github slauger/netscaler-certbot-hook v2.0.0
on GitHub

6 hours ago

v2.0.0 (2025-11-25)

Breaking

  • feat!: implement 31-char limit for chain names with hash suffix

Chain certificate names are now limited to 31 characters (NetScaler limit)
and use hash suffixes for uniqueness when names exceed this limit.

Changes:

  • Names > 31 chars: truncated to 24 chars + hyphen + 6-char SHA256 hash
  • Names <= 31 chars: preserved as-is
  • Hash ensures uniqueness (e.g., GoDaddy G2 vs G3 have different hashes)
  • Apostrophes are removed completely instead of replaced

Examples:

  • "R11" → "R11" (unchanged)
  • "ZeroSSL RSA Domain Secure Site CA" → "ZeroSSL RSA Domain Secur-f38a3d"
  • "Go Daddy Secure Certificate Authority - G2" → "Go Daddy Secure Certific-68a0d1"
  • "Go Daddy Secure Certificate Authority - G3" → "Go Daddy Secure Certific-499691"

BREAKING CHANGE: Chain certificate auto-detection now uses the certificate's
Common Name (CN) instead of the hardcoded "letsencrypt" default. Existing
deployments must either:

  1. Explicitly specify --chain letsencrypt to maintain old behavior
  2. Delete/rename the old "letsencrypt" chain certificate on NetScaler
    Otherwise, certificate installation will fail because NetScaler only allows
    one instance of each CA certificate. (3c408ef)

Feature

  • feat: add noDomainCheck flag and auto-detect chain certificate name

This commit adds two major improvements to handle chain certificate updates:

  1. New --no-domain-check flag: Adds explicit control over the NITRO API's
    noDomainCheck parameter. This is required when updating chain certificates
    because they are registered to different domains (CA domains) than the
    end-entity certificate. The flag can be used for:

    • Chain certificate updates (required)
    • Multi-domain/SAN certificates
    • Certificates bound to multiple virtual servers
    • Any scenario triggering "Certificate is registered to a different domain" error

  2. Auto-detect chain certificate name: The chain certificate name is now
    automatically detected from the Common Name (CN) in the certificate, instead
    of using a hardcoded "letsencrypt" default. This automatically adapts to
    Let's Encrypt issuer changes (e.g., R10, R11, E5, E6, E7, E8). Users can
    still override with --chain if needed.

Changes:

  • Added --no-domain-check CLI parameter
  • Added get_certificate_cn() function to extract CN from certificates
  • Modified nitro_install_cert() to accept no_domain_check parameter
  • Auto-detect chain name from certificate CN in get_config()
  • Updated README.md with comprehensive documentation
  • Updated process_chain_certificate() to use config['no_domain_check']
  • Updated install_or_update_certificate() to use config['no_domain_check']

Fixes #10 (7fb9c3d)

Fix

  • fix: install package in editable mode for GitHub Actions tests

This ensures the netscaler_certbot_hook module can be imported in CI/CD. (2c1603c)

Test

  • test: add comprehensive tests for certificate CN extraction

This commit adds extensive test coverage for the certificate CN extraction
and sanitization functionality:

  1. Unit tests (tests/test_certificate_cn.py):

    • Test simple alphanumeric CNs (Let's Encrypt R10, E5, etc.)
    • Test CNs with spaces (preserved for readability)
    • Test CNs with special characters (sanitized to hyphens)
    • Test valid special characters (underscore, hyphen, space)
    • Test NetScaler compatibility validation
    • Test error handling (file not found, invalid certificate)
    • Test real-world CA naming patterns

  2. CA certificate test script (test_ca_certificates.py):

    • Downloads real intermediate certificates from multiple CAs
    • Tests Let's Encrypt (R10, R11, E5, E6)
    • Tests ZeroSSL/Sectigo RSA intermediate
    • Tests GoDaddy G2 intermediate
    • Validates sanitized names are NetScaler-compatible
    • Handles both PEM and DER certificate formats

  3. Sanitization rules (updated in cli.py):

    • Conservative whitelist: alphanumeric, underscore, hyphen, space
    • Explicitly excludes: # : . @ = and other special chars
    • Apostrophes are removed completely (not replaced)
    • Must start with alphanumeric or underscore
    • Preserves spaces for readability (shorter names)

  4. GitHub Actions workflow (.github/workflows/tests.yml):

    • Runs tests on Python 3.8-3.12
    • Executes unit tests and CA certificate tests
    • Verifies module import

All tests pass successfully! (579a30f)

Unknown

  • Merge pull request #11 from slauger/fix/10-chain-update-domain-check

feat: add noDomainCheck flag and auto-detect chain certificate name (920a6f1)

Check out latest releases or
releases around slauger/netscaler-certbot-hook v2.0.0

Don't miss a new netscaler-certbot-hook release

NewReleases is sending notifications on new releases.

Get notifications