Highlights
- Opt-in asynchronous issuance. `POST /api/certificates/create` (and renew) with `"async": true` now returns `202 Accepted` + a `job_id`; poll it at `GET /api/certificates/jobs/<job_id>`. Certbot runs on an in-process executor, so request threads and `/health` stay responsive while issuance is in flight. Single-instance by design (in-memory job registry; no external broker). The default path is unchanged — async is strictly opt-in. (#280)
- New endpoint: `GET /api/certificates/<domain>` for single-certificate fetch. (#268)
Internal
- Introduced a `CertificateService` orchestration layer (prepare / issue / commit phases) behind both the API and web adapters, consolidating create/renew logic into one tested path. (#280)
Fixed
- Dashboard: optimized certificate-list rendering and deployment-check scheduling. (#269)
- Certificates: load settings once and single-read the cert copy in `create_certificate`. (#272)
- Concurrency: wait briefly for the per-domain lock and return `409` when an issuance for that domain is already in progress. (#274)
- Diagnostics: count certificates via `iter_cert_domain_dirs`. (#273)
- Routes: removed a dead/broken certificate-list web route. (#271)
Security
- CodeQL: resolved log-injection and stack-trace-exposure findings in the new code paths (generic client-facing errors; sanitized log fields). (#280)
CI
Docker: linux/amd64 + linux/arm64 images published as certmate:2.11.0.
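
Added example (not CertMate's code): a sketch of the pattern the async-issuance, Concurrency and Security items describe, with an in-process executor, an in-memory job registry, a per-domain lock that yields `409`, generic client-facing errors and sanitized log fields. All function names, the job record fields and the 0.2 s lock wait are assumptions; `issue` stands in for the certbot call.

```python
import logging
import threading
import uuid
from concurrent.futures import ThreadPoolExecutor

# Hypothetical names throughout; a sketch, not CertMate's implementation.
log = logging.getLogger("issuance_sketch")
executor = ThreadPoolExecutor(max_workers=2)  # in-process executor, no broker
jobs = {}                                     # in-memory job registry
domain_locks = {}
guard = threading.Lock()                      # protects both dicts
LOCK_WAIT = 0.2                               # "wait briefly": value assumed

def clean(value):
    """Replace CR/LF and other control characters so a field stays on one log line."""
    return "".join(c if c.isprintable() else "?" for c in str(value))[:253]

def run(job_id, domain, issue, lock):
    try:
        issue(domain)
        outcome = {"status": "succeeded"}
    except Exception:
        # Detail and traceback stay in the server log; the client gets a generic error.
        log.exception("issuance failed domain=%s", clean(domain))
        outcome = {"status": "failed", "error": "certificate issuance failed"}
    finally:
        lock.release()
    with guard:
        jobs[job_id].update(outcome)

def submit(domain, issue):
    """Async create/renew; returns (http_status, body). `issue` stands in for certbot."""
    with guard:
        lock = domain_locks.setdefault(domain, threading.Lock())
    if not lock.acquire(timeout=LOCK_WAIT):
        return 409, {"error": "issuance already in progress for this domain"}
    job_id = uuid.uuid4().hex
    with guard:
        jobs[job_id] = {"status": "running"}
    executor.submit(run, job_id, domain, issue, lock)
    return 202, {"job_id": job_id}

def get_job(job_id):
    """Polling endpoint body: 404 for unknown ids, otherwise a copy of the record."""
    with guard:
        job = dict(jobs[job_id]) if job_id in jobs else None
    return (200, job) if job else (404, {"error": "job not found"})
```

Because the registry and locks live in one process, a second instance behind a load balancer would not see these jobs or locks, which is why the release describes the feature as single-instance by design.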