What's Changed
Bug Fix — AWS Route53: --dns-route53-propagation-seconds unrecognised (#75)
certbot-dns-route53 >= 1.22 removed the --dns-route53-propagation-seconds CLI flag. The plugin now polls Route53 internally until the TXT record propagates and no longer accepts the argument, causing every Route53 certificate request to fail immediately with an "unrecognised arguments" error.
Fix: Added a supports_propagation_seconds_flag property to the DNSProviderStrategy base class (defaults to True). Route53Strategy overrides it to False. The propagation-seconds argument is now only appended to the certbot command when the active strategy explicitly declares support for it.
Bug Fix — Private CA ACME endpoint "Connection failed" with self-signed certificates (#74)
The "Test Connection" button always used Python's system CA bundle (verify=True) to validate the ACME server's TLS certificate. Private CAs with self-signed or internal-root certificates are not in the system bundle, so every connection test reported "ACME endpoint is not accessible" even when the endpoint was fully reachable.
Fix: When a CA certificate is provided in the Private CA configuration, it is written to a temporary PEM file and passed as verify=<path> to requests.get(). The temp file is always removed in a finally block. SSL error messages now include actionable hints — whether to supply a CA certificate or verify the correct root/intermediate was uploaded.
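The connection-test behaviour described in this fix, sketched as an added example (not CertMate's own code): the supplied CA becomes the only trust anchor through verify=<path>, verification is never turned off, and the temp file is removed on every exit path. The names check_acme_endpoint, http_get and SAMPLE_CA_PEM and the URL are hypothetical; http_get exists only so the logic can be run offline.

```python
import os
import tempfile

# Constructed placeholder, not a real certificate (a real call needs a valid PEM).
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----"


def check_acme_endpoint(directory_url, ca_cert_pem=None, http_get=None, timeout=10):
    """Return (ok, message) for a GET of the ACME directory URL."""
    if http_get is None:
        import requests  # lazy import: only needed for real network calls
        http_get = requests.get  # hypothetical injection point defaults to requests

    ca_path = None
    try:
        verify = True  # no CA supplied: validate against the system bundle
        if ca_cert_pem and ca_cert_pem.strip():
            # mkstemp creates the file with mode 0600 and an unpredictable name
            fd, ca_path = tempfile.mkstemp(suffix=".pem")
            with os.fdopen(fd, "w") as handle:
                handle.write(ca_cert_pem.strip() + "\n")
            verify = ca_path  # trust only this bundle; never verify=False
        response = http_get(directory_url, verify=verify, timeout=timeout)
        if response.status_code == 200:
            return True, "ACME endpoint is accessible"
        return False, f"ACME endpoint returned HTTP {response.status_code}"
    except Exception as exc:
        if "SSL" in type(exc).__name__ or "CERTIFICATE_VERIFY_FAILED" in str(exc):
            # Actionable hint depends on whether a CA was supplied at all
            hint = ("verify the correct root/intermediate was uploaded"
                    if ca_path else "supply the CA certificate")
            return False, f"TLS verification failed: {hint}"
        return False, f"Connection failed: {exc}"
    finally:
        if ca_path and os.path.exists(ca_path):
            os.remove(ca_path)  # runs on success, HTTP error and exception alike


if __name__ == "__main__":
    class FakeResponse:  # constructed stand-in for requests.Response
        status_code = 200

    def fake_get(url, verify, timeout):
        print("verify =", verify, "| bundle exists:", os.path.exists(str(verify)))
        return FakeResponse()

    print(check_acme_endpoint("https://ca.internal.example/acme/directory",
                              SAMPLE_CA_PEM, fake_get))
```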
Bug Fix — Residual Route53 / san_domains failures after v2.0.2 (#56)
The san_domains keyword-argument error and the Cloudflare-hardcoded DNS provider fallback were resolved in v2.0.1 and v2.0.2 respectively. The remaining failure mode reported by users (--dns-route53-propagation-seconds unrecognised) is fully resolved by the Issue #75 fix above.
Test Suite
161 passed, 9 skipped, 0 failed (9 skipped require live DNS/CA credentials).
New unit tests added in tests/test_san_domains.py:
TestRoute53PropagationFlag (4 tests) — verifies Route53Strategy.supports_propagation_seconds_flag is False, all other strategies are True, and the flag is absent from the constructed certbot command for Route53.
TestAcmeConnectionSSLHandling (2 tests) — verifies the temp-file CA bundle logic and the no-cert system-bundle fallback.
Upgrade
# Docker Hub (recommended)
docker pull fabriziosalmi/certmate:v2.0.3
docker compose down && docker compose up -d
# Build from source
git pull origin main
docker compose build --no-cache && docker compose up -d