github fabriziosalmi/certmate v2.8.0
v2.8.0 — certificate formats, SSO user management, performance

First minor after the v2.7.0 OIDC/SSO release. Bundles the certificate-format work requested by operators, an SSO user-management hardening pass, a large listing/backup performance fix from the community, and the CA/DNS settings panel fixes.

Features

  • SSO/OIDC user management (#229, #234) — the Users list badges SSO-managed accounts, hides password-reset for them, and refuses a local-password set on an IdP-linked row. The sole remaining admin can no longer be deleted or disabled. Also fixes a pre-existing bug where PUT /api/users/<username> dropped password/enabled (disable and reset silently failed).
  • Encrypted Windows .pfx export (#230, #238) — set a PFX Export Password in Settings → General and each certificate is also written as an encrypted cert.pfx (PKCS#12) on issuance and renewal, downloadable via ?file=cert.pfx (operator role) and included in backups. Empty password disables it.
  • PKCS#1 private-key download (#233, #237) — ?file=privkey.pem&key_format=pkcs1 serves the key in legacy PKCS#1/SEC1 form, converted in-process.
  • Intermediate chain in deploy hooks (#232, #236) — deploy commands now receive CERTMATE_CHAIN_PATH (intermediates only).

Performance

  • Faster certificate listing + lighter backups (#231, thanks @rocogamer) — in-process cryptography parsing replaces a per-row openssl subprocess + temp file, with a short-lived cert-info cache; Azure Key Vault gains a lightweight info read that skips the PFX export; routine backups exclude certbot's logs/ and work/ scratch directories while keeping renewal lineage; adds Kubernetes resource guidance.

Fixes

  • CA/DNS settings panels (#226, #235, diagnosis by @balkk1) — the CA Google panel had a duplicate id with the DNS tab so it never appeared; HTTP-01 now hides the DNS provider config panels instead of leaving a stale one visible.
  • OIDC callback log hygiene (#234) — the attacker-controlled IdP error query param is constrained to a known OAuth/OIDC code set before any log/audit sink (CodeQL py/log-injection).
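The allowlist pattern behind that fix, as an added example (not certmate's own code): the `error` value an IdP sends back is reduced to a known OAuth/OIDC code before it is formatted into an audit line, so a crafted value cannot forge log entries. Function and placeholder names are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Error codes defined by OAuth 2.0 (RFC 6749 section 4.1.2.1) and
# OpenID Connect Core (section 3.1.2.6). Nothing else is ever logged.
OAUTH_ERROR_CODES = frozenset({
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
    "interaction_required", "login_required", "account_selection_required",
    "consent_required", "invalid_request_uri", "invalid_request_object",
    "request_not_supported", "request_uri_not_supported",
    "registration_not_supported",
})


def constrain_oidc_error(value):
    """Map the raw `error` query value to an allowlisted code.

    Anything outside the known set (including an empty value or a value
    carrying newlines or control characters) collapses to one fixed
    placeholder, so the logger only ever sees strings from this file.
    """
    if value in OAUTH_ERROR_CODES:
        return value
    return "unrecognized_error"  # assumed placeholder name


def callback_audit_line(callback_url):
    """Build the single-line audit entry for a failed IdP redirect.

    Free-text parameters such as `error_description` are deliberately
    not included: they are attacker-influenced and not allowlistable.
    """
    params = parse_qs(urlsplit(callback_url).query)
    raw = params.get("error", [""])[0]  # percent-decoding happens here
    return f"oidc callback failed error={constrain_oidc_error(raw)}"


if __name__ == "__main__":
    # Constructed sample: a redirect whose `error` carries an encoded newline.
    crafted = ("https://certmate.example/auth/oidc/callback"
               "?state=abc&error=access_denied%0Aaudit:%20admin%20login%20ok")
    print(callback_audit_line(crafted))
    print(callback_audit_line("https://certmate.example/cb?error=login_required"))
```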

Internal

  • Storage-migrate tests seed a valid API token so the fixture survives the tightened validate_api_token rules (#239).