Pebble v2.3.0

@pebblebot pebblebot released this 18 Dec 19:38

Features

  • Added an ACME account "orders list" endpoint for finding order URLs associated with an account. See RFC 8555 §7.1.2.1.
  • Updated pebble-challtestsrv with an API for mocking DNS SERVFAIL responses for a hostname.
  • Added support for ACME external account binding (EAB) for new account requests. See RFC 8555 §7.3.4.

Bug-fixes

  • The pebble-challtestsrv's mock CNAME delete API is fixed to remove the CNAME mock record instead of the CAA mock record for the given hostname.
  • Changed PEBBLE_ALTERNATE_ROOTS intermediate certificates to have the same subject, matching the issuer of the issued leaf certificates.
  • Fixed key rollover request handling for requests that fail inner JWS verification.
  • Finalize requests that include a CSR that specifies a certificate public key already used by an ACME account now receive a badCSR type problem. See RFC 8555 §11.1.
  • Authorizations for ACME-IP identifiers are fixed to only contain HTTP-01 and TLS-ALPN-01 challenges, not DNS-01. See draft-ietf-acme-ip §7.
  • Added support for POST-as-GET requests in addition to GET/HEAD for directory and newNonce endpoints. See RFC 8555 §6.3.
  • Fixed handling of HTTP-01 validation requests that are redirected to a different port (e.g. 443).

Misc

  • A Subject Key Identifier value is now included in all issued certificates. See RFC 5280 §4.2.1.2.
  • The Pebble ACME API and management API ports (14000 and 15000) are now marked exposed in Dockerfile metadata.
  • TLS 1.3 for Pebble's validation requests is explicitly enabled by env var in the Docker environment.
  • The project and CI now use Go 1.13 and golangci-lint v1.21.0.

New configuration options

  • The PEBBLE_WFE_ORDERS_PER_PAGE env var can be used to control the account orders list endpoint's pagination. By default up to 15 order URLs are returned per response.
  • The "externalAccountBindingRequired" config file boolean field can be used to control whether all newAccount requests must use external account binding.
  • The "externalAccountMACKeys" config file key/value object field can be used to specify external account binding key IDs and encoded MAC keys. See test/config/pebble-config-external-account-binding.json for an example.
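
The checks a server applies to the external account binding JWS of RFC 8555 §7.3.4, which the two options above turn on, shown as an added example (not Pebble's own code). It assumes HS256 only, MAC keys already decoded to bytes, and a byte-for-byte comparison of the account key; `EAB`, `NewEAB`, `VerifyEAB` and every sample value are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JWS uses

// EAB holds the members of the flattened JWS sent as "externalAccountBinding".
type EAB struct{ Protected, Payload, Signature string }

func eabMAC(key []byte, protected, payload string) string { // encoded HS256 tag
	m := hmac.New(sha256.New, key)
	m.Write([]byte(protected + "." + payload))
	return b64.EncodeToString(m.Sum(nil))
}

// NewEAB is the client side: MAC the account JWK under the given header JSON.
func NewEAB(key []byte, hdrJSON, jwk string) EAB {
	p, pl := b64.EncodeToString([]byte(hdrJSON)), b64.EncodeToString([]byte(jwk))
	return EAB{p, pl, eabMAC(key, p, pl)}
}

// VerifyEAB is the server side; outerURL and outerJWK come from the outer JWS.
func VerifyEAB(e EAB, keys map[string][]byte, outerURL, outerJWK string) error {
	var h map[string]string
	if raw, err := b64.DecodeString(e.Protected); err != nil || json.Unmarshal(raw, &h) != nil {
		return fmt.Errorf("malformed protected header")
	}
	key, known := keys[h["kid"]]
	_, hasNonce := h["nonce"]
	switch {
	case h["alg"] != "HS256" || hasNonce || h["url"] != outerURL:
		return fmt.Errorf("header needs alg=HS256, no nonce, url=%q", outerURL)
	case !known || !hmac.Equal([]byte(e.Signature), []byte(eabMAC(key, e.Protected, e.Payload))):
		return fmt.Errorf("unknown key ID or bad MAC") // never MAC with a missing (empty) key
	case e.Payload != b64.EncodeToString([]byte(outerJWK)): // byte-for-byte, a simplification
		return fmt.Errorf("payload is not the outer account key")
	}
	return nil
}

func main() { // constructed demo values, not real credentials
	e := NewEAB([]byte("demo-key"), `{"alg":"HS256","kid":"kid-1","url":"https://ca.example/new-acct"}`, `{"kty":"EC"}`)
	fmt.Println(VerifyEAB(e, map[string][]byte{"kid-1": []byte("demo-key")}, "https://ca.example/new-acct", `{"kty":"EC"}`))
}
```

The `!known` test matters because an HMAC keyed with the empty value of a missing map entry is something any client can compute.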

Heartfelt thanks to @felixfontein, @sergioaugrod, @0pq76r, @Drakezul, @JoshVanL and @munnerz for their contributions to this release.