-03\n\nThe porkbun API url changed and requires an update. I am taking this opportunity\nto rip the bandaid off and update all dependencies. Please report any issues.\n\n### Fixed\n- Fix PorkBun API URL (through dependency update).\n- Fixed error with duplicate element `id` on PaG page.\n- Don't show change password widget for non-local user.\n- Fix config docs regarding the removed `frontend_show_debug_info` item.\n\n## Changed\n- Update Go to 1.23.5.\n- Update Node to 18.20.6.\n- Update Alpine to 3.21.\n- Update acme.sh to 3.1.0.\n- Update all other backend and frontend dependencies.\n\n\n## [v0.24.3] - 2025-01-26\n\nMore minor tweaks, polish, and fixes.\n\n### Added\n- Add ability to view the entire ACME Server's directory response in the frontend\n  when the frontend debug info toggle is enabled.\n\n### Fixed\n- Fix issue where multiple orders or multiple domains on one order could fail\n  to validate due to the ACME Server finding the previous value for the expected\n  record. This adds a 60 second delay before re-using a previously used resource.\n- Fix frontend navigation links related to `Providers`.\n\n### Changed\n- Frontend debug option was removed from environment config. 
Instead it\n  is stored in the user's browser and can be toggled on the `Settings` page.\n\n\n## [v0.24.2] - 2025-01-20\n\nVery minor tweaks, polish, and fixes.\n\n### Added\n- Add account select and display of account information on the Debug\n  PaG page.\n- Add debug log of kid on ACME signed POSTs.\n- Indent debug PaG json.\n- Add help link to Debug PaG page.\n\n### Fixed\n- Don't require EAB fields to be populated for Account registration. If\n  an Account was previously registered it will already be bound and thus\n  does not need to be bound again.\n- If Debug PaG URL has an invalid account id, page will redirect to the\n  Accounts page.\n\n\n## [v0.24.1] - 2025-01-15\n\nBug fixes.\n\n### Added\n- Add link to the debug PaG page in frontend (rather than only having it\n  as a hidden page accessible only via typing in the URL path).\n\n### Fixed\n- Fix change password functionality for local `admin` user.\n- Fix error checking when evaluating if an ACME Server returned an ACME\n  type error. This really wasn't causing issues but was discovered while\n  working with the new Debug PaG page.\n- Fix frontend PaG page so an ACME Server error is not returned as an\n  error to the frontend. Instead frontend should receive an OK response\n  containing information about the ACME Server error response.\n\n\n## [v0.24.0] - 2025-01-11\n\nThis release adds a number of new features and fixes.\n\n### Added\n- Add OIDC suuport.\n- Added tracking of last API access for keys and certs.\n- Added `/v1/acmeaccounts/:id/post-as-get` route and a hidden frontend\n  page. The form allows using PaG to a resource for troubleshooting\n  purposes.\n- Add language detection efforts for Accept-Language header. Always include\n  sane fallback and default values.\n\n### Fixed\n- Couple of dependency updates related to security.\n- Improve some error messages relating to directory fetching.\n- Improve validation of acme-dns config.\n- Make frontend explicitly check session expiration at login. 
This fixes\n  an issue where clock skew makes the login succeed but then returns\n  the user to the login page.\n\n### Changed\n- Change frontend date/time to show the date and a tooltip that includes\n  the time.\n- Increase access token validity to 4 minutes, up from 2 minutes.\n- Remove custom http.Client package. Instead, use a custom round tripper\n  to accomplish the same thing.\n- Overhaul `auth` package functionality.\n\n### Removed\n- Remove all references to old application name and remove all backward\n  compatibility.\n\n\n## [v0.23.0] - 2024-12-07\n\nThis release adds a few new features.\n\n### Added\n- Add PFX download route (https://www.certwarden.com/docs/using_certificates/api_calls/#get-pkcs12-pfxp12-with-certificate-chain-and-private-key).\n- Add challenge domain aliases (https://www.certwarden.com/docs/user_interface/providers/#domain-aliases).\n- Add more detailed error messages and display them to the user.\n\n\n## [v0.22.3] - 2024-11-26\n\nMinor updates and fixes.\n\n### Added\n- Log error when failing to write the `env.js` file.\n- Add some initial code for alias support.\n- Add `oath-toolkit-oathtool` dep for acme.sh.\n\n### Fixed\n- Fix possible nil deref when serving the https certificate.\n- Update gomarkdown pkg to address alert.\n- Update goland-jwt pkg to address alert.\n\n### Changed\n- Update to go version 1.23.3.\n- Update to node version 18.20.5.\n- Update `acme.sh` to version 3.0.9.\n- Set default `env.js` to the actual defaults. Some users have run into issues\n  writing this file, so this will bandaid the situation somewhat.\n\n\n## [v0.22.2] - 2024-09-29\n\nUpdate Vite to address some security issues.\n\n\n## [v0.22.1] - 2024-09-07\n\nThe auto ordering logic was updated to make Cert Warden more friendly to all ACME\nservers (instead of focusing on Let's Encrypt). Renewal time is now calculated\nbased on the percentage of a certificate's validity that is remaining instead of\na static number of days. 
A tooltip was added to easily see this information in the \nDashboard. Eventually the ACME Renewal Information (ARI) Extension will be used\nbut since the relevant spec is not yet finalized, I have chosen to not implement\nit yet.\n\n### Added\n- Add tooltip on frontend Dashboard when hovering over the days until expiration.\n  Tooltip shows percentage of validity remaining and the anticipated automatic\n  renewal date.\n\n### Fixed\n- Updated grpc dependency on backend. I don't believe the issue actually\n  impacts Cert Warden but the update was done anyway.\n\n### Changed\n- Change auto ordering (i.e., renewal) logic. Instead of a fixed number of\n  days remaining, calculate when 1/3 of the certificate's validity remains\n  and then place the new order. For extremely short-dated certificates, a\n  backstop value of 10 days is used and if validity drops below that regardless\n  of percentage, a new order will be placed.\n- Update frontend expiration days coloring to match the same logic as backend.\n  Warning color is used when a cert is within a week of renewal and red is used\n  when renewal is imminent or overdue.\n- Convert backend Order object time int members to time.Time.\n- Overhaul frontend Flag component to separate logic out for different flags.\n- Update pagination package so default value will return all results from the db.\n- Update axios to 1.7.4 and vite to 5.4.0.\n- Tighten some linting rules and lint accordingly.\n- Use math/rand/v2 in safecert package.\n\n### Removed\n- Remove `valid_remaining_days_threshold` config option in favor of new\n  certificate renewal logic.\n- Remove some dead validTo/validFrom code in backend.\n\n\n## [v0.22.0] - 2024-07-11\n\n> [!IMPORTANT]\n> Old API routes using the `/legocerthub` prefix were previously\n> deprecated but are now completely removed. Anything still using the\n> old routes after upgrade will break.\n> Additionally, the `legocerthub` docker builds will no longer be \n> updated. 
Builds starting with this version will only be posted under\n> `certwarden` on both GitHub and DockerHub.\n\nThis release removes some old remnants of LeGo CertHub and also adds some\nminor features.\n\n### Added\n- Add ability to specify the desired Root Certificate for a certificate.\n  This option was added under the CSR of a Certificate and behaves the \n  same way as Certbot's `--preferred-chain` flag.\n- Add confirmation dialog for certificate order revocation. Additionally,\n  the confirmation dialog allows specifying a revocation reason code.\n- Add a button on the frontend edit account screen to easily copy the\n  account URL.\n\n### Fixed\n- Fix footer theme icon to correctly use my custom component.\n\n### Changed\n- Changed orders table to show the root cert's Common Name moving\n  forward. Since this information was not parsed in previous versions,\n  it will not be displayed on existing orders, only on orders fulfilled \n  in this version and later.\n\n### Removed\n- Remove old `/legocerthub` redirect routes. This will break anything\n  still using the old routes.\n- Disable posting of new docker builds under the old `legocerthub`\n  name.\n\n\n## [v0.21.6] - 2024-07-02\n\nMinor updates and fixes.\n\n### Added\nN/A\n\n### Fixed\n- Fix percentage formatting in `dns_checker` debug messages.\n- Fix key pem formatting. In rare cases, an extra blank line was added\n  incorrectly.\n- Update a few dependencies to address Dependabot alerts.\n- Fix backend mod file to properly set Go `1.22.4`.\n\n### Changed\n- The key pem formatting function was tweaked for code clarity and is\n  likely a little more robust now as a result.\n- Update Node JS to 18.20.3.\n- Update Alpine to 3.20.\n\n### Removed\nN/A\n\n\n## [v0.21.5] - 2024-07-02\n\nRemoved due to issues with Go 1.22.5.\n\n\n## [v0.21.4] - 2024-06-13\n\nMinor updates and fixes.\n\nIf you are coming from <0.21.0, please read the warnings on 0.21.0.\n\n### Added\n- Add better async order fulfillment. 
This was already supported but\n  the additional changes make it more robust. If you have the\n  `debug` log level set you will see more API calls to the remote\n  ACME server.\n- Add more robust checking of downloaded certificate chains. Also\n  lay the groundwork for preferred chain selection in a future\n  version. Add some additional log messages related to this.\n\n### Fixed\n- Fix linux install script and service files.\n\n### Changed\n- Update some log messages for clarity.\n- Update to Go 1.22.4.\n- Minor code cleanup for var type and name clarity.\n- Change some usage of ToLower to EqualFold instead as a better\n  coding practice.\n- Update `braces` pkg.\n\n### Removed\nN/A\n\n\n## [v0.21.3] - 2024-05-17\n\nMinor updates and fixes.\n\nIf you are coming from <0.21.0, please read the warnings on 0.21.0.\n\n### Added\nN/A\n\n### Fixed\n- Fix default certname. The app was looking for `certwarden` instead\n  of `serverdefault`.\n- Fix various issues in dependencies.\n\n### Changed\n- Update to Go 1.22.3.\n- Update all dependencies (backend and frontend).\n\n### Removed\nN/A\n\n\n## [v0.21.2] - 2024-05-07\n\nMinor updates and fixes.\n\nIf you are coming from <0.21.0, please read the warnings on 0.21.0.\n\n### Added\n- Always show Account URL. Some ACME providers (like Let's Encrypt)\n  allow CAA records that specify specific account(s) that are allowed\n  to issue certificates. Make the account URL always visible to make\n  it easier to generate such records.\n- Add refresh Account button on the edit account page. The button\n  queries the ACME server for the current state of the account and\n  saves it to Cert Warden.\n- Add debug log message that lists which dns servers dns_checker is\n  configured to use.\n\n### Fixed\n- Update net package to address a dependabot alert re: http/2.\n- Fix some file downloads having duplicate extension in the name of\n  the file (e.g. `.pem.pem`).\n- Fix retry after badNonce error for some ACME servers. 
(This is not\n  a Cert Warden bug. Some ACME servers apparently don't follow the \n  spec for how to handle badNonce. This fix allows Cert Warden to\n  handle these non-compliant servers. Cert Warden will log a warning \n  when this happens and the issue should be reported to the maintainer \n  of the non-compliant server.)\n- Fix some error messages printing in a garbled format.\n\n### Changed\n- Minor API path rename for account registration.\n- Minor styling changes in nonce manager.\n\n### Removed\nN/A\n\n\n## [v0.21.1] - 2024-04-19\n\nMinor updates and fixes.\n\nIf you are coming from <0.21.0, please read the warnings on 0.21.0.\n\n### Added\n- Add ability to use = (equal sign) in environment param values.\n\n### Fixed\n- Fix environment param name and value checking. Be more strict about\n  what is allowed in a param name. Make the frontend logic match the\n  backend logic exactly.\n- Fix environment params slice not properly stripping quotes.\n- Fix time parsing of old backup file names. (If you saw a bunch of\n  `warn` messages in your logs about backups and times, this is the\n  fix.)\n\n### Changed\nN/A\n\n### Removed\nN/A\n\n\n## [v0.21.0] - 2024-04-15\n\nLeGo CertHub has changed to Cert Warden! This was done to avoid confusion\ndue to name overlap with another project. As part of this transition, a\nnumber of things changed. I made efforts to make this upgrade cause \nlittle to no pain, but there are changes that could trip you up.\n\n> [!CAUTION]\n> You should not perform this update in an unattended fashion. Something\n> might break and you may need to make tweaks. If you have problems, \n> please open an issue or post on the forum.\n\nCompatibility Notes:\n- Names of binaries, install, and upgrade scripts have changed. This includes\n  the default paths and user name. If you're using a build outside of docker, \n  you may need to update your local service to match the new file names. 
\n  Review the changes in \n  https://github.com/gregtwallace/certwarden-backend/blob/master/scripts/linux/install.sh\n  https://github.com/gregtwallace/certwarden-backend/blob/master/scripts/linux/upgrade.sh\n  and\n  https://github.com/gregtwallace/certwarden-backend/blob/master/scripts/linux/legocerthub.service\n- The Cert Warden Client route was changed. The server will attempt to\n  post to the old route if the new route 404'd.\n- The sqlite db was renamed to `appdata.db`. The old file should be \n  automatically renamed on first start.\n- The default certificate name this app uses has changed from `legocerthub`\n  to `serverdefault`. The db version will be updated on first start and if\n  one named `legocerthub` exists, it will be renamed to `serverdefault`.\n- The basepath for the app and api changed from `/legocerthub` to \n  `/certwarden`. Redirects are in place (for now) but you should update\n  clients ASAP. A warning will be logged on the server any time a legacy\n  path is accessed. The warning includes the IP of the client so you\n  can go fix it.\n- Log and backup filename prefixes were changed but the old files should\n  still be accessible and viewable as if they had the new 'correct' name.\n\n\nMost of the backwards compatibility bandages will be removed in a later\nversion. Please update clients asap to avoid future issues.\n\n### Added\nN/A\n\n### Fixed\nN/A\n\n### Changed\n- Update to Vite 5 and use the new CSP injection feature (instead of the\n  custom implementation previously used).\n- Update to Go 1.22.1 and Node 18.20.2.\n- Update a number of other dependencies.\n- DB schema version changed from 5 to 6. The schema didn't actually change\n  but this was done to help with the name change migration.\n\n### Removed\nN/A\n\n\n## [v0.20.4] - 2024-03-25\n\nMinor updates and fixes.\n\nI plan to rename this project. 
Please let me know if you have any ideas!\nSee: https://community.letsencrypt.org/t/new-client-lego-certhub/215010\n\n### Added\n- Add basic validation to frontend when editing environment variables, as\n  well as an error message specifying the correct format.\n\n### Fixed\n- Fix email validation on frontend (thanks @oliverl-21).\n\n### Changed\n- Overhaul environment variables for providers and certificates. These can\n  now have quotes around the name, value, both, or neither and still work\n  correctly. This was done as this format is common to other tools when\n  setting these.\n- Certain fields (e.g. API Keys) are no longer redacted when output via\n  the API/frontend, so they are returned in full to the caller.\n  They are still redacted in the logs though.\n- The go-acme provider will now use the system default DNS server(s)\n  instead of Google (if they can be determined, which they should be on all\n  OSes).\n- Update go jose, protobuf, and do go mod tidy.\n- Update axios and follow-redirects.\n- Update some func names on backend pem output. This is in preparation to\n  add output in other formats (e.g., pfx).\n- Update frontend copyright notice to 2024.\n\n### Removed\n- Removed provider config preview when viewing the page that shows all\n  providers. Edit a provider to see the full config.\n\n\n## [v0.20.3] - 2024-03-06\n\nUpdate to Go 1.22.1, which includes some security fixes.\n\n\n## [v0.20.2] - 2024-03-05\n\nMinor release that adds OCSP stapling and fixes a graceful shutdown bug.\n\n### Added\n- Add OCSP stapling to the certificate that LeGo serves to clients \n  connecting to it.\n\n### Fixed\n- Fix auth session cleaning service. Timer had a bug that stopped it from\n  running and also caused graceful shutdown to hang.\n\n### Removed\n- Removed some unused dead code and vars.\n\n\n## [v0.20.1] - 2024-03-01\n\nHotfix to prior version.\n\n\n## [v0.20.0] - 2024-02-29\n\nThis release breaks up the work being done to fulfill certificates and the\nwork that is done after they are fulfilled (post processing). 
This is done\nto make it more clear what work is being done. It is also with an eye to\npotential future functionality to allow canceling and rescheduling of jobs.\nI have not yet decided what to do in that regard though.\n\nIt also adds an Extra Extensions option to certificates' CSRs. Certain ACME \nServers may support Extra Extensions on certificates and this allows the\nuser to specify desired extensions. There is a built-in button to add the\nOCSP Must Staple extension. Note: Servers may or may not honor extensions\non the CSR and if they don't honor them, they may still continue and issue\na certificate without them. This is advanced functionality and your mileage\nmay vary. You should confirm what your ACME Server does and does not \nsupport and verify that the resulting certificates that are produced \nactually match your expectations.\n\n### Added\n- Add separate post processing work queue to clearly separate this work\n  from certificate order work.\n- Add support for additional certificate extensions. There is also a \n  button to add the OCSP Must Staple extension.\n- Add help link to the CSR section of certificates.\n\n### Fixed\n- Fix missing field in form field func in frontend code.\n- Fix integer checking on frontend. Prevents things like page number `2.5`\n  from being interpreted as `2`.\n\n### Changed\n- Move SafeMap to its own package.\n- Some minor code cleanup in a couple areas removing unused vars / code.\n- Don't include blank CSR fields as part of the CSR. Reduces size of the\n  CSR that is transmitted to the ACME Server.\n\n\n## [v0.19.2] - 2024-02-24\n\nMinor bug fix.\n\n### Fixed\n- Fix safe map read which caused bug in http-01 internal server.\n\n\n## [v0.19.1] - 2024-02-18\n\nMinor bug fix.\n\n### Fixed\n- Fix broken 'submit' button on edit account page. 
It looks like this\n  was introduced during the conversion to TypeScript.\n\n\n## [v0.19.0] - 2024-02-17\n\nThis version adds help links to the official documentation on most pages \nof the frontend app. There are also a couple of minor bug fixes and \ndependency updates.\n\n### Added\n- Help links on most frontend pages.\n\n### Fixed\n- Fix possible memory leaks from time.After() calls.\n- Fix missing field error related to go-acme le-go.\n- Update follow-redirects package to fix CVE-2023-26159.\n\n### Changed\n- Update to Go 1.22.\n- Update to Node 18.19.0.\n- Update to math/rand/v2 standard library.\n- Update github actions for Node.js 20 versions.\n- Update docker container to Alpine 3.19.\n- Shorten application binary name in docker container.\n\n\n## [v0.18.4] - 2024-02-02\n\nMinor updates.\n\n### Added\n- Add post processing variable names for custom environment variables. Instead\n  of being forced to use `LEGO_CERTIFICATE_COMMON_NAME` the string \n  `{{CERTIFICATE_COMMON_NAME}}` can be used as a value in a custom named\n  variable. This allows more versatility in post processing.\n- Add ability to run binaries in post process, in addition to scripts.\n\n### Fixed\n- Fix issue where time might print strangely in log message about \n  auto-ordering.\n- Fix wrong tooltip over the ignore update X button.\n- Fix frontend form validation on provider domains. Wildcards are not allowed\n  on providers as the domain is already assumed to include all subdomains, \n  including wildcard subdomains. 
The backend already properly validated this\n  but the frontend did not.\n\n### Changed\n- Update Vite to 4.5.2.\n\n\n## [v0.18.2] - 2024-01-11\n\nMinor updates.\n\n### Added\n- Add new API route to download key, cert, and certchain all in one file.\n- Add ability to view all DNS names on any given order.\n- Docker: Add timezone support (use the TZ environment variable).\n\n### Changed\n- Change key name display on a given order to show an icon instead of the \n  long name, with a tooltip containing the key name. Clicking the icon \n  still navigates to the key.\n\n\n## [v0.18.1] - 2024-01-06\n\nMinor fixes to prior release.\n\n### Fixed\n- Fix backend post to LeGo client.\n- Fix missing field error on frontend.\n\n\n## [v0.18.0] - 2024-01-05\n\nThis release is pretty beefy with a number of significant code changes. Of \nmost interest to users is the addition of support for EVEN MORE dns providers \nthanks to the integration of go-acme/lego.\n\nDNS providers supported by the new provider option: \nhttps://go-acme.github.io/lego/dns/\n\nI'm also working on a client container that can receive certificate updates \nand restart designated docker containers (so they pick up new certs). The \ncode for the client is available at \nhttps://github.com/gregtwallace/certwarden-client \nbut builds aren't yet published and use is not yet recommended unless you \nreally want to live on the bleeding edge.\n\n### Added\n- Add go-acme le-go provider type. This adds even more dns provider options.\n- Add LeGo Client post processing option. Causes the db to upgrade to user \n  version 4. The client is still under development and compiled versions are \n  not yet posted.\n\n### Fixed\n- Fix possible provider update having a nil-deref if sending API payload \n  without a config.\n- Fix expiration check when trying to manually run post-processing. 
The wrong \n  expiration was previously being used causing post processing to fail if the \n  order was over ~1 week old.\n- Fix logging during challenge checking for valid/invalid. There was a bad\n  variable.\n- Update some dependencies to address possible vulnerabilities.\n\n### Changed / Improved\n- Decoupled domains from provider configs. Providers do not need knowledge of \n  the domains. No changes to the config.yaml file though, this was just some \n  code cleanup.\n- Simplify provider manager code a little bit by getting rid of an unneeded\n  map.\n- Rollback cloudflare api package as a test to observe impact in pprof. This \n  should have no user facing impact.\n\n\n## [v0.17.3] - 2024-01-02\n\nMinor fixes.\n\n### Added\n- Add ability to specify different provider(s) for subdomains. This allows \n  provider A to service example.com but use provider B for sub.example.com.\n\n### Fixed\n- Fix nil deref during automatic backup of app prior to config file version \n  upgrade.\n- Fix mismatch of domain to provider in case where domains have overlapping \n  names (e.g. testexample.com would have matched to example.com).\n- Several possible CVEs addressed via dependency updates and Go version \n  update to 1.21.5.\n\n\n## [v0.17.2] - 2023-12-30\n\nMinor fixes.\n\n### Fixed\n- Fix spawning of zombie `ssl_client` process in docker container.\n- Fix label on private key API Key showing as `old` even though it is the \n  only API Key.\n\n\n## [v0.17.1] - 2023-12-21\n\nMinor fixes to the prior release.\n\n### Fixed\n- Ensure backup folder gets created.\n- Fix possible hang of shutdown during failed backup waiting to retry.\n- Fix post processing logging so it is more clear what's going on.\n\n\n## [v0.17.0] - 2023-12-20\n\nThis release adds backup functionality. 
It also adds the ability to run \na script on the server after the successful completion of certificate \ncreation or renewal.\n\n### Added\n- Add backup functionality both to store locally on disk and to download \n  to client. Automatic backups are enabled by default but backup settings \n  can be changed in the config file. See the config example, change log, \n  and default for more info. Treat backups as sensitive: restrict access to \n  the backup location with the same file permissions you apply to the db \n  and config files.\n- Add post-processing script options to certificate. If you want to push \n  new certificates to clients you can use a script on the LeGo server to \n  do so and specify the script path and environment variables in the \n  certificate settings.\n- Add post-processing button to certificates' orders. Useful for testing \n  post processing is working without having to repeatedly order new \n  certificates. This can also be used to rollback to previous orders, if \n  needed.\n\n### Changed / Improved\n- Relocate db and config file to ./app sub folder of main data folder. \n  Files will be moved automatically from the previous location.\n- The Cloudflare provider now tolerates an invalid config at startup. This \n  is so the app still starts even if the internet is down. To compensate, \n  log messages are clear in the logs to highlight the problem.\n- Allow non-existent scripts in dns01manual method. This is to allow \n  configuration before the script is in the folder and also to avoid \n  failures to start if a file gets moved. Errors will be logged \n  accordingly.\n- Make grids on front end look a little nicer.\n\n### Fixed\n- Fix frontend idle logout. The timer was not properly resetting so early \n  timeout would trigger.\n\n### Removed\n- Remove notice about Let's Encrypt on the ACME Servers page. Support is \n  more general now, so no need to warn.\n\n\n## [v0.16.3] - 2023-12-13\n\n> [!CAUTION]\n> You need to upgrade to this release **IMMEDIATELY** if you are running \n> version 0.15.1 through 0.16.2. 
These versions contain a critical \n> security flaw which potentially allowed unauthorized access to private \n> keys.\n\nThe sole change in this release is addressing a critical security flaw.\n\nDepending on the sensitivity of your environment, the most secure action \nafter updating your version is to revoke all your certificates, rotate all \nof your account private keys, and reissue all of your certificates with \nnew keys.\n\nIf you're just running a home lab or have network access controls in \nplace that prevent untrusted clients from reaching your server, this is \nalmost certainly overkill. I have been running these versions too and all \nI am doing is rotating my account keys as an extra precaution.\n\nYou can also manually review your logs between installation of 0.15.1 \nand now to see if the keys were actually downloaded by an unauthorized \nclient. Keep in mind that this only proves anything if your logs were \nretained for that whole period; missing logs are not evidence of no access.\n\nThis vulnerability did not allow access to any other sensitive \ninformation such as the config file, API keys, etc. Only the download of \nprivate keys was impacted.\n\n### Added\nN/A\n\n### Changed / Improved\nN/A\n\n### Fixed\n- Fix critical security vulnerability that allowed unauthenticated \n  clients to download sensitive files.\n\n### Removed\nN/A\n\n\n## [v0.16.2] - 2023-12-05\n\n> **Warning**\n> This release fixes a security issue where the wrong permissions \n> were set on the database and config files. Please manually verify \n> your ./data/config.yaml and ./data/lego-certhub.db are set to \n> 0600 (RW for owner only), e.g. with \n> `chmod 0600 ./data/config.yaml ./data/lego-certhub.db`.\n\nRelease to address the security issue in the warning and ensure files \nhave the proper permissions set on creation.\n\nAlso a doc fix and install script fix.\n\n### Added\nN/A\n\n### Changed / Improved\nN/A\n\n### Fixed\n- Fix security issue where db and config might not be created with \n  the proper permissions (0600).\n- Fix Linux install script. 
Empty config file causes an error so just \n  let LeGo create the file on first run.\n- Update config example, defaults, and change log to include info \n  about the pprof change in the last release (oops, forgot).\n\n### Removed\nN/A\n\n\n## [v0.16.1] - 2023-12-03\n\nA laundry list of fixes and improvements.\n\nNote: The config schema will update from 2 to 3 due to change in the\npprof port config variable.\n\n### Added\n- Add exponential backoff and retry for a number of functions (acme \n  directory refresh, dns record checking, acme order processing and\n  challenge solving).\n- Add more detailed error for when actions run with an empty acme\n  directory (i.e. the directory url is currently failing).\n- Add automatic config backup before writing automated schema updates.\n- Add automatic db backup before writing automated schema updates.\n- Add security headers and access logging to pprof server.\n\n### Changed / Improved\n- Improve acme post signed debug logging to be more helpful in the \n  event troubleshooting is needed. Logging now occurs of items before\n  they are encoded (and thus not easily readable by a human). Log\n  unencoded payload and destination, indent server responses before\n  logging, and add logging for csr common name and dns name on finalize\n  action.\n- Make acme error type more straightforward.\n- Improve acme post signed logic.\n- Improve order fulfillment logic.\n- Cap order fulfillment at 2 hours before failing (instead of a set\n  number of loops through the logic).\n- Do not allow order actions if the certificate form above is change.\n  This is intended to prevent accidentally doing an action with stale\n  (unsaved) data.\n\n### Fixed\n- Fix pprof with HSTS header by having pprof also run in https mode\n  when server has a valid cert. As a result, config now has a \n  separate port option for http and https. 
Also add the new default\n  port to Docker files.\n- Directory refresh edge case that could result in double refresh.\n- Ensure app doesn't shutdown before challenge record deprovisioning\n  is complete.\n- Use proper errors Is and As instead of assertions and plain\n  comparisons.\n- Use proper error types for error comparisons (e.g. Cloudflare \n  dns record already exists error and dns check error is not found).\n- Fix default permissions on db when creating new.\n- Fix frontend cert revoke button color.\n- Fix showing a priority on idle workers on the frontend. Priority \n  should be blank since there is no job.\n- Fix Place New Order button not being disabled during an action.\n\n### Removed\n- Remove redirect to frontend root on login timeout. This was added in\n  the last update and is just kind of annoying without much benefit.\n\n\n## [v0.16.0] - 2023-11-25\n\nThe frontend has been completely updated to TypeScript with full type\nsafety. This involved a ton of code changes, please report any issues.\n\nIf you experience something breaking, the previous version has the same\nconfig and database versions, so report the issue and downgrade both\nthe frontend and the backend binary to the previous version.\n\n### Added\n- Add redirect if invalid page is specified when viewing a table of\n  things (e.g. 
keys, certs, etc).\n- Add redirect of any frontend path when logged out to the main root\n  path.\n\n### Changed\n- Complete overhaul to implement TypeScript.\n- Overhaul backend responses to be more detailed and consistent.\n- Update contexts and hooks on frontend for a little bit more sanity.\n- Updated input handler to use recursion and support any depth object.\n  Also changed methodology of the handler to make it compatible with\n  type safety.\n- Show success or error message on password change.\n- Update frontend server url validation to confirm only valid\n  characters in addition to https.\n- Submit button on forms is always enabled.\n- Use regex for field name matching to look up value type and error\n  message.\n- Remove some info from displaying on providers summary page. To get\n  all of the details, click into 'Edit'.\n- Update type for validation errors and method of recording errors.\n- Update frontend dependencies.\n\n### Fixed\n- Update Axios version to address a security issue.\n- Show success or error message on password change.\n- Fix sorting of account list by environment column.\n- Add missing CSR 'State' field.\n\n### Removed\nN/A\n\n\n## [v0.15.2] - 2023-11-06\n\nThis release is quality of life. It mainly addresses things related to\nlogging.\n\n### Added\n- Info log logout success.\n\n### Changed\n- Tweak wording on frontend describing the order queue.\n- Reorder CSP params.\n- Rename error handling middleware to not use the word error.\n\n### Fixed\n- Fix inaccurate info logging of certain information when serving the\n  frontend. This was creating log clutter that should only be in debug.\n- Fix CSP whitespace on default policy.\n- Fix typing of json response Message field.\n\n### Removed\nN/A\n\n\n## [v0.15.1] - 2023-10-31\n\nThis release is mostly quality of life improvements. 
Various security\nmechanisms are fine-tuned and some minor bugs are fixed.\n\n### Added\n- Add `Referrer-Policy` header, set to `no-referrer`.\n- Add more security headers to all server responses.\n- Use nonce for styles in Content Security Policy by setting on a meta\n  property and using some crafty on the fly code tweaking when the backend\n  serves the relevant js file.\n\n### Changed\n- Tighten up Content Security Policy.\n- Rewrote backend middleware logic to make code easier to follow and to make\n  it easier to adjust middlewares moving forward.\n- Don't use CORS on 404 error.\n- Secure change password and logout routes with access token. (This was\n  secure before, the logic is just more consistent now.)\n- Simplify backend logout logic.\n- Auth minor code cleanup for clarity.\n- Rename refresh token to session token and update references to 'session'\n  for consistency.\n- Update dns_checker log messages.\n- Use full base64 character set for nonce generation.\n- Simplify (streamline) frontend useAuth hook.\n\n### Fixed\n- Fix broken checkbox when editing an ACME Server.\n- Fix Vary header usage logic for download.\n- Update auth log message format to match new format.\n- Add proper fallback options to Content Security Policy.\n- Fix retry logic on frontend during access token refresh (fewer unneeded\n  retries will occur).\n\n### Removed\n- Remove nonce from scripts in Content Security Policy and only allow\n  'self' in script Content Security Policy.\n\n\n## [v0.15.0] - 2023-10-23\n\n> **Warning**\n> You must ensure your config.yaml is at least config_version: 1 prior to\n> installing or LeGo will not start.\n\nNote: If you are new or don't have a config.yaml, one will be created for\nyou on the first run of LeGo.\n\nMoving forward LeGo will enforce config_version but will migrate seamlessly\nunless there are notes to the contrary. Notes will include specific needed\nactions. 
To assist with changes across versions, all releases now include a\nconfig.changelog.md which notes all changes, not just breaking changes.\n\nIf you are already on the previous version (0.14.1) you can just manually\ninsert `config_version: 1` without any other changes. You should still\nreview the config default and example to ensure you have the options you\nwant.\n\nThis version also includes a bunch of other features, most of which revolve\naround adding more security to LeGo.\n\n### Added\n- Create config.yaml if one does not exist.\n- Add strict enforcement of config.yaml schema version.\n- Add auto update schema from 1 to 2. Older version 0 or unspecified\n  version will need manual intervention (at a minimum config_version\n  will need to be added).\n- Add HTTP Strict Transport Security (HSTS) header by default. Config has\n  an option to disable the header (`disable_hsts`).\n- Add relatively strict `Content-Security-Policy` header, including nonces\n  on scripts. Vite does not yet support nonces for style but I will add\n  it later when it does.\n- Add headers to prevent MIME type sniffing and iframes.\n- Add `frontend_show_debug_info` config option to set frontend to show\n  debug info and do some console.logging.\n- Add ability to clear the update notification from the left side\n  navigation bar.\n- Add logout tooltip.\n- Add theme toggle tooltip.\n- Add data-preload on style, script, and link tags.\n- Add timeout context on Cloudflare API calls.\n- Include config.changelog.md in releases. This file details changes to\n  config.yaml over time.\n\n### Changed\n- Move theme toggle to just an icon in bottom right corner in footer.\n- Rewrite frontend file handler on the Go backend. 
Needed to provide\n  more consistent headers and nonce support.\n- Update to Go 1.21.3, Node 18.18.2, and Vite 4.5.0.\n- Update all other dependencies in frontend and backend.\n- Update acme.sh script to 3.0.7 (adds a couple more dns providers).\n- Update Cloudflare provider to utilize newest Cloudflare Go api.\n- Some minor code cleanup.\n- Rename `cors_permitted_origins config option` to \n  `cors_permitted_crossorigins`.\n- Minor navbar restyling.\n- Change status/new version information and update frontend to properly\n  show the changed information.\n- Redact certain sensitive information when the frontend is set to log\n  debug info to the console.\n\n### Fixed\n- Fix accidentally allowing all cross-origins by default. If no origins\n  are specified, CORS is disabled.\n- Explicitly set dockerbuild tool versions so binary releases and docker\n  releases are built in the same way.\n\n### Removed\n- Removed dockerfile generation of empty config file. This is now handled\n  by the backend when it runs for the first time.\n- Remove frontend Settings link to backend URL. Link just goes to a 404\n  so there isn't really a point.\n- Remove Roboto font include and move it to external files.\n\n\n## [v0.14.1] - 2023-10-17\n\nThere are two significant updates in this version. The first is the removal\nof dev mode and related feature disablement over http. This provides more\nconfiguration flexibility (e.g. behind a reverse proxy) but does forego\nsome security. Users are trusted to choose what is right for them.\n\nThe other major update is the addition of the ability to review orders\nthat are in progress or queued up to be worked. The new section \"Order\nQueue\" shows both orders actively being worked by a worker and also\norders awaiting an available worker. The list of orders shown under edit\ncertificate also reflects if a particular order is already in the queue\nand the \"Retry\" button is disabled if the order is already queued up. 
This\nfeature should eliminate some of the \"guessing\" about what LeGo is doing\nin the background without having to look through the logs.\n\n### Added\n- Add ability to view orders currently being worked on and queued to be\n  worked on when a worker is available.\n\n### Changed\n- Update worker log messages to include worker number.\n- Return 404 for bad routes instead of 401.\n- Frontend dev mode replaced with show/log debug info. This is set by the\n  backend if log level is debug.\n- Change some minor styling on frontend.\n- On frontend edit certificate, update order status to reflect information\n  if the order is in the order worker queue.\n\n### Fixed\n- Fix border colors on input array of objects of text fields.\n\n### Removed\n- Remove dev mode.\n- Remove disabling of certain functions when server is running over http\n  (instead of https).\n- Remove password complexity requirements.\n\n\n## [v0.14.0] - Skipped\n\n## [v0.13.1] - 2023-10-12\n\nThis release adds the ability to add, edit, and delete providers via the\nfrontend GUI. It is now possible to setup LeGo without manually editing\nthe config file. You should still check the config example to see if you\nneed or want to set any of those options.\n\n### Added\n- Add ability to add, edit, and delete providers via the GUI and without\n  having to restart LeGo.\n- Add example config to release packages and docker image. This should\n  have been added last version.\n\n### Changed\n- If dns_checker can't properly configure dns servers, fallback to sleep\n  for 2 minutes. This is to avoid app start failure in this instance and\n  instead to use a reasonable alternative. An error is still logged.\n- Change deprecated substr func to substring func.\n- Set 'Revoke' button on certificate orders to be red.\n- Don't redact acme-dns provider info. 
It isn't sensitive enough to\n  justify the additional complexity.\n- Always log some basic info when orders are placed and completed.\n  Previously this was only showing at debug log level.\n\n### Fixed\n- Fix sometimes non-unique key on GUI display of provider config.\n- Fix handling of redacted info when it is POSTed.\n\n### Removed\nN/A\n\n\n## [v0.13.0] - 2023-10-10\n\n> **Warning**\n> Please read as there are breaking changes requiring manual intervention.\n\n1: LeGo config MUST be updated using the new provider format which includes\nspecifying domains. See the example config file. A wildcard provider can also\nbe configured (single domain of *) and LeGo will use this provider if there\nis no provider configured for a given domain. If you only use one provider,\nyou should add the wildcard domain and you're done.\n\n2: Domain arg has been removed from dns manual scripts. Domain cannot be reliably\ndetermined and as such it has been removed. This caused the position of the args\nfor these scripts to move and your scripts will need an update if you use this\nmethod.\n\n3: Removed redirects from old paths. When LeGo added the base path /legocerthub\nold routes at base / were given redirects to prevent breakage. These redirects\nare now removed and any clients using the old paths will need their scripts\nupdated.\n\nThis release does away with the need to select a challenge provider for each\ncertificate. It also has several tweaks and minor fixes.\n\nThe groundwork is also in place to add/edit/delete providers via the GUI. This\nwill be added in a future version.\n\n### Added\n- Add environment output on sample dns scripts.\n- Add backend functionality to modify providers while server is running via\n  routes. 
Frontend modification not yet added.\n- Add ability to view providers in the frontend.\n\n### Changed\n- Update to logging of some debug info.\n- Separate default config from example config to make it more apparent what the\n  default settings are.\n- Reduce API key length from 48 to 32. This is based on an entropy calculation\n  and still provides adequate security.\n- Move ACME Servers to side bar in frontend navigation.\n- Update config version from 0 to 1 (see notes above).\n- Code clean up in several spots.\n- Clarified various log messages.\n- Clean up and streamline logic for form handling on frontend, including\n  common input handler.\n\n### Fixed\n- Do a better job of redacting certain sensitive information in debug logs.\n- Fix api keys form unchanged calculation.\n- Add openssl to dockerbuild (needed for acme.sh).\n- Fix usage of access_token by frontend.\n- Fix manifest paths.\n\n### Removed\n- Remove need to select a challenge method. Instead, domains are configured\n  and LeGo automatically selects the correct provider based on the domains\n  in the certificate.\n\n\n## [v0.12.6] - 2023-08-20\n\nReleasing solely to fix importing of private keys via the frontend UI.\nThere are other minor changes but they are so minor they probably aren't\nrelevant to users.\n\n### Added\nN/A\n\n### Changed\n- Generic-ify SafeMap (minor code clean improvements).\n- Minor update to handling of empty acme time in Order object NotBefore\n  and NotAfter fields.\n- Verify session is still valid before refreshing a session. This was\n  already being done, but made it more explicit.\n\n### Fixed\n- Fix private key import via frontend UI.\n\n### Removed\nN/A\n\n\n## [v0.12.5] - 2023-08-11\n\nThis release adds shutdown and restart functions. Otherwise, it mainly\nfixes some minor bugs and optimizes some code.\n\nConfig Note: 'private_key_name' is no longer a config field. 
The key\nis now derived from 'certificate_name'.\n\n### Added\n- Add shutdown and restart routes with buttons in frontend to trigger\n  those routes.\n\n### Changed\n- Update some route names.\n- Update LeGo https certificate reload logic to no longer require a go\n  routine. LeGo cert will update as soon as it renews.\n- Optimize view log handler for better memory footprint.\n- Update output package to remove unneeded vars.\n\n### Fixed\n- Fix broken log download handler and optimize related code.\n- Modify logger so it is gracefully closed on exit, though it is not\n  perfect due to lumberjack bug:\n  https://github.com/natefinch/lumberjack/issues/56\n- Fix log view handler failing to close file.\n\n### Removed\n- Remove LeGo config option for private key. Private key is now derived\n  from the certificate name.\n\n\n## [v0.12.4] - 2023-08-08\n\nThis release resolves a significant issue with the challenge solver\nfailing in certain cases involving wild card certificates or multiple\nACME providers.\n\n### Added\n- Add an error if user tries to enable acme.sh on a Windows server.\n- Add better notes in default config regarding acme.sh options.\n- Add shutdown handler for client to trigger LeGo shutdown.\n- Make WorkTracker data type for reuse.\n\n### Changed\n- Move pprof to its own http server and port.\n- Significant overhaul of custom http client to make it more sane.\n- Rework how challenge resource provisioning is tracked. Instead of in\n  each method, centralize in Challenges package.\n- Some minor code tidy up.\n\n### Fixed\n- Fix when multiple workers are trying to solve Challenges that use\n  the same resource name. This could cause Orders to fail under certain\n  conditions. Instead, queue the resources and solve the Challenges\n  one at a time.\n- Make Cloudflare use the app's http Client with the proper settings.\n\n### Removed\nN/A\n\n\n## [v0.12.3] - 2023-08-06\n\nThis version is mostly minor fixes.  
Pprof support is also added.\n\n### Added\n- Add pprof support. Default config option has it disabled though.\n- On account object output, include EAB and TOS fields for the relevant\n  ACME server.\n\n### Changed\n- Conditionally show EAB fields only when they're needed.\n- Only show KID on frontend if debug and it is known.\n- Use http.ServeContent to serve zip files.\n- Deprecate 'domain' arg in dns01 manual method.\n- Set directory refresh to occur at 1am + random minute rather than 24\n  hours from the last one.\n\n### Fixed\n- Fix Cloudflare challenge method failing for domains where the zone has\n  more than two parts (e.g. some-name.in.ua).\n  See: https://github.com/gregtwallace/certwarden/issues/22\n- Minor code cleanup (move an error, remove an export, and fix a typo).\n\n### Removed\n- Cloudflare zone map does not require safety, so mutex was removed.\n\n\n## [v0.12.2] - Skipped\n\n## [v0.12.1] - Skipped\n\n## [v0.12.0] - 2023-07-27\n\nThis version brings support for conditional headers. 
It also cleans up\nsome of the backend logic and fixes a couple of issues.\n\n### Added\n- Add etag header to pem files when they're sent.\n- Add last-modified time stamp to pem files when they're sent.\n- Add support for request headers if-match and if-none-match.\n- Add support for request headers if-modified-since and\n  if-unmodified-since.\n- Add support for request header if-range.\n\n### Changed\n- Use http.ServeContent to send pem files to clients instead of previous\n  Write method.\n- Switch to a separate CORS package for ease of use and to ensure proper\n  specs are followed without having to maintain it myself.\n- Overhauled logic in storage and download packages so pem output is a\n  little more sane.\n- Updated output package logging to make it a little cleaner and clarify\n  some log messages.\n\n### Fixed\n- Fixed issue where legacy request api keys would be saved to log.\n- Fixed check that always said db needs an upgrade in new version even\n  when it didn't.\n- Added missing x-api-key and apikey headers to CORS list.\n\n### Removed\nN/A\n\n\n## [v0.11.1] - 2023-07-26\n\nThe only fix in this update is acme.sh being added to the Docker\ncontainer. If you're not using Docker, there is no difference between\n0.11.0 and 0.11.1.\n\n### Added\nN/A\n\n### Changed\nN/A\n\n### Fixed\n- Fixed acme.sh not installing into the Docker container.\n\n### Removed\nN/A\n\n\n## [v0.11.0] - 2023-07-25\n\nThis release streamlines new certificate creation by allowing simultaneous\nkey generation. In the new certificate 'private key' drop down, there is a\nnew option to generate a key. This eliminates the need to make a new key\nseparately first. 
The key name, description, and other fields are copied\nfrom what is specified on the certificate.\n\n### Added\n- Add ability to generate a key simultaneously with a new certificate.\n\n### Changed\n- Set default new key to Generate and ECDSA P-256.\n\n### Fixed\nN/A\n\n### Removed\nN/A\n\n\n## [v0.10.5] - 2023-07-22\n\nThis update fixes the acme.sh challenge method when running in Docker\ncontainer. It also bundles the acme.sh scripts with LeGo so no extra\nmodifications are needed to use this method.\n\n### Added\n- Bundle acme.sh scripts (v3.0.6) with LeGo.\n\n### Changed\nN/A\n\n### Fixed\n- Fix acme.sh challenge method when running in Docker.\n- Fix linux scripts (primarily install and upgrade scripts).\n\n### Removed\nN/A\n\n\n## [v0.10.4] - 2023-07-18\n\nThis release mainly upgrades code dependencies.\n\n### Added\n- Some default config comments regarding Docker.\n\n### Changed\n- Upgrade to Go 1.20.6.\n- Upgrade to Node 18.17.\n- Upgrade to Vite 4.4.4.\n- Upgrade to eslint 8.45.0.\n- Upgrade to semver 6.3.1.\n- Upgrade @emotion/react                ^11.10.6  →   ^11.11.1\n- Upgrade @emotion/styled               ^11.10.6  →   ^11.11.0\n- Upgrade @fontsource/roboto            ^4.5.8    →   ^5.0.5\n- Upgrade @mui/icons-material           ^5.11.16  →   ^5.14.0\n- Upgrade @mui/material                 ^5.12.2   →   ^5.14.0\n- Upgrade @types/react                  ^18.0.28  →   ^18.2.15\n- Upgrade @types/react-dom              ^18.0.11  →   ^18.2.7\n- Upgrade @vitejs/plugin-react-swc      ^3.0.0    →   ^3.3.2\n- Upgrade axios                         ^1.3.6    →   ^1.4.0\n- Upgrade eslint-plugin-react-refresh   ^0.3.4    →   ^0.4.3\n\n### Fixed\n- Fixed refresh cookie when running in http mode.\n- Fixed typo in NODE_VERSION build var.\n\n### Removed\nN/A\n\n\n## [v0.10.3] - 2023-07-05\n\nThis release adds the ability to manually edit API keys. 
This functionality\nis intended for advanced users only.\n\nThere are also a number of minor bug fixes.\n\n### Added\n- Added ability to directly edit API keys. This is generally discouraged\n  though.\n\n### Changed\n- Improved Cloudflare error logging.\n- Reorganize file structure of some frontend components.\n\n### Fixed\n- Fixed bad app redirect from root path `/`.\n- Fixed bad redirect from http to https in certain configurations.\n- Fixed sql query for PUT on certs.\n- Fixed sql query for PUT on keys.\n- Fixed edit cert re-render due to incorrect comparison of subject alt\n  arrays.\n\n### Removed\nN/A\n\n\n## [v0.10.2] - 2023-06-30\n\nMinor updates including modifying the base path for services so LeGo can sit\nbehind a reverse proxy.\n\nIdeally you would update all client scripts to include the new base path when\naccessing the api (e.g. `/legocerthub/api`), however, redirect routes were\nadded so this isn't necessary (yet).\n\n### Added\n- Add base path of `/legocerthub` for both /app and /api. This allows LeGo to\n  sit behind a reverse proxy. Redirect routes were added to provide backward\n  compatibility with scripts calling the old paths (assuming LeGo isn't behind\n  a reverse proxy).\n- Add comments regarding how to configure cloudflare dns challenges.\n\n### Changed\n- Cloudflare dns challenge no longer requires specifying zone names when using\n  an API token. LeGo automatically queries for available zones.\n- Cloudflare dns challenge confirms that the proper permission exists (edit dns)\n  before adding a zone (domain) to the configured list. If the permission is\n  missing, a warning is logged.\n\n### Fixed\n- Modify `netcap` command in linux install and update scripts. 
Some OSes\n  will error if the command uses a wildcard.\n- Fix typo relating to cloudflare dns challenges in config.default.yaml.\n\n### Removed\n- Removed unused var when backend creates environment for frontend.\n\n\n## [v0.10.1] - Skipped\n\n## [v0.10.0] - 2023-06-19\n\nPrimarily this update adds support for custom ACME Servers instead of just\nhardcoding Let's Encrypt. This functionality can be found in the web UI\nSettings. I've done some testing with Google Cloud but that's about it. LE\nis still the most tested provider but feel free to open issues if you run\nacross problems with others.\n\nWarning: Your database schema will be modified upon install, so make sure you do\na backup just in case.\n\nWarning 2: If you've changed the default ACME server in the last version you\nwill need to manually edit the database after upgrade to fix the directory\nURLs. The upgrade assumes prior use of LE servers and sets those values.\n\n### Added\n- Add acme_servers package to manage acme services. This allows users to define\n  which ACME Servers they want to use instead of just Let's Encrypt.\n- Add comments in default config to elaborate on what dev_mode does.\n- Add db user_version as part of db creation.\n- Add db user_version upgrade logic from v0 to v1 (these changes are to\n  implement the new acme_servers package).\n- Add information on server status and new versions regarding db version.\n- Add warning in frontend if new version will update db user_version.\n- Add widget in Settings to link to ACME Servers viewing and editing. This is\n  instead of adding a sidebar link.\n\n### Changed\n- Update Vite to version 4.3.9.\n- Refactor challenges so storage does not depend on it. 
This also changes the\n  logic for who enabled/disabled is reported.\n- Don't export Storage service members.\n- Modify frontend to reflect changes to backend status and new version reporting.\n- Lint Button component.\n\n### Fixed\n- Fix a broken error check in certificates.\n- Fix frontend password length check to match backend (which was changed last\n  version).\n\n### Removed\nN/A\n\n\n## [v0.9.4] - 2023-06-02\n\nThis fixes the docker health check and http redirect.\n\n### Added\n- Add a debug log line for the start up of the dns_checker service.\n- Add `/api/health` endpoint. This endpoint does not require authentication and\n  returns a 204 if the server is running.\n\n### Changed\n- Reduce min password length from 10 to 8 characters. This is less secure, please\n  don't actually do it! If you're doing dev work and want a bad password strictly\n  for testing, turn devMode on and min length is completely removed.\n\n### Fixed\n- Fix docker healthcheck failing. Corrected healthcheck in Dockerfile and also\n  set it to the `/api/health` endpoint.\n- Fix unlikely case where isRefreshing may not properly change back to false on\n  the frontend if the token refresh errored.\n- Fix http redirect in cases where bind address is not the correct browser address.\n  For example, previously binding to `0.0.0.0` would cause an incorrect redirect to\n  https://0.0.0.0 rather than the actual server. 
The new method uses the same\n  hostname as was in the original request so it doesn't matter what the bind\n  address is set to or what alias the client is using to connect.\n\n### Removed\nN/A\n\n\n## [v0.9.3] - 2023-05-20\n\nFixes dns_checker null pointer bug where dns methods don't work if Cloudflare\nmethod was not enabled (even if not using Cloudflare).\n\n### Added\n- Add External Account Binding support, though support of alternate CAs is\n  still considered experimental.\n- Add generic error code catcher on ACME calls.\n\n### Changed\n- Require email on accounts.\n\n### Fixed\n- Fix issue where dns_checker didn't start if dns-01 was being used but\n  Cloudflare was disabled.\n- Fix non-standard account field `createdAt`.\n- Fix response processing of account key rollover action.\n- Fix issue where frontend would erroneously display a `0` in form footers.\n\n### Removed\nN/A\n\n\n## [v0.9.2] - 2023-05-19\n\nThanks to those that have made contributions!\n\n### Added\n- Build arm64 support both as binary and as docker image.\n- Add docker-compose.yml sample to repo.\n- Add sample docker build & commands.\n- Docker first run includes `config_version` now.\n- EXPERIMENTAL: Allow changing of ACME directories in config.\n\n### Changed\n- Changed docker binary to match other binaries.\n- Made acme.sh temp script name more specific.\n\n### Fixed\nN/A\n\n### Removed\n- All logging saves to log files now. `log` package has been completely \n  removed.\n- Removed frontend references to Let's Encrypt.\n\n\n## [v0.9.1] - 2023-05-17\n\nTwo additional challenge methods have been added. Most excitingly, if you\nclone the acme.sh repo you can use ANY dns provider supported by that set\nof scripts without having to edit any scripts yourself.\n\nSupport for acme-dns was also added.\n\nYou should add `config_version: 0` to your config file as this is a new\ncheck. 
Nothing will break without it but you will get an error in the log.\n\n### Added\n- Config version check to help flag when breaking changes are anticipated\n  during a version upgrade.\n- Support for acme-dns server (https://github.com/joohoi/acme-dns)\n- Support for acme.sh (https://github.com/acmesh-official/acme.sh)\n- Support for environment variables in dns-01 manual shell scripts.\n\n### Changed\n- Change update check display to show time last checked.\n\n### Fixed\n- Logging of stderr for dns-01 manual shell scripts.\n\n### Removed\nN/A\n\n\n## [v0.9.0] - 2023-05-13\n\nThis release brings a number of changes including an automatic check for new\nversions as well as docker support. Please review the config.default.yaml to\nensure you're using all of the desired settings.\n\n### Added\n- Added update check that queries a remote json file daily to determine if a\n  new version is available. Auto update is not part of this and may be added at\n  a later date.\n- Docker support.\n- Log app version on start to make logs clear as to which version was running\n  during an event.\n\n### Changed\n- Allow really poor passwords in dev mode (removed min character length).\n\n### Fixed\n- Minor type fix in challenges.\n- Minor simplification of auth construction.\n- Flexbox on navbar.\n- Password change error not properly displaying.\n- Missing useEffect dependency in main.\n\n### Removed\n- Removed 'hostname' config option. Backend now configures the self hosted\n  frontend with an absolute path so a hostname isn't needed.\n\n\n## [v0.8.0] - 2023-05-04\n\n> **Warning**\n> Please read as there are breaking changes requiring manual intervention.\n\nlego-certhub.db, config.yaml, and the log folder need to be manually moved to\na /data subfolder if coming from a prior release.\n\nYou may also need to update your config file:\n- 'bind_address' added to specify what address the server should bind to. 
The\n  default is blank which binds to all available addresses.\n- 'cors_permitted_origins' should be set if you need cross-origin support.\n\n### Added\nBackend\n- Added 'bind_address' configuration option which defaults to all addresses.\n- Added 'cors_permitted_origins' to define permitted origins for cross-origin\n  requests.\n\nFrontend\n- Added highlighting on active navbar route.\n\n### Changed\nBackend\n- Moved db, config, and log storage to /data subfolder (primarily to make\n  docker mounting easier).\n- Updated cross-origin configuration to better match intent.\n- API URL for hosted frontend is based on config 'hostname'. This should be\n  a dns resolvable fqdn.\n- Updated some log messages regarding server start and bind address.\n- 'hostname' functionality was clarified.\n- Simplified subject validation functions on certificates.\n- Did some linting on certificates put function.\n\nFrontend\n- Updated ApiError wording.\n- Updated navbar components to make a little nicer.\n\n### Fixed\nBackend\n- Fixed cookie to properly permit cross-origin refresh. If cross-origin is not\n  configured, cookie SameSite is set to strict for added security.\n- Fixed inability for ACME Accounts secured by RSA key to validate DNS\n  challenges. 
(https://github.com/gregtwallace/certwarden-backend/issues/1)\n\nFrontend\n- Fixed a path that was not properly updated when moving to Vite.\n- Fixed auth_expiration management by moving from a cookie to session storage.\n- Fixed app rendering where the wrong render would briefly appear before App\n  had loaded session storage data.\n\n### Removed\nBackend\n- Localhost is no longer always allowed by cross-origin header.\n- Removed some details regarding backend configuration when querying status.\n- Removed login expiration cookie.\n\nFrontend\n- Removed details related to backend status call change.\n\n\n## [v0.7.0] - 2023-04-29\n\nMajor updates were made to the frontend in this release, including removing\nCreate React App and replacing it with Vite.\n\n### Added\nBackend\n- Added tests for validation package.\n\nFrontend\n- Defined props with prop-types.\n- Added sublabel on text array component.\n- Added placeholder message on empty InputSelect fields.\n\n### Changed\nBackend\n- Log Cloudflare domains at Info level.\n- Updated email validation regex and method. Domain piece uses domain validator\n  and email username is separately validated.\n- DNS Manual Script name updated.\n\nFrontend\n- Port from Create React App to Vite (CRA is deprecated).\n- Moved constants to a separate file.\n- Updated paths for navigation when using cancel and submit buttons. 
Next\n  destination is now explicit rather than relative.\n- Login form clears if backend rejects the login.\n\n### Fixed\nFrontend\n- Did a ton of linting.\n- Fixed issue where Axios errors could cause a loop on logout and also cleaned\n  up Axios error handling in general.\n- Fixed issue where Rollover Account Key would still show loading message even\n  after loaded.\n\n### Removed\nFrontend\n- Removed dummy forms.\n- Removed duplicative FormError component and replaced with common ApiError\n  component.\n\n\n## [v0.6.11] - 2023-03-12\n\n### Added\n- Added debug log message when dns checker is configured to skip the check.\n\n### Changed\n- Update dependency versions: x/text, x/net, x/time, x/crypto, & go-retryablehttp\n- Abort dns checker sleep when configured to skip and shutdown signal is received.\n\n### Fixed\n- Patched several CVEs by upgrading dependencies, including CVE-2022-32149,\n  CVE-2022-41721, CVE-2022-27664, and CVE-2022-41723.\n- Add missing error check in Cloudflare challenge provider.\n\n### Removed\nN/A\n\n\n## [v0.6.10] - 2023-03-08\n\n### Added\nN/A\n\n### Changed\n- Update Go version and move Node and Go versions to global variables in build script.\n- Rename DNS example scripts to avoid accidental overwrite.\n- Minor code clarification in CORS.\n\n### Fixed\nN/A\n\n### Removed\nN/A\n\n\n## [v0.6.9] - 2023-01-29\n\n### Added\n- Config option to disable dns checker module. Instead, specify a time to sleep and\n  then assume dns propagated successfully.\n- Manual DNS script challenge validation module. Calls external scripts to create\n  and remove DNS records. This allows support for any DNS provider. 
Add example scripts\n  to show variables available to scripts.\n- Add some more config comments on dns checker config.\n\n### Changed\n- Better logging for config parsing.\n- Better authentication logging for audit trail.\n- Better download logging for audit trail.\n- Exit on improperly formatted config.yaml\n\n### Fixed\n- Fix install and upgrade linux scripts to work when called from any path.\n- Fix auto order logic that could sometimes result in the job being called\n  twice on the same day.\n- Include subject in the CSR DNSNames field (not just Alt Names). LE accepted the\n  previous method but Pebble returns an error without this.\n- Frontend: Fix missing Staging Flag in All Certificates.\n- Frontend: Fix wrong information in confirm delete certificate Dialog.\n\n### Removed\nN/A\n"
  },
  {
    "path": "Dockerfile",
    "content": "# example build:\n# docker build . --build-arg=BACKEND_VERSION=v0.8.0 --build-arg=FRONTEND_VERSION=v0.8.0 -t certwarden:v0.8.0\n\n# example master branch build and export\n#   docker builder prune -a \n#   docker build . --build-arg=BACKEND_VERSION=master --build-arg=FRONTEND_VERSION=master -t certwarden:v0.24.5-a1\n#   docker save -o ./out/cw0.24.5-a1.tar certwarden:v0.24.5-a1\n# import into docker\n#   docker load -i ./cw0.24.5-a1.tar\n\n# example run\n# docker run -d --name certwarden -e TZ=Europe/Stockholm -v ./data:/app/data -p 4050:4050 -p 4055:4055 -p 4060:4060 -p 4065:4065 -p 4070:4070 ghcr.io/gregtwallace/certwarden:latest\n\n# Versions - keep in sync with build_releases.yml\nARG ALPINE_VERSION=3.23\nARG GO_VERSION=1.26.2\nARG NODE_VERSION=24.15.0\n# https://hub.docker.com/_/alpine\n# https://hub.docker.com/_/golang\n# https://hub.docker.com/_/node\n\nFROM node:${NODE_VERSION}-alpine${ALPINE_VERSION} AS frontend_build\n\nARG FRONTEND_VERSION\n\nWORKDIR /\n\nRUN apk add git && \\\n    git clone --depth 1 --branch \"${FRONTEND_VERSION}\" https://github.com/gregtwallace/certwarden-frontend.git /src && \\\n    cd /src && \\\n    npm clean-install && \\\n    npm run build\n\n\nFROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS backend_build\n\nARG BACKEND_VERSION\nARG CGO_ENABLED=1\n\nENV CGO_CFLAGS=\"-D_LARGEFILE64_SOURCE\"\n\nWORKDIR /\n\nRUN apk add git gcc musl-dev && \\\n    git clone --depth 1 --branch \"${BACKEND_VERSION}\" https://github.com/gregtwallace/certwarden-backend.git /src && \\\n    cd /src && \\\n    go build -o ./certwarden ./cmd/api-server\n\n\nFROM alpine:${ALPINE_VERSION}\n\nWORKDIR /app\n\n# acme.sh dependencies\nRUN apk add bash\nRUN apk add curl\nRUN apk add openssl\nRUN apk add oath-toolkit-oathtool\nRUN mkdir -p /root/.acme.sh\n\n# timezone support\nRUN apk add --no-cache tzdata\n\n# copy app\nCOPY --from=backend_build /src/certwarden .\nCOPY --from=backend_build /src/config.default.yaml .\nCOPY --from=backend_build 
/src/config.example.yaml .\nCOPY --from=backend_build /src/config.changelog.md .\nCOPY --from=backend_build /src/scripts/linux ./scripts\nCOPY --from=frontend_build /src/dist ./frontend_build\nCOPY ./README.md .\nCOPY ./CHANGELOG.md .\nCOPY ./LICENSE.md .\n\n# permissions for scripts (*.sh files only)\nRUN find ./scripts -type f -name \"*.sh\" -print0 | xargs -0 chmod 755\n\n# make default data folder\nRUN sh -c \"mkdir /app/data\"\n# defer empty config file generation to Cert Warden on first run (if not manually made by user prior)\n\n# Note: Do not disable http redirect once https is configured or healthcheck will break\nHEALTHCHECK CMD curl --silent --output /dev/null --fail http://localhost:4050/certwarden/api/health || exit 1\n\n# http / https server\nEXPOSE 4050/tcp \nEXPOSE 4055/tcp\n\n# http challenge server\nEXPOSE 4060/tcp\n\n# pprof http / https\nEXPOSE 4065/tcp\nEXPOSE 4070/tcp\n\nCMD [\"/app/certwarden\"]\n"
  },
  {
    "path": "LICENSE.md",
    "content": "Personal, private (non-commercial) use of this software is permitted.\n\nAll Rights Reserved\n\nCopyright (c) 2022-25 Greg T. Wallace\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n\nALL CONTRIBUTIONS TO THIS SOFTWARE SUBMITTED VIA ISSUES, PULL REQUESTS, OR\nANY OTHER METHOD CONSTITUTE A RELEASE OF ANY AND ALL RIGHTS TO SAID\nCONTRIBUTION. IN ADDITION TO THE AFOREMENTIONED RELEASE, CONTRIBUTIONS BECOME\nGOVERNED BY THIS LICENSE AND ALL RIGHTS ARE RESERVED TO THIS PROJECT'S\nCOPYRIGHT HOLDER.\n"
  },
  {
    "path": "README.md",
    "content": "# Cert Warden\nCentralized Certificate Management\nConveniently Leverage Let's Encrypt to Secure Your Infrastructure\n\n\n## More Information\nhttps://www.certwarden.com/\n\n\n## Download\nBinary Releases\n\nhttps://github.com/gregtwallace/certwarden/releases\n\nGitHub Packages\n\nhttps://github.com/gregtwallace/certwarden/pkgs/container/certwarden\n\n\n## Sources\nBackend\nhttps://github.com/gregtwallace/certwarden-backend\n\nFrontend\nhttps://github.com/gregtwallace/certwarden-frontend\n"
  },
  {
    "path": "build.ps1",
    "content": "# Parent dir is root\n$scriptDir = Get-Location\n$rootDir = Split-Path -Path $scriptDir -Parent\n$outDir = Join-Path -Path $scriptDir -ChildPath \"/out\"\n\n## Backend\nSet-Location $rootDir/certwarden-backend\n\n# Include config example\nCopy-Item -Path $rootDir/certwarden-backend/config.default.yaml -Destination $outDir\n\n# Mandatory env flag for sqlite\n$env:CGO_ENABLED = 1\n\n# Windows x64\n$env:GOARCH = \"amd64\"\n$env:GOOS = \"windows\"\ngo build -o $outDir/certwarden.exe ./cmd/api-server\n\n## Frontend\nSet-Location $rootDir/certwarden-frontend\nnpx vite build\n\n# remove old build\nRemove-Item -Path $outDir/frontend_build -recurse\nNew-Item -ItemType Directory -Force -Path $outDir/frontend_build\n\n# move to out\nMove-Item -Path $rootDir/certwarden-frontend/dist/* -Destination $outDir/frontend_build\n\n# Return to original path\nSet-Location $scriptDir\n"
  },
  {
    "path": "build.sh",
    "content": "#/bin/bash\n\nrepo=/home/greg/certwarden-backend\ncertwarden_path=/opt/certwarden\n\ncd $repo\ngit fetch origin\ngit pull\n\nexport CGO_ENABLED=1\n\ngo build -o $repo/certwarden ./cmd/api-server\n"
  },
  {
    "path": "docker-compose.yml",
    "content": "version: '3'\n\nservices:\n  certwarden:\n    container_name: certwarden\n    image: ghcr.io/gregtwallace/certwarden:latest\n    restart: unless-stopped\n    ports:\n      - 4050:4050 # server interface (http)\n      - 4055:4055 # server interface (https)\n      - 4060:4060 # http-01 challenge server (http)\n      - 4065:4065 # pprof debug server (http)\n      - 4070:4070 # pprof debug server (https)\n    volumes:\n      - ./data:/app/data\n"
  },
  {
    "path": "version.json",
    "content": "[\n  {\n    \"channel\": \"beta\",\n    \"version\": \"0.29.3\",\n    \"config_version\": 5,\n    \"database_version\": 11,\n    \"url\": \"https://github.com/gregtwallace/certwarden/releases/tag/v0.29.3\"\n  }\n]\n"
  }
]