Added
- ACME Renewal Info (ARI) support. https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
  `certbot renew` will automatically check ARI when using an ACME server that supports it,
  and may renew early based on the ARI information. For Let's Encrypt certificates this
  will typically cause renewal at around 2/3rds of the certificate's lifetime, even if
  the `renew_before_expiry` field of a lineage renewal config is set to a later date.
Changed
- Switched to src-layout from flat-layout to accommodate PEP 517 pip editable installs
- `acme.client.ClientNetwork` now makes the "key" parameter optional.
- Deprecated `acme.challenges.TLSALPN01Response`
- Deprecated `acme.challenges.TLSALPN01`
- Deprecated parameter `alpn_protocols` from `acme.crypto_util.probe_sni`
- Deprecated `acme.crypto_util.SSLSocket`
- Deprecated `acme.standalone.TLSServer`
- Deprecated `acme.standalone.TLSALPN01Server`
- Deprecated parameter `enforce_openssl_binary_usage` from `certbot.ocsp.RevocationChecker`.
- Dropped support for Python 3.9.0 and 3.9.1 for compatibility with newer
  versions of the cryptography Python package. Python 3.9.2+ is still
  supported.
Fixed
- Order finalization now catches the `orderNotReady` response, polls until the order status is
  `ready`, and resubmits the finalization request before polling for `valid` to download the
  certificate. This conforms to RFC 8555 more accurately and avoids race conditions where
  all authorizations are fulfilled but the order has not yet transitioned to the ready state on
  the server when the finalization request is sent. It also respects the Retry-After header when
  polling for finalization readiness.
- The `--preferred-profile` and `--required-profile` flags now have their values stored in
  the renewal configuration so the same setting will be used on renewal.
- Fixed an unintended change introduced in 4.0.0 where `renew_before_expiry` could not be
  shorter than certbot's default renewal time. If the server does not provide an ARI
  response, `renew_before_expiry` will continue to override certbot's default. However,
  an early ARI response will override a later `renew_before_expiry` time, to account for
  notifications in case of certificate revocation, especially with the impending deprecation
  of OCSP (https://letsencrypt.org/2024/12/05/ending-ocsp/). To force a later date, users
  can replace certbot's default cron job and/or systemd timer with one with their own timing.
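The finalization sequence described in the first "Fixed" entry, as an added example that is not certbot's or the `acme` package's own code. It runs the client logic against a constructed in-memory CA stub whose order only flips to `ready` a couple of polls after all authorizations are valid, which is exactly the race the entry describes. The `FakeAcmeServer` class, the `Retry-After` values, the retry bound and the placeholder CSR and certificate bytes are all assumptions made for this illustration; only the `orderNotReady` problem type and the order status names come from RFC 8555.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional, Set

ORDER_NOT_READY = "urn:ietf:params:acme:error:orderNotReady"  # RFC 8555 section 6.7
DEFAULT_RETRY_AFTER = 1.0   # seconds to wait when the server sends no Retry-After (assumed)
MAX_FINALIZE_ATTEMPTS = 5   # assumed bound; certbot's own limits are not on this page


class AcmeError(Exception):
    """A problem document from the server, with any Retry-After it carried."""

    def __init__(self, problem_type: str, retry_after: Optional[float] = None) -> None:
        super().__init__(problem_type)
        self.problem_type = problem_type
        self.retry_after = retry_after


@dataclass
class OrderView:
    status: str                          # pending | ready | processing | valid | invalid
    retry_after: Optional[float] = None  # Retry-After header on the order response
    certificate: Optional[str] = None    # PEM, present once status is valid


class FakeAcmeServer:
    """Constructed in-memory CA. Every authorization is already valid, but the order only
    transitions pending -> ready after `polls_until_ready` status checks, and processing ->
    valid after `polls_until_valid` more, so a client that finalizes as soon as its
    authorizations pass hits orderNotReady."""

    CERT_PEM = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"

    def __init__(self, polls_until_ready: int = 2, polls_until_valid: int = 2) -> None:
        self.status = "ready" if polls_until_ready <= 0 else "pending"
        self._ready_countdown = polls_until_ready
        self._valid_countdown = polls_until_valid
        self.finalize_calls = 0

    def get_order(self) -> OrderView:
        """POST-as-GET on the order URL; each call advances the simulated CA one step."""
        if self.status == "pending":
            self._ready_countdown -= 1
            if self._ready_countdown <= 0:
                self.status = "ready"
        elif self.status == "processing":
            self._valid_countdown -= 1
            if self._valid_countdown <= 0:
                self.status = "valid"
        cert = self.CERT_PEM if self.status == "valid" else None
        return OrderView(self.status, retry_after=2.0, certificate=cert)

    def finalize(self, csr_der: bytes) -> OrderView:
        """POST to the finalize URL. Rejected with orderNotReady unless the order is ready."""
        self.finalize_calls += 1
        if self.status != "ready":
            raise AcmeError(ORDER_NOT_READY, retry_after=3.0)
        self.status = "processing"
        return OrderView(self.status, retry_after=2.0)


def poll_until(server: FakeAcmeServer, targets: Set[str],
               sleep: Callable[[float], None], max_polls: int = 20) -> OrderView:
    """Poll the order, honouring Retry-After, until its status is one of `targets`."""
    for _ in range(max_polls):
        view = server.get_order()
        if view.status in targets:
            return view
        if view.status == "invalid":
            raise RuntimeError("order became invalid")
        sleep(view.retry_after if view.retry_after is not None else DEFAULT_RETRY_AFTER)
    raise TimeoutError(f"order never reached {sorted(targets)}")


def finalize_and_download(server: FakeAcmeServer, csr_der: bytes,
                          sleep: Callable[[float], None] = time.sleep) -> str:
    """Corrected sequence: finalize; on orderNotReady wait out Retry-After, poll to ready and
    resubmit; then poll to valid and return the certificate."""
    for _ in range(MAX_FINALIZE_ATTEMPTS):
        try:
            server.finalize(csr_der)
            break
        except AcmeError as err:
            if err.problem_type != ORDER_NOT_READY:
                raise  # any other problem is a real failure, not a timing race
            sleep(err.retry_after if err.retry_after is not None else DEFAULT_RETRY_AFTER)
            poll_until(server, {"ready"}, sleep)
    else:
        raise RuntimeError("finalization was never accepted")
    return poll_until(server, {"valid"}, sleep).certificate


if __name__ == "__main__":
    waits = []
    srv = FakeAcmeServer()
    pem = finalize_and_download(srv, b"\x30\x00", sleep=waits.append)  # CSR bytes are a stand-in
    print(pem, "finalize calls:", srv.finalize_calls, "waits:", waits)
```

`sleep` is injected so the waits can be recorded instead of slept through; with the default stub the first finalize is rejected, the client waits the 3 seconds the error carried, polls twice (one 2-second wait) until `ready`, finalizes again, and polls to `valid`. Against a stub that is already `ready` the same function finalizes exactly once.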
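How the ARI suggested window interacts with a lineage's `renew_before_expiry`, covering both the "Added" ARI entry and the `renew_before_expiry` fix above, as an added example that is not certbot's own renewal code. The decision rule implemented is the one the changelog states: without an ARI response, `renew_before_expiry` (or the 30-day default) counts back from `notAfter`; with one, an earlier ARI window wins over a later `renew_before_expiry`. The ARI JSON shape (`suggestedWindow.start`/`end`) follows draft-ietf-acme-ari; the interval syntax, the 30-day default constant, the function names and the sample certificate dates and ARI replies are assumptions constructed for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# certbot has long renewed with 30 days of lifetime left; assumed here as the default.
DEFAULT_RENEW_BEFORE_EXPIRY = timedelta(days=30)

_UNITS = {"minute": "minutes", "minutes": "minutes", "hour": "hours", "hours": "hours",
          "day": "days", "days": "days", "week": "weeks", "weeks": "weeks"}


def parse_interval(text: str) -> timedelta:
    """Parse a renewal-config interval such as '30 days' or '12 hours' (format assumed)."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", text.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unrecognised interval: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def parse_rfc3339(ts: str) -> datetime:
    """ARI timestamps are RFC 3339; fromisoformat needs +00:00 in place of Z on older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def planned_renewal_time(not_after: datetime, renew_before_expiry: Optional[timedelta] = None,
                         ari_response: Optional[Dict] = None) -> datetime:
    """When the lineage should next be renewed.

    No ARI response: renew_before_expiry (or the default) counted back from notAfter.
    ARI response:    the earlier of that time and the suggested window's start, so a window
                     pulled forward (e.g. after a revocation) can never be delayed by a
                     generous renew_before_expiry. Choosing a random instant inside the
                     window, as the draft suggests, is left out to keep this deterministic.
    """
    before = DEFAULT_RENEW_BEFORE_EXPIRY if renew_before_expiry is None else renew_before_expiry
    local = not_after - before
    if ari_response is None:
        return local
    window_start = parse_rfc3339(ari_response["suggestedWindow"]["start"])
    return min(local, window_start)


def should_renew(now: datetime, not_after: datetime,
                 renew_before_expiry: Optional[timedelta] = None,
                 ari_response: Optional[Dict] = None) -> bool:
    """True once the planned renewal time has been reached."""
    return now >= planned_renewal_time(not_after, renew_before_expiry, ari_response)


# Constructed sample: a 90-day certificate (June 1 to Aug 30) and two ARI replies.
SAMPLE_NOT_AFTER = datetime(2025, 8, 30, tzinfo=timezone.utc)
SAMPLE_ARI_ROUTINE = {"suggestedWindow": {"start": "2025-07-30T00:00:00Z",
                                          "end": "2025-08-01T00:00:00Z"}}   # ~2/3 of lifetime
SAMPLE_ARI_URGENT = {"suggestedWindow": {"start": "2025-06-15T00:00:00Z",
                                         "end": "2025-06-16T00:00:00Z"},
                     "explanationURL": "https://example.invalid/incident"}  # e.g. revocation


def run_scenarios() -> Dict[str, str]:
    """Planned renewal dates (ISO 8601) for the cases the changelog describes."""
    ten_days = parse_interval("10 days")
    cases = {
        "default, no ARI": planned_renewal_time(SAMPLE_NOT_AFTER),
        "10 days, no ARI": planned_renewal_time(SAMPLE_NOT_AFTER, ten_days),
        "10 days, routine ARI": planned_renewal_time(SAMPLE_NOT_AFTER, ten_days, SAMPLE_ARI_ROUTINE),
        "default, urgent ARI": planned_renewal_time(SAMPLE_NOT_AFTER, None, SAMPLE_ARI_URGENT),
    }
    return {name: when.date().isoformat() for name, when in cases.items()}


if __name__ == "__main__":
    for name, when in run_scenarios().items():
        print(f"{name:22} -> renew on {when}")
```

The "10 days, routine ARI" case is the one the fix is about: a `renew_before_expiry` of 10 days would on its own push renewal to 20 August, but the ARI window starting 30 July wins. The "urgent" reply shows why that ordering matters once OCSP is gone: a window pulled forward to 15 June is the only signal the client gets that it should replace the certificate now, and changing the cron or systemd timer, not `renew_before_expiry`, is the way to run the check less often.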
More details about these changes can be found on our GitHub repo.