v4.18.0

• The POSHACME_HOME environment variable now supports Windows-style (surrounded by %) environment variable expansion. (#497)
  • So you can set the value to %ProgramData%\Posh-ACME instead of needing to set it explicitly to C:\ProgramData\Posh-ACME for example.
  • NOTE: This requires Windows-style environment variable strings even on non-Windows OSes.
• The Azure plugin no longer tries to re-use cached authentication tokens when using the AZAccessToken parameter set. (#498)
• Fixed a bug with the Azure plugin that broke authentication when submitting multiple orders with different credentials from different tenants. (#498)
• Fixed a problem using Posh-ACME within AWS Lambda due to non-standard dotnet runtime assembly configs. (#418) (Thanks @garthmccormack)
  • This fix involved changing the RevocationReasons enum from a .NET type to a PowerShell native enum.
  • The change constitutes a minor breaking change which makes the enum no longer accessible from outside the module's context, but tab completion and string converted values for the Revoke-PACertificate -Reason parameter work exactly the same as before.

v4.17.1

• Fixed Hetzner plugin for accounts with 100+ zones. (#481) (Thanks @Deutschi)
• Fixed RFC2136 plugin ignoring the DDNSNameserver parameter when set. (#485) (Thanks @gvengel)

v4.17.0

• New DNS plugins
  • Google Domains This should be considered experimental while the Google Domains ACME API is still in testing. (Thanks @webprofusion-chrisc)
  • IONOS (Thanks @RLcyberTech)
  • SSHProxy sends update requests via SSH to another server which is able to do dynamic updates against your chosen DNS provider. (Thanks @bretgiddings)
• The DDNSNameserver parameter is no longer mandatory in the RFC2136 plugin which will make nsupdate try to use whatever primary nameserver is returned from an SOA query.
• Added Basic authentication support to the AcmeDns plugin which should allow it to be used against endpoints that enforce that such as Certify DNS.
• Added support for plugin parameters that are arrays of SecureString or PSCredential objects.
• Fixed PAServer switches getting reset on Set-PAServer with no params (#475)

v4.16.0

• New DNS plugins
  • Active24 (Thanks @pastelka)
  • Bunny.net (Thanks @webprofusion-chrisc)
• Added -Subject parameter to New-PACertificate, New-PAOrder, and Set-PAOrder which will override the default x509 Subject field in the certificate request sent to the ACME CA. This can be useful for private CAs that allow for additional attributes in the Subject that public CAs don't.
• Fix for undocumented NameSilo API change. (Thanks @rkone)
• Fix for All-Inkl plugin that makes the plaintext KasPwd parameter actually send plaintext since All-Inkl has deprecated the SHA1 option.

v4.15.1

• Reverted the embedded BouncyCastle library back to 1.8.8 due to version conflicts with Az.KeyVault in PowerShell 6+. This is temporary while a suitable workaround for version conflicts in other modules is explored.
• Fixed Domeneshop plugin when publishing apex TXT records and added more API output to debug messages.

v4.15.0

• PAOrder objects now have a flag to optionally use modern encryption options on generated PFX files. This will prevent the need to use "legacy" mode when reading the files with OpenSSL 3.x. However, it breaks compatibility with OpenSSL 1.0.x and earlier.
  • You can use the -UseModernPfxEncryption flag with New-PACertificate, New-PAOrder, and Set-PAOrder. When used with Set-PAOrder, existing PFX files will be re-written based on the flag's new value.
  • Use Set-PAOrder -UseModernPfxEncryption:$false to switch back to the default setting.
  • The default for new orders will likely remain off until Posh-ACME 5.x is released.
• Added new DNS plugin PortsManagement (Thanks @wemmer)
• The GCloud plugin has a new optional parameter, GCProjectId that takes one or more string values. This is only required if the DNS zones to modify don't reside in the same project as the service account referenced by GCKeyFile or they reside in multiple projects. When used, be sure to include all project IDs including the one referenced by GCKeyFile.
• Added Google's new free ACME CA to the CA comparison doc
• Upgraded the embedded BouncyCastle library to 1.9.0
• Fixed UKFast plugin to support paging for accounts with many domains (Thanks @0x4c6565)
• Fixed PFX friendly name generation when not provided in the order.

v4.14.0

• Added new DNS plugin Porkbun (Thanks @CaiB)
• Added server shortcuts for Google's new ACME CA, GOOGLE_PROD and GOOGLE_STAGE.
• Added server shortcuts for SSL.com, SSLCOM_RSA and SSLCOM_ECC.
• Added UseAltAccountRefresh switch to Set-PAServer to workaround CAs that don't yet support direct account refreshes such as Google, SSL.com, and DigiCert. (#372) (#394)
  • New configs should have this set by default for CAs known to need it. But you will need to explicitly set it on any existing configs for these CAs.
• Added LifetimeDays param on New-PACertificate, New-PAOrder, and Set-PAOrder to enable user requested cert lifetimes for ACME CAs that support the feature.
  • Google's CA is the only free ACME CA known to currently support this and the order lifetime cannot be changed once it is created. Setting a new value on an existing order will only change the lifetime on subsequent renewals.
• Updated Azure plugin to use the latest stable API version.
• Updated Azure guide to account for breaking changes in the Az module.
• Fixed GoDaddy plugin when using it with delegated sub-zones. (#430)
• Fixed New-PAAccount when importing an existing key on CAs that require external account binding.
• Reduced the number of account refreshes that happen as part of normal operations.

v4.13.1

• Fixed Loopia plugin after an upstream API change broke it. (Thanks @AlexanderRydberg)

v4.13.0

• Added new DNS plugin LeaseWeb
• Simply plugin migrated to v2 of the API. No changes should be necessary for existing users.

v4.12.0

• The WebRoot plugin now supports multiple paths for the WRPath parameter. (#411)
• ClouDNS plugin error handling was modified so that invalid credential errors are properly surfaced instead of just throwing generic "zone not found" errors. (#414)
• Fixed a potential bug with Submit-OrderFinalize when multiple orders have the same MainDomain property.
• Fixed New-PACertificate not properly updating an existing order with updated order params (#412)