Features
- Import existing certificates via a new CLI command and a discovery UI that scans for certificate/key pairs on disk. (#1716, #1724)
- Self-signed certificate support, including dedicated error codes and renewal notifications. (#1655, #1688)
- Add a Mattermost external notifier. (#1721)
- DNS: support IP version selection for DDNS. (#1695)
- Certificate issuance now preserves the existing configuration and retries on failure. (#1694)
- Support riscv64 Docker images and OpenWrt installs. (#1551)
- Migrate legacy recovery codes to the new format. (#1684)
Bug Fixes
- cert: restore the lego v4 DNS-01 propagation behavior so DNS-01 issuance/renewal no longer times out behind split-horizon or private resolvers after the lego v5 upgrade. (#1711, #1719)
- dashboard: count nginx worker processes when nginx runs in a separate container. (#1704)
- setup: surface the one-time install secret in the logs for Docker/non-interactive installs, and stop logging the node secret in a way that was mistaken for it. (#1705)
- backup: make the "granted access paths" error actionable instead of looking like a missing directory. (#1714)
- 2fa: auto-retry the original request after a step-up challenge so protected actions complete in a single prompt. (#1700)
- log indexing: keep the config search index in memory and reduce write amplification to avoid excessive disk I/O. (#1707)
- nginx_log: repair advanced search filters and status faceting. (#1687)
- docker: upgrade the persisted bundled nginx-ui.conf safely and preserve forwarded proto/host for nginx in a container. (#1696)
- expand TLS includes for maintenance mode. (#1692)
- normalize DNS provider environment values and clarify DNS domain provider scope. (#1682)
- harden the recovery migration flow and prevent websocket cleanup leaks.
- count private network interfaces correctly and avoid a version-mismatch warning for unknown node versions.
- support the OpenWrt 25 install script. (#1658)