v0.13.0 - March 19, 2018

  • FEATURE: Wildcard certificates can now be issued.
    • See the Wildcard documentation for more details.
    • It is only available when using DNS-based validation (which is a decision left to the end-user)
    • You may need to tune the DNS Challenge Delay if your hosting environment has large DNS clusters or a high zone count.
  • FEATURE: DNS-based validation is now available and is no longer a feature preview.
    • This is an alternative to the default, HTTP-based validation method
    • Both HTTP and DNS methods are available on all new and upgraded installations, but can be controlled by the WHM administrator.
    • The HTTP method remains the default option for new certificate issuances and the recommended option for most users
    • The HTTP method remains the only option for certificates issued via the AutoSSL feature
    • End-users may choose which validation method to use on a per-certificate basis
  • IMPROVEMENT: The AutoSSL feature has been significantly extended:
    • It will now try to include cPanel proxy subdomains, e.g. webmail., cpanel., webdisk. This can be disabled by the autossl_skip_proxy_subdomains configuration flag.
    • AutoSSL will stop retrying domains that fail continuously for an extended period.
    • AutoSSL will try to issue certificates for virtual hosts that have no valid certificate or whose certificate is imminently expiring (48h). Previously, it would refuse to run on any account that had any third-party certificates.
    • AutoSSL remains disabled by default.
  • IMPROVEMENT: Renewals that fail repeatedly are now subject to a number of inhibitions.
    • Only 1 email every 2 days, at most, will be sent per certificate
    • Failing renewals now follow a linear back-off after a threshold.
      • After 10 consecutive renewal failures (~5 days), a delay of max(1 week, (12 hours * max(0, Fail_Count - 10))) is applied at each attempt. This is reset after a successful renewal.
      • This is designed to deprioritize abandoned accounts/domains and save server and CA/rate limit resources.
    • It is always possible to immediately re-issue the certificate from the user interface.
  • MISC: The ACME client implementation has been completely rewritten for ACME v2
    • This should be fully compatible with all existing accounts and certificates and there should be no perceptible difference to end-users.
    • The library is available under an open source licence at https://github.com/eggsampler/acme
  • FIX: BoltDB (embedded database used for non-critical state) has been upgraded and now automatically deals with corruption.
  • MISC: Self-test now tests that BoltDB is functional.
  • MISC: Added a le-cp fetch-licence <order ID> <auth code> convenience command.
  • MISC: Added a le-cp send-logs convenience command.
  • MISC: Upgraded to Go 1.10.