A few fixes and enhancements:
- An experimental feature was fixed that automatically replaces certificates which have been revoked. Now it actually works.
- If a certificate is revoked specifically due to key compromise, the compromised key will be rotated out and the replacement certificate will use a new key.
- `ObtainCert()` and `RenewCert()` have been split into `Sync` and `Async` versions, similar to `ManageSync()` and `ManageAsync()`, to bring consistency to the exported API, as well as to make room for...
- ... forced renewals, which is now a boolean argument passed into the `RenewCert*()` methods. This will renew a certificate even if it is not expiring.
- Obtain operations will reuse existing private keys if already in storage. It is still a no-op if all certificate assets (cert, key, and meta) are already in storage.
- Improved logging of errors between issuers when obtaining and renewing certificates.
- If DNS resolvers are explicitly configured, they will be used exclusively and not fall back to system resolvers. This makes the DNS challenge solvers work better in weird DNS setups.