New
- @guywyers contributed a new plugin for DNSExit, many thanks!
- @msschl contributed a new plugin for Hetzner, bringing the total number of DNS validation plugins up to 20!
- @mcnc-clovett contributed an example script for AD DS (NTDS) (#2551)
Enhancements
- This release changes the implementation of ARI (ACME Renewal Information) from the draft 1 to draft 3 of the specification, to remain compatible with the leading implementation in Boulder / Let's Encrypt. Previous win-acme releases from 2.2.3 to 2.2.8 are currently reporting non-fatal errors because draft 1 compatibility was dropped by Let's Encrypt (#2582).
- Certificate handling now leans almost exclusively on the BouncyCastle library instead of native .NET methods. A conversion is only done when storing certificates in the Windows Certificate Store, which makes the whole system more robust against the quirky ways that Windows can handle private keys under specific circumstances (e.g. missing/temporary user profiles, group policies, etc.).
- In rare cases the program would hang indefinitely at startup due to a bug in the proxy detection logic somewhere in the Microsoft platform. In this release the first connection attempt times out after 30 seconds and then automatically retries with proxy detection disabled. Reported by @eliassal in #2567, but previously seen a lot in AWS instances (e.g. #1127, #2203).
- Improve support for EnTrust and possibly other not-quite standard ACME implementations. Reported and tested by @danieltintinkarlsson (#2570)
- @cboyce428 improved error logging for various DNS plugins (#2577)
- When using --nocache, any previously successful validations are discarded before starting the run, suggested by @jt-moore (#2583)
- Use proper random passwords instead of empty strings or GUIDs for in-memory manipulation of certificates.
- Updated various third party dependencies to their latest versions
Bugs
- @cjs59 fixed a bug in the InstallExchangeHybrid.ps1 example script that caused it to fail for Sectigo and other ACME providers (#2568)
- Version 2.2.8 was missing a new .dll file required for the Azure DNS plugin, first reported by @oeriksen (#2536)
- The Aliyun (Alibaba) plugin was not working for sub domains. Reported by @LEIRONGHUA and fixed by @zgcwkj (#2537)
- Fixed the dreaded CryptographicException: Bad Data error that happened for some users, thanks to @akintali for testing (#2493)
- The --import command now respects the --notaskscheduler option.
- @rmja fixed the Simply plugin for DNS records with empty priority fields
Sponsors
This release was funded by
One gold sponsor:
Two silver sponsors:
And four bronze sponsors:
- e-shop LTD
- The Proof Group @proofgroup
- imagenia.fr
- Certify the web
Support
If you want to support the win-acme project, want your company listed up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.