Skip to content

1.22.0 (2022-12-11)
Compare
Choose a tag to compare
@mathiasertl mathiasertl released this 18 Feb 10:16
· 828 commits to main since this release
1.22.0
This tag was signed with the committer’s verified signature. The key has expired.
mathiasertl Mathias Ertl
GPG key ID: 70BD9664FA3947CD
Expired
Learn about vigilant mode.
2db18d1
This commit was signed with the committer’s verified signature. The key has expired.
mathiasertl Mathias Ertl
GPG key ID: 70BD9664FA3947CD
Expired
Learn about vigilant mode.

WARNING

  1. docker compose users: Update from 1.20 or earlier? See the update notes to switch to named volumes.
  2. Django app or source users: Changes in cryptography 38 make it incompatible with common versions of certbot. See Warning: cryptography 38.

Changes

  • Add support for Python 3.11, Alpine 3.17, Django 4.1, cryptography 38.0 and acme 2.0.
  • Support for MD5 and SHA1 hashes is removed, as they are no longer supported in upcoming releases of cryptography.
  • New signals pre_sign_cert and post_sign_cert that receive the values as passed to the cryptography library.
  • Add the ability to force inclusion/exclusion of the IssuingDistributionPoint extension in CRLs.
  • Ensure that CRLs are regenerated periodically before the cache expires.
  • Switch to the Djangos built in Redis cache <https://docs.djangoproject.com/en/4.1/topics/cache/#redis>_ in the docker compose setup.

Admin interface

  • Almost all extensions used in end entity certificates can now be modified when creating new certificates. The following additional extensions are now modifiable: Authority Information Access, CRL Distribution Points, Freshest CRL, Issuer Alternative Name, OCSP No Check and TLS Feature.

    Limitations:

    • The CRL Distribution Points and Freshest CRL extensions can only modify the first distribution point. If the selected profile defines more then one distribution point, they are added after the one from the admin interface.
    • The Certificate Policies extension cannot yet be modified. If the selected profile defines this extension, it is still added to the certificate.

  • Initial values for the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions are set based on information from the default certificate authority. Values may be masked by the default profile.

  • Selecting a certificate authority will automatically update the Authority Information Access, CRL Distribution Points and Issuer Alternative Name extensions based on the configuration.

  • Because the the user can now modify the extensions directly, the add_* directives for a profile now have no effect when issuing a certificate through the admin interface.

ACMEv2 support

  • Handle clients that do not send the termsOfService field during registration.
  • Improve error handling when the CSR cannot be parsed.
  • An ACME account is now considered usable if it never agreed to the terms of service and the certificate authority does not define any terms of service. Certain versions of certbot (at least version 1.31.0) never ask the user to agree to the terms of service if there are none to agree to.
  • Allow clients to agree to the terms of service when updating the account.

Minor changes

  • The Docker image is now based on python:3.11-alpine3.17.
  • Access Descriptions in the Authority Information Access extension will now always order OCSP URLs before CA Issuers, inverting the previous behavior. The order of values does not matter in practice.

Backwards incompatible changes

  • The docker-compose setup requires at least docker-compose 1.27.0.
  • The docker-compose setup now uses Redis 7.
  • Drop support for cryptography 35.0.
  • Drop support for acme 1.23, 1.24, 1.25 and 1.26.
  • Drop support for Celery 5.0.
  • Require django-object-actions 4.0 or higher.
  • Remove the --ca-crl parameter in manage.py dump_crl (this was a left over and has been marked as deprecated since 1.12.0).
  • Drop django-redis-cache from the redis extra, as the project is abandoned. Please switch to the built in redis cache instead. If you still use Django 3.2, please manually install the backend.
  • ExtendedKeyUsageOID.KERBEROS_CONSTRAINED_DELEGATION was removed, use the identical ExtendedKeyUsageOID.KERBEROS_PKINIT_KDC instead.

Deprecation notices

  • This is the last release to support for Python 3.7.
  • This is the last release to support Django 4.0.
  • This is the last release to support cryptography 36.0.
  • This is the last release to support acme 1.27.0, 1.28.0 and 1.29.0, 1.30.0, 1.31.0 and 2.0.0.
  • This is the last release to support Alpine 3.14 and 3.15.
  • The acme extra will be removed in in the next release.
  • The pre_issue_cert is deprecated and will be removed in django_ca==1.24.0. Use the new pre_sign_cert signal instead.
  • The subject wrapper class django_ca.subject.Subject is deprecated and will be removed in django-ca==1.24.0.
  • Extension wrapper classes in django_ca.extensions are deprecated and will be removed in django_ca==1.24.0.
Assets 2
Loading