This plugin contains a full ACME protocol implementation based on the
acme.sh project.  According to the authors, it's probably "the easiest
and smallest and smartest shell script" to automatically issue and renew
the free certificates from Let's Encrypt.

WWW: https://github.com/acmesh-official/acme.sh

Plugin Changelog
================

4.11

Added:
* add support for Hetzner Cloud DNS API (#5020)
* add support for Selectel.ru V2 API (#4824)
* add support for mijn.host DNS API (#4446)
* add support for AzureDNS System Assigned Managed Identity #4830 (4830)
* add support for ZoneEdit DNS API (#4671)

Changed:
* use mwexec/file_safe for HTTP-01/TLSALPN challenge types (core #9325)

Fixed:
* fix deprecated PHP syntax in cron settings (#4824)

Deprecated:
* deprecate support for HTTP-01 challenge types (no removal date yet)

4.10

Added:
* new automation to reload www/caddy (#4692)
* new automation to upload to Proxmox Backup Server (#4785)
* add support for Websupport.sk DNS API (#4540)
* add SFTP option: Preserve Modification Time (#3862)

Changed:
* automatically fix account config if CERT_HOME is set (#4622)
* automatically resolve cron job mismatch (#4627)
* change default SFTP options to NOT preserve modification time (#3862)
* migrate SFTP/SSH operations to AcmeClient logging
* add detailed SFTP/SSH logging when debug logging is enabled
* add new log messages and improve existing ones

Fixed:
* deploy hooks may use the old CERT_HOME (#4622)
* acme.sh is always called with "--days 1" (#4711)
* avoid startup error: "rmdir... Not a directory" (#4743)
* fails to create/update cron job on UUID mismatch (#4627)
* accounts/certificates not visible on 25.7 alpha (#4790)

Removed:
* remove stdout (CLI) logging from SFTP library

4.9

Added:
* Add support for Scaleway DNS API (#4492)

4.8

BREAKING CHANGE: Let's Encrypt ends support for the OCSP Must Staple
extension on 30.01.2025. Issuance requests will fail if this option is
still enabled past this date.

Changed:
* Add note regarding the support of OCSP

Fixed:
* SFTP automation unable to transfer certs (#4477)

4.7

Added:
* Add support for MyDNS.JP DNS API (#4328)
* Add support for fornex DNS API (#4389)
* Add support for OTP Code to Synology deploy hook (#4045)
* Add support for Shared Secret to INWX DNS API (#3942)

Changed:
* Convert Synology deploy hook variables to uppercase (#4286)
* Migrate to MVC Trust storage

Fixed:
* SFTP/SSH automation results in fatal PHP error (#4363)
* Typo in INWX password field name
* Certs not fully functional after import into Trust storage (#4401)

4.6

Added:
* add Lima-City DNS API (#3566)

Fixed:
* fix Hashicorp Vault support, added Vault token (#4270)
* fix acme.sh error: "Cannot find dns api hook for..."

4.5

Fixed:
* fix empty System Log
* avoid unnecessary error log messages (#3860)
* don't log errors for successful commands (#3955)
* fix more PHP deprecation messages (#4008)

4.4

Fixed:
* fix EasyDNS variable assignment (#4068)

4.3

Fixed:
* fix acme.sh debug log levels (#3933)

4.2

Added:
* add ArtFiles DNS API (#3866)
* add dnsHome DNS API (#3882)
* add Oracle Cloud Infrastructure DNS API (#3901)

Fixed:
* fix PHP deprecation messages (#3892)

4.1

Fixed:
* automation does not start (#3790)
* bugfixes for HTTP-01 and TLS-ALPN-01 challenge types (#3813)

4.0

NOTE: This is a new major release with backwards-incompatible changes.
Downgrade to older releases is not supported. Be sure to create a
full backup and include /var/etc/acme-client.

NOTE: Lexicon is deprecated and most configurations are converted
to native acme.sh DNS APIs. However, in some case manual reconfiguration
may be necessary.

Added:
* add nic.ru DNS API (#3684)
* add Aurora DNS API
* add ConoHa DNS API
* add Constellix DNS API
* add Exoscale DNS API
* add internetbs.net DNS API
* add PointHQ DNS API
* add Rackspace DNS API
* add rage4 DNS API

Changed:
* use a dedicated acme.sh runtime directory for every cert (#3127)
* migrate lexicon provider aliyun to acme.sh DNS API (#2920)
* migrate lexicon provider aurora to acme.sh DNS API (#2920)
* migrate lexicon provider azure to acme.sh DNS API (#2920)
* migrate lexicon provider cloudflare to acme.sh DNS API (#2920)
* migrate lexicon provider cloudns to acme.sh DNS API (#2920)
* migrate lexicon provider cloudxns to acme.sh DNS API (#2920)
* migrate lexicon provider conoha to acme.sh DNS API (#2920)
* migrate lexicon provider constellix to acme.sh DNS API (#2920)
* migrate lexicon provider digitalocean to acme.sh DNS API (#2920)
* migrate lexicon provider directadmin to acme.sh DNS API (#2920)
* migrate lexicon provider dnsimple to acme.sh DNS API (#2920)
* migrate lexicon provider dnsmadeeasy to acme.sh DNS API (#2920)
* migrate lexicon provider dnspod to acme.sh DNS API (#2920)
* migrate lexicon provider dreamhost to acme.sh DNS API (#2920)
* migrate lexicon provider easydns to acme.sh DNS API (#2920)
* migrate lexicon provider exoscale to acme.sh DNS API (#2920)
* migrate lexicon provider gandi to acme.sh DNS API (#2920)
* migrate lexicon provider godaddy to acme.sh DNS API (#2920)
* migrate lexicon provider googleclouddns to acme.sh DNS API (#2920)
* migrate lexicon provider gratisdns to acme.sh DNS API (#2920)
* migrate lexicon provider henet to acme.sh DNS API (#2920)
* migrate lexicon provider hetzner to acme.sh DNS API (#2920)
* migrate lexicon provider infoblox to acme.sh DNS API (#2920)
* migrate lexicon provider internetbs to acme.sh DNS API (#2920)
* migrate lexicon provider inwx to acme.sh DNS API (#2920)
* migrate lexicon provider linode to acme.sh DNS API (#2920)
* migrate lexicon provider linode4 to acme.sh DNS API (#2920)
* migrate lexicon provider luadns to acme.sh DNS API (#2920)
* migrate lexicon provider namecheap to acme.sh DNS API (#2920)
* migrate lexicon provider namesilo to acme.sh DNS API (#2920)
* migrate lexicon provider netcup to acme.sh DNS API (#2920)
* migrate lexicon provider nfsn to acme.sh DNS API (#2920)
* migrate lexicon provider nsone to acme.sh DNS API (#2920)
* migrate lexicon provider online to acme.sh DNS API (#2920)
* migrate lexicon provider ovh to acme.sh DNS API (#2920)
* migrate lexicon provider plesk to acme.sh DNS API (#2920)
* migrate lexicon provider pointhq to acme.sh DNS API (#2920)
* migrate lexicon provider powerdns to acme.sh DNS API (#2920)
* migrate lexicon provider rackspace to acme.sh DNS API (#2920)
* migrate lexicon provider rage4 to acme.sh DNS API (#2920)
* migrate lexicon provider route53 to acme.sh DNS API (#2920)
* migrate lexicon provider transip to acme.sh DNS API (#2920)
* migrate lexicon provider vultr to acme.sh DNS API (#2920)
* migrate lexicon provider yandex to acme.sh DNS API (#2920)
* migrate lexicon provider zeit to acme.sh DNS API (#2920)
* migrate lexicon provider zilore to acme.sh DNS API (#2920)
* migrate lexicon provider zonomi to acme.sh DNS API (#2920)

Fixed:
* fix sporadic command failure with gcloud DNS API (#3745)
* fix errors when the same Common Name is used multiple times (#3127)
* fix crash on invalid automations (#3752)

Deprecated:
* deprecate support for lexicon DNS APIs (no removal date yet)

3.20

Added:
* add Bunny DNS API (#3715)
* add DNSExit DNS API (#3724)
* add World4You DNS API (#3722)

Changed:
* support token authentication in Gandi LiveDNS (#3526)

Fixed:
* fix 2FA support in Synology automation (#3627)

Removed:
* remove automation: Highwinds CDN (#3626)

3.19

Added:
* add IPv64.net DNS API (#3504)

Fixed:
* fix Proxmox VE deployhook (#3517)

3.18

Added:
* add support for TrueNAS deployhook (#3421)
* add support for Proxmox VE deployhook (#3422)
* add server,port and node name values for Proxmox VE deployhook (#3516)
* add Google Domains DNS API

3.17

Added:
* add DNS.services DNS API (#3399)
* add RegRu DNS API (#3359)

3.16

Added:
* add RegRu DNS API
* add JD Cloud DNS API (#3315)
* new automation: deploy certificates on Palo Alto Networks Firewall (#3289)

3.15

Added:
* add online.net DNS API (#3213)

Changed:
* increase max value for certificate renewal interval (#3219)

3.14

NOTE: Users of Selfhost need to manually fix their configuration, see
https://github.com/acmesh-official/acme.sh/wiki/dnsapi2#151-use-selfhost-dns-api

Added:
* add support for Google CA (#3029)
* add support for querying public DNS services (#3079)

Fixed:
* fix Selfhost DNS API (#3122)
* fix invalid cert state due to deploy error (#3120)

Changed:
* change default DNS sleep time to 0 (#3079)
* remove saved deploy hook from acme.sh config files (#3120)

3.13

Added:
* add Mythic Beasts DNS API (#2998)

3.12

Added:
* add Simply.com DNS API (#2888)
* add Active24 challenge type (#3049)
* add united-domains Reselling challenge type (#3066)
* add support for Zone ID in Cloudflare challenge type (#2973)
* new automation: upload certificate to Vault (#2796)

Fixed:
* re-order function parameters due to PHP8 deprecation notice (#3043)

Changed:
* simplyfi DNS service names
* relax port number restriction in SSH/SFTP automations (#3005)

3.11

Fixed:
* add missing <style> field for TransIP (#2981)

3.10

Added:
* new automation: run remote commands via SSH (#2757)

Fixed:
* unable to configure key in TransIP API (#2924)

3.9

Added:
* add support for Transip DNS API ( #2871)
* execution order of automations can be changed (#2833)

Fixed:
* fix the use of a self hosted ACME-DNS service (#2898)

3.8

NOTE: Support for the cPanel and Selfhost API is not functional. It requires
a new version of acme.sh, which has not been released yet.

Added:
* add support for cPanel HTTP API (#2731)
* add support for Selfhost DNS API (#2746)

Fixed:
* fix calculation of renewal date (#2721)
* properly handle ecc certs in automations (#2723)

Changed:
* show CA in accounts list

3.7

Fixed:
* fix SFTP buttons not visible (#2712)
* fix invalid default value when no WAN interface can be found (#2712)
* fix incompatibility with new gcloud SDK (#2710)

3.6

Added:
* new automation: update local Unifi keystore (#2664)
* add support for dynv6 HTTP API (#2678)
* add support for TLS-ALPN-01 challenge type (#2661)

Fixed:
* fix SFTP upload (#2671)
* fix PHP error when acme.sh deploy hook returns an error (#2674)
* fix path for storing pf config files when using HTTP-01

3.5

Added:
* new automation: cert upload to Synology DSM (#2236)
* new automation: cert upload to FRITZ!Box router

Fixed:
* fix logging when clog is disabled (#2555)

Changed:
* refactor code to support acme.sh deploy hooks

3.4

Changed:
* rename "Linode Cloud API" to "Linode API (v4)" (#2609)
* rename "Linode API" to "Linode API (v3/deprecated)" (#2609)

3.3

Added:
* add support for custom ACME CAs (#2529)
* add support for Porkbun API (#2561)

Fixed:
* fix ACME Client reset (#2562)

Changed:
* change default Challenge Type from HTTP-01 to DNS-01

3.2

Added:
* add button to (re-) import a certificate into the trust storage

Fixed:
* associate certificates with the correct CA when multiple CAs use the same name (#2550)

3.1

Changed:
* rename "LE Account" to "ACME Account" in certificate dialog (#2526)

3.0

Added:
* add support for new ACME CAs: buypass, buypass_test, sslcom, zerossl (#2361)
* add CA setting to accounts, make it possible to use multiple CAs
* add introduction pages and an option to hide them
* add tooltips for account command buttons (#2188)
* add support for custom ACME EAB kid/hmac when registering accounts

Fixed:
* properly set/get the UUID of LE objects

Changed:
* rename plugin from "Let's Encrypt client" to "ACME Client" (#2361)
* change the suffix for imports to the certificate storage to "ACME Client" (#2361)
* rename "Let's Encrypt Environment" to "ACME CA" and move to account settings (#2361)
* preserve old LE accounts/certs by adding a compatibility layer (#2361)
* update tooltip style for 21.7 (#2188)
* show more options in list view for challenge types and automations

Removed:
* remove the legacy log file and only rely on syslog logging (#2366)
* remove obsolete account parameters: certificateAuthority, lastUpdate

2.6

Added:
* add support for Nederhost DNS API (#2407)
* add support for DDNSS DNS API (#2415)
* add support for Zone.eu DNS API (#2417)
* add support for Njalla DNS API (#2446)
* add support for Domeneshop DNS API (#2390)
* add support for IONOS domain API (#2345)

Fixed:
* sftp update of write protected cert files with a numeric owner (#2426)

Changed:
* Namecheap: change IP discovery URL to avoid rate-limits (#2419)

2.5

Added:
* add native support for Vultr DNS API (#2344)

Fixed:
* ensure that the auto renewal cron job is properly disabled (#2178)

Changed:
* reload settings page to show/hide cron tab

2.4

Added:
* add new page to show AcmeClient entries from system log
* add tooltips for certificate command buttons (#2188)

Fixed:
* fix missing "--ecc" parameter when renewing ECC certs (#2223)
* fix log file location (#2227)
* fix GUI log formatting (by using the syslog log)
* fix OCSP setting not honored (#2234)

Changed:
* let acme.sh log through syslog
* revamp logs page, move acme.sh log to a sub tab
* remove legacy logs page

2.3

Added:
* add support for Infomaniak domain API (#2169)

Fixed:
* fix "auto renewal" options not working in certificate and plugin settings (#2178)
* fix Aliyun DNS API (#2200)

2.2

Added:
* add support for hexonet.com DNS API (#2134)

Fixed:
* fix DNS challenge alias mode (#2128, #2130)

Changed:
* BREAKING: use configured DNS sleep time for Namesilo instead of hardcoded value (#2121)
* BREAKING: use configured DNS sleep time for Lexicon/Namesilo instead of hardcoded value
* BREAKING: use configured DNS sleep time for Linode instead of hardcoded value
* BREAKING: use configured DNS sleep time for Linode v4 instead of hardcoded value
* BREAKING: use configured DNS sleep time for Netcup instead of hardcoded value

2.1

Added:
* add support for deSEC.io domain API (#2120)

Fixed:
* fix creation of nsupdate secrets file
* fix certificate chain when existing cert was signed by a new CA (#2126)

2.0

Added:
* add new OOP backend to improve reliability and maintainability (#1398)
* add status for accounts to backend and WebGUI
* add button to manually trigger account registration
* add support for All-Inkl.com domain API (#1130)
* add plugin changelog

Fixed:
* fix bug where configuration changes could get lost (#1526)
* fix Cyon DNS API (password not set)

Changed:
* now an Automation may run multiple times during bulk issue/renewal (previously only once)
* rename "Validation Methods" to "Challenge Types" to adopt official LE wording
* rename menu entry "Automation" to "Automations"
* specify python version for gcloud SDK
* rephrase several log messages
* add more detailed output when debug logging is enabled

1.36

Added:
* add ability to rerun automations (#1962)

1.35

Added:
* add support for Linode Cloud API (#1940)
* add support for 1984Hosting API (#1945)

Changed:
* remove outdated bundled version of dns_opnsense.sh (#1888)

1.34

Added:
* add support for dnsapi ArvanCloud (#1834)
* add support for dnsapi Hetzner (#1870)

Changed:
* restore proper sorting in DNS API list

1.33

Added:
* add NSUPDATE_ZONE support to nsupdate DNS-01 service (#1851)

1.32

Added:
* add support for Acmeproxy DNS provider (#1838)

Changed:
* improve support for dnsapi Euserv.eu (#1790)

1.31

Added:
* add support for dnsapi SchlundTech (#1728)
* add support for dnsapi Euserv (#1779)
* add support for dnsapi Leaseweb (#1670)

Changed:
* sftp export: make the "fullchain" filename configurable (#1776)

1.30

Changed:
* update acme.sh GitHub link to new repo URL (#1744)

1.29

Added:
* add support for CloudFlare token (#1625)
* add support for MailinaBox DNS API (#1531)
* add support for Plesk XML API (#1567)
* add support for Variomedia DNS API

Fixed:
* fix IPv6 support for "automatic port forward" validation method (#1590)

Changed:
* validate IPv4 and IPv6 addresses before using them for "automatic port forward"
* enable IPv6 support on local ACME webservice (when system.ipv6allow is enabled)

1.28

Changed:
* correct minor spelling error (#1628)
* log filename not compatible with new log view (#1593)

1.27

Added:
* add support for Loopia DNS API (#1529)
* automations can now restart Captive Portal or IPsec service after cert renewal (#1534)
* add support for 60+ DNS APIs through Lexicon (#1524)

Fixed:
* don't break accounts when switching between stg/prod Let's Encrypt environments (#1528)

Changed:
* add py-dns-lexicon as plugin dependency to support it in DNS-01 out-of-the-box
* support acme.sh debug log level 2 and 3 (#1546)

1.26

Added:
* new automation: support cert upload via sftp (#1455)
* add support for OPNsense's BIND plugin (#1491)
* add support for DNS alias mode (#1492, #1301)

Changed:
* add headers for certificate options for the sake of clarity

1.25

Added:
* add support for netcup DNS API (#1350)

Fixed:
* updating an existing cert in Highwinds API failed with a 404 error (wrong HTTP method)

Changed:
* fix "Use of undefined constant" PHP errors
* treat certificate serial number as string not as integer
* move "remove certificate" button to the end of the button list

1.24

Added:
* add support for Domain-Offensive LetsEncrypt API dns_doapi (#1294)
* add support for Namecheap API (dns_namecheap)
* add support for Google Cloud DNS API dns_gcloud (#549)
* run acme.sh --remove when a cert is removed from the GUI (#1380)
* add a new button to remove the private key (#990)

Fixed:
* certificate status not correctly updated (#1307)

Changed:
* add log message when certificate status is updated (refs #1307)

1.23

Fixed:
* renewal interval is ignored (#1221)

1.22

Added:
* support DNS-01 with hosting.de API (#1234)

Changed:
* streamline log messages, use "AcmeClient" instead of "LE"

1.21

Added:
* possible breaking change: the API endpoint to update individual certs/accounts/etc. has been renamed from "set" to "update"

Fixed:
* bulk deleting does not work (#1163)

Changed:
* migrate to mutable controller (required to fix #1163)

1.20

Added:
* new button to reset all acme states, useful after importing a config backup to a new installation (#243)

1.19

Added:
* new automation: automatically upload certificates to Highwinds CDN (proof-of-concept, support for other APIs possible)

Changed:
* rename "Restart Actions" to "Automation" (the old name has always been rather clumsy)
* change "Automation" position in Menu (it's optional, the new position reflects this)

1.18

Added:
* add support for GratisDNS.dk (#1042)
* add support for ACME DNS

1.17

Fixed:
* fix OCSP always enabled (#794)
* fix acme operations when using multiple accounts (#789)

1.16

Added:
* add support for OCSP Must Staple extension

Fixed:
* fix ecc certs renewal bug

1.15

Added:
* add support to multiple dns api providers (#712)

Changed:
* mask passwords by using password fields (#707)

1.14

Added:
* add support for ClouDNS (#574)

1.13

Added:
* update acme.sh to 2.7.5 (#418)

Changed:
* fix missing fields for several DNS providers (#481)

1.12

Added:
* compatibility with HAProxy plugin version 2.0 (refs #330)

Fixed:
* fix missing fields for Hurricane Electric (#334)

1.11

Fixed:
* add missing field for DuckDNS (#287)

1.9

Added:
* update acme.sh to version 2.7.2 (#210)
* add support for new DNS API hooks (#225)

Fixed:
* Rename Certificate "Name" to "Common Name" for better clarity (#214)
* Fix title in "Renew" and "Revoke" dialogs
* Add dependency to BIND to fix nsupdate support
* fix 'Compilation failed: number too big' (#227)

1.8

Added:
* drop bundled acme.sh in favour of the FreeBSD port

Fixed:
* rename validation method "OPNsense Port Forward" to "OPNsense Web Service" to make it more clear that we're using an internal web service

1.7

Fixed:
* fix $backend is not declared (#132)
* fix null exception in api

1.6

Fixed:
* fix broken translation strings

1.5

Fixed:
* try to solve disconnection issue (mostly during auto-renewal) (#109)
* try to fix "Node no longer exists"

1.4

Changed:
* rename label "Validation Method" to "Challenge Type"

1.3

Changed:
* remove support for custom restart actions (#100)
* avoid log message on missing restart action
* simplify JS code

1.2

Fixed:
* properly import CA certificates (#84)
* don't make sensitive data world-readable

Changed:
* hide params for restart actions when not selected
* remove prefixes from validation name
* hide http service entries when not selected
* log acme status for each cert

1.1

Added:
* add HAProxy integration

Fixed:
* avoid API exception when HAProxy integration is incomplete
* avoid error message if no restart action was specified
* do not run restart actions if cert was not changed

Changed:
* add hide() trickery to hide entries when not selected
* relax fields validation (#70)

1.0

Initial release (#6)
