Five merged community PRs + dependabot security bumps. No behavior change in CertMate's core flow; bug fixes, Docker-secrets ergonomics, and new download flexibility.
From the community
- #119 @rocogamer — generalises the v2.4.3 Azure ambiguous-flag fix (#113) to the base `DNSProviderStrategy.configure_certbot_arguments`. Every plugin now uses `--authenticator <name>` (immune to argparse prefix collisions) instead of the bare `--<name>` shorthand; more robust than the per-strategy override I shipped in v2.4.3 (also dropped here in favor of the base class fix). Repins `certbot-dns-azure==2.5.0` (was a phantom `2.11.0` not on PyPI; 2.6.0+ requires certbot>=3.0 which would break the certbot 2.10 pin). +4 regression tests.
- #120 @langtutheky — adds `SECRET_KEY_FILE` and `API_BEARER_TOKEN_FILE` resolution for Docker Swarm / Kubernetes secret-file mounts. Resolution order: `*_FILE` → env var → fallback. 15 unit tests cover the edge cases.
- #126 @rob-infoglobe — `?file=` query param on `/api/certificates/<domain>/download` returning a single PEM (`fullchain.pem`, `privkey.pem`, or a server-side `combined.pem` concatenation) for clients that can't unzip. Tight whitelist; 400 on anything else, 404 on missing files. +5 e2e regression tests.
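
The allowlist behaviour described for #126, as an added sketch that is not CertMate's own code: the request value is only ever compared against constant names and never joined into a path. The function name `resolve_download`, the response bodies, and the `fullchain.pem` then `privkey.pem` order inside `combined.pem` are assumptions.

```python
import tempfile
from pathlib import Path

# Names the endpoint may serve; anything else is rejected before touching disk.
SINGLE_FILES = ("fullchain.pem", "privkey.pem")
COMBINED = "combined.pem"


def resolve_download(cert_dir, file_param):
    """Return (http_status, body_bytes) for a ?file= request on one domain's directory."""
    # Exact-match allowlist: no normalisation, no case folding, no path joining of user input.
    if file_param not in SINGLE_FILES and file_param != COMBINED:
        return 400, b"unsupported file"
    cert_dir = Path(cert_dir)
    # combined.pem is built on request from the stored files (order is an assumption).
    parts = SINGLE_FILES if file_param == COMBINED else (file_param,)
    chunks = []
    for name in parts:
        path = cert_dir / name  # name comes from the constant tuple, never from the request
        if not path.is_file():
            return 404, b"not found"
        data = path.read_bytes()
        # Keep PEM blocks on separate lines when concatenating.
        chunks.append(data if data.endswith(b"\n") else data + b"\n")
    return 200, b"".join(chunks)


def demo():
    """Run constructed requests against a temp directory holding placeholder PEM text."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: only fullchain.pem exists, privkey.pem is absent.
        Path(d, "fullchain.pem").write_bytes(
            b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----"
        )
        params = ("fullchain.pem", "../privkey.pem", "FULLCHAIN.PEM",
                  "privkey.pem", "combined.pem", "")
        return {p: resolve_download(d, p)[0] for p in params}


if __name__ == "__main__":
    for param, status in demo().items():
        print(f"{param!r:18} -> {status}")
```
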
Security bumps
- #106 dependabot — postcss 8.5.6 → 8.5.10 (XSS fix in non-bundler cases; dev-dep only)
- #104 dependabot — pip group: requests 2.32.5 → 2.33.0 (CVE-2026-25645), python-dotenv, cryptography
Tests
- 209 unit tests pass (was 143)
- 5 new e2e tests for #126 (all pass against docker container)
- All 47 of #122's domain alias tests pass too (rebased; awaiting reporter re-test before merging)
Still pending
- #122 @ITJamie (DNS alias mode rewrite) — rebased on top of this release, the `dashboard.js` conflict from v2.4.2's `CertMate.html` refactor was reconciled. Awaiting the reporter's re-test before merge. Targeted for v2.4.6 / v2.5.0.
Full diff: v2.4.4...v2.4.5