github win-acme/win-acme v2.0.0.177
v2.0.0
on GitHub

latest releases: v2.2.8.1635, v2.2.7.1621, v2.2.7.1612...
5 years ago

This is the first stable release of win-acme (WACS) 2.0, the long expected ACMEv2 version of one of the oldest and simplest Windows based tools to generate Let's Encrypt certificates.

Background

WACS has always promised to be a simple tool, so backwards compatibility and ease of use has been a big focus for the past couple of years. The goal has always been to allow xcopy upgrades, enabling admins to roll out more useful and reliable versions without worrying about the details.

Current circumstances have forced our hand though. With ACMEv2, the ISGR has re-invented the protocol, enabling among other things new features such as the much sought wildcard certificates (see #464). This in turn inspired @ebekker to re-architect his excellent ACMESharp library.

With sufficient time and attention we could write code that would remain fully compatible with existing ACMEv1 renewals, while at the same time offering ACMEv2 to new and advanced users. The reason to not choose that approach is that we actually want to use the opportunity to do some housekeeping ourselves, instead of piling on a whole new level of abstraction with all the exceptions and possible failure modes that would entail.

So, going forward we will have the 1.9.x series on 'life support' for ACMEv1 users. That means that there will most likely not be any active development on it except for critical bug fixes. Besides that we will have 2.x in active support and development for ACMEv2 users. We're making it very easy to upgrade though, by offering an option in the main menu and the command line to import certificate settings from 1.9.x.

Major improvements

  • ACMEv2 protocol support including wildcard certificates.
  • Create fully modern certificates with the OCSP Must Staple extension and/or ECDSA private keys, made possible thanks to having full control over the certificate signing requests, which were previously handled by a third party library.
  • In 1.9.x we were constrained by backward compatibility to really clean up our act regarding the way renewals were defined, which prevented us from implementing even some basic features like setting a custom Friendly Name. 2.x has a re-invented renewal and plugin system which is more easily usable by man and machine alike. Each renewal is defined in a separate human-readable .json file on disk, that can be moved around between machines, backed up and edited. This opens a whole new way of interacting with the program, both by humans and other scripts/tooling.
  • Renewals have become smarter. Rather than only looking at the date, renewals automatically become due for renewal when changes in the target are detected. When you add or update a binding in IIS, it's no longer necessary to force a renewal.
  • For the first time some parts of the code have automatic tests written for them. Currently the tests are limited to the target acquisition part but we expect the number of tests will rise in the future, preventing recurring bugs. In the long run this will improve the quality of the tool.
  • There is increased security. By default we no longer write the .key.pem file to disk (for Apache and ngnix users this is still possible though with a new store plugin). We also protect the .pfx files in the cache folder with randomly chosen 256-bits passwords. The passwords themselves are in the aforementioned .json files encrypted with Microsoft's DPAPI. The same goes for FTP/WebDav credentials and of course the digital signature that functions as the 'password' for the ACME account. With these measures in place someone that gains access to the files in the ConfigPath and/or CertificatePath has a lot fewer options for abuse.
  • IDN support has been much improved, including for features like excluded domains, common names, etc.
  • You are now able to configure email notifications to be alerted about failing renewals long before Let's Encrypt starts warning you.

New plugins

The most sought after feature for ACMEv2 is the support for certificates with wildcard identifiers, e.g. *.example.com. Such identifiers can only be validated using the DNS-01 method. That is a difficult one to automate, because there are thousands of different providers. Besides support for writing your own scripts (which was already a feature of 1.9.x, we have made the following improvements

  • Azure has been refactored as separate project and download. This serves as an example/template for others to contribute plugins to WACS.
  • Manual will obviously won't work for automatic renewals, but can be a stop gap measure.
  • acme-dns is a client for the acme-dns server project, the idea here is to CNAME the _acme-challenge record to a self-hosted or otherwise trusted acme-dns instance and let win-acme handle the legwork required to update the tokens.
  • Dreamhost was contributed by @derhally as another example of how to extend win-acme.
  • 'Script` was refactored to be much more flexible with regards to parameter format and the option to reuse the same script for both create and delete.

Breaking changes

  • No more ACMEv1 support. The 1.9.x series will be there if you need it though.
  • Requires .NET Framework 4.7.2 - up from 4.6.2.
  • Custom plugins that you may have written will have to be updated to support the new interfaces. I do not expect any major difficulties, read Custom plugins for more info.
  • Validation
    • Support for TLS-SNI validation has been removed. Let's Encrypt has not supported this validation mode for new accounts and domains for a while now, but if you had successfully validated using this method in the past, it would still allow you to renew that way on the old endpoint. It's no longer possible on the newer one. Imported renewals will automatically be converted to SelfHosting validation. Note that this requires port 80 instead of 443 to be accessible, so it might fail - but it's the best alternative we can offer at this point.
    • Support for IIS validation has been removed. While working fine, it was superfluous with the far simpler and less risky SelfHosting option. Imported renewals will automatically be converted.
  • The CertificatePath by default is now [ConfigPath]\Certificates instead of ConfigPath.
  • Installation
    • The script installer has been renamed from manual to script
  • We no longer output .csr-gen.json and .key-gen.json files for each certificate. I honestly couldn't come up with a use case for them, though if someone has one, please let us know!
  • The main executable has been renamed from letsencrypt.exe to wacs.exe. Let's Encrypt is an ISGR registered trademark and WACS supports different implementations of the ACME protocol (#763, #978)
  • Settings
    • The private key will not exportable from the Windows Certificate store by default (#369)
    • The .key.pem file will not be saved to disk by default, if you need it use --store pemfiles
    • The PFXPassword property has been removed. The passwords for the cache are randomly generated and password for the IIS CCS can be provided on the command line per certificate.
    • Default RSA key length increased from 2048 to 3072 bits, because why not?
  • Command line changes
    • --forcerenewal has been renamed to --force and cannot be used standalone anymore
    • --plugin has been renamed to --target to more accurately reflect what it does
    • --manualhost has been renamed to --host because it can also be used for the IISBinding plugin
    • --centralsslstore is no longer enough to trigger the IIS CCS plugin, it has to be activated properly by adding --store centralssl
  • Settings changes
    • Default date formatting makes a lot more sense now
    • Default ACME endpoints for regular use, test use and importing can be configured
    • Default paths can be configured for the CentralSsl plugin and the PemFiles plugin
Check out latest releases or
releases around win-acme/win-acme v2.0.0.177

Don't miss a new win-acme release

NewReleases is sending notifications on new releases.

Get notifications