github win-acme/win-acme v2.1.6.768
v2.1.6

4 years ago

New features

  • #1466 - The program now supports the use of substitute domains for DNS validation. If your goal is to get a certificate for example.com using DNS validation, but the DNS provider for that domain does not support automation and/or your security policy doesn't allow third party tools like win-acme to access the DNS configuration, then you can set up a CNAME from _acme-challenge.example.com to another (sub)domain under your control that doesn't have these limitations. acme-dns (which we also support) is based on this principle, but now the same trick can be applied to any of the DNS plugins, meaning it can be done for Azure, Route53, Cloudflare, Dreamhost and your own scripts. The program will automatically recognize that you've created a CNAME and instruct the plugin to act accordingly.

Enhancements

  • #1435 - It's now possible to get the friendly name and thumbprint of the previously issued certificate as parameters to the script installation plugin. Contributed by @Jaecen, thanks!
  • #1437 - We have implemented MailKit to enable support for mail servers that offer implicit TLS (typically on port 465). Previously only servers with explicit TLS (typically on port 587) were supported. Thanks @ktoonsez for bringing this to our attention.
  • #1441 - Increased default timeout waiting for ACME server to validate domains and create certificates from ~30 seconds to ~90 seconds. This gives Let's Encrypt and other services more time to do thorough validation. Note that due to the way settings are implemented, the new defaults don't automatically apply to existing installs. If you are faced with this issue, please update your settings.json manually.
  • #1445 - The IIS FTP installation plugin now also checks and updates the default FTP site settings in IIS, requested by @medialabs-at. Note that it is still not possible to set up a new certificate directly targeting those settings, but they will be updated if the previous certificate has been manually linked there.
  • #1459 - For a long time the program has cached issued certificates for each renewal in order to a) provide additional information to the installation steps and b) prevent users from running into rate limits while experimenting with the program. Due to recent changes the latter use became mostly broken. Version 2.1.6 therefore implements a new order cache that works as an extra layer on top of the certificate cache and thus protects users from running into rate limits even when creating new renewals. Among others this was noted by @barrar.
  • #1364 - Solved warning in Cloudflare plugin and improved error messages, thanks to @georg-jung for contributing!

Bug fixes

  • #1431 - Improved parsing of common name, reported by @los93sol
  • #1434 - --baseuri can now be a direct link to the ACME service directory; we no longer assume that the directory lives under {baseuri}/directory. Reported by @Stan-Tastic with regard to DigiCert ACME services.
  • #1448 - Accept HTTP status 201 as a valid answer in response to the finalizeOrder call. Encountered in the Nexus ACME tooling and not expressly forbidden by the RFC. Reported by @oregano87, thanks!
  • #1447 - @oregano87 spotted an issue that caused the renewal setup process to continue even though a fatal error has been encountered in setting up the acme-dns registration.
  • #1460 - Preliminary validation would potentially not see the correct TXT record when multiple records are present on the same host, causing it to mistakenly report an error. Thanks @lazzaronetu for getting us on the scent of that issue.
  • #1473 - Cancelling the certificate creation process in --test mode would incorrectly prompt the user that the process has failed. It will now report that the process has been aborted.
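
The substitute-domain lookup from #1466 and the multiple-TXT-record case from #1460 can be modelled together. The following is an added example, not win-acme's own code: it follows the CNAME from the `_acme-challenge` name to the record that has to hold the value, restricts that target to approved zones, and matches the expected value against every TXT record present. The `allowed_zones` policy, the function names, and the zone data are assumptions constructed for illustration.

```python
import base64
import hashlib

def txt_value(key_authorization):
    """TXT content for dns-01 (RFC 8555 8.4): unpadded base64url of the SHA-256 digest."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def challenge_record(domain):
    """Validation record name; a wildcard is validated at its base domain."""
    name = domain.lower().rstrip(".")
    return "_acme-challenge." + (name[2:] if name.startswith("*.") else name)

def follow_cnames(zone, name, max_hops=8):
    """Follow CNAMEs to the name that must actually hold the TXT record."""
    seen = []
    while "CNAME" in zone.get(name, {}):
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or overlong chain at " + name)
        seen.append(name)
        name = zone[name]["CNAME"][0].lower().rstrip(".")
    return name

def precheck(zone, domain, key_authorization, allowed_zones):
    """Return (record to write, whether the expected value is already visible)."""
    source = challenge_record(domain)
    target = follow_cnames(zone, source)
    # The CNAME hands validation for `domain` to whoever controls the target,
    # so only accept substitute names inside zones that are explicitly approved.
    if target != source and not any(
            target == z or target.endswith("." + z) for z in allowed_zones):
        raise PermissionError(source + " delegates to unapproved " + target)
    # Several TXT values can coexist on one host: match against all of them.
    return target, txt_value(key_authorization) in zone.get(target, {}).get("TXT", [])

# Constructed sample data (not real DNS answers or a real key authorization).
KEY_AUTH = "constructed-token.constructed-account-thumbprint"
ZONE = {
    "_acme-challenge.example.com": {"CNAME": ["example-com.acme.example.net."]},
    "example-com.acme.example.net": {
        "TXT": ["leftover-value-from-an-earlier-order", txt_value(KEY_AUTH)]},
}

if __name__ == "__main__":
    print(precheck(ZONE, "example.com", KEY_AUTH, ["acme.example.net"]))
```

A check that only reads the first TXT answer would report a failure on this data, because the matching value is the second record on the host.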
