Bugs

• Fixed an issue that caused the script validation plugin to fail outside of interactive mode runs. Reported by @Trickfilm400 in #259.

Features

• The script validation plugin can now also be used to handle HTTP challenges, providing a powerful escape hatch for those looking to use this validation method through unconventional means like custom API calls, starting temporary web servers, etc. The command line arguments have been renamed in official documentation to reflect the more universal nature of the plugin, but rest assured that the old ones will continue to work indefinitely.
• @webnames-ca contributed a plugin for webnames.ca, bringing the total number of available DNS validation providers to 23! If you're interested in contributing number 24, please take a look at the reference implementation that is a great starting point for development.
• A new setting IIS.BindingFlags can be used to specify any optional binding flags that you need added to new or updated bindings. While checked flags have always been preserved on renewal, some users prefer to have this program set them automatically. Currently available flags as of Windows Server 2025 are DisableHTTP2, DisableOCSPStp, DisableQUIC, DisableTLS13, DisableLegacyTLS and NegotiateClientCert. Requested by @asmith3006 in win-acme/win-acme#2801.

Enhancements

• By default the administrators group (or localized equivalent) will be granted full control access over the private key of certificates imported into the Windows Certificate Store. This is to resolve an inconsistency between the initially created certificate (running wacs.exe under a priviledged user account) and subsequent renewals (executed by the scheduled task running runs as SYSTEM). With this change, both certificates will have the same permissions.
• We now allow users (ignoring certain hints and warnings) to to select plugins that would otherwise be disabled for user-resolvable reasons (i.e. a required network port being in use, missing permissions). This can be useful in cases where the PreExecutionScript fixes the issues before the execution stage actually runs into it. We still do not allow users to pick plugins that are disabled for more fundamental reasons (i.e. HTTP validation can never be used for wildcard certificates). Based on a discussion started by @cjs59 in https://github.com/orgs/simple-acme/discussions/162.
• Resolved an incompatibility between BouncyCastle and the native certificate handling code in .NET which forced us to fall back to a "dangerous" parser setting, triggering a log warning. Because the underlying issue was resolved this fallback has now been disabled by default, but can be re-enabled (in the unlikely case that someone came to rely on it) via the new setting AllowDangerousCertificateReparse. Based on feedback from @FootStark in #171.
• Disable the (undocumented) /help style for passing arguments on Linux so that Unix-style paths can be passed on the command line without escaping. Based on feedback by @chrswk in #177.

Bugs

• For HTTP-01 challenges, when pre-validation fails to find the correct token, actual validation would not be attempted anymore. This is supposed to be a warning signal only. Reported by @viewhero in #170.
• The file system plugin on Linux was using Windows-style directory separators (\ instead of /). Reported by @iceburgy in #158.
• The command line argument --validation [dns plugin] did not work anymore without also specificying --validationmode dns-01. The fix restores the original and intenteded behaviour, where the second argument is only required in rare cases in which plugins with the same name are available for multiple challange types. First reported by @medster10 in https://github.com/orgs/simple-acme/discussions/163.
• The DefaultValidDays setting was not working properly in v2.3.3, as discovered by @frazeradam in #190.
• Attempt to remedy an issue with the RFC2136 validation plugin where it appearantly incorrectly processes the DNS server response on second or third try requests. The issue appears to be in the underlying library and has not been reproduced, but the hope is that reconnecting for every request will improve reliability. Reported by @marco-musolesi-dinova-one in #193
• Add explicit reference to the AWSSDK.SecurityToken package to avoid crash when using an STS role to authenticate. Reported by @GeneralFox in #238.

Code

• Update various third party package references, including a couple with security vulnerabilities that were uncaught by @dependabot because they were indirect references brought in via another package.

Features

• Support Certificate Profile Selection. This allows users to opt in to different types of certificates offered by servers. In case of Let's Encrypt, they currenty offer a tlsserver profile and a shortlived profile. This will be asked in "full options" mode when using the UI, can be specified from the command line using the --profile option and the default value can be configured in settings.json.

Enhancements

• Option to inherit settings.json per-endpoint and per-renewal, as to enable more advanced configuration scenarios. For example if you need one of your certificates to have 4096 bit keys while others need 2048 bit keys, you would previously have to install two copies of the program side-by-side, whereas now that's a relatively simple configuration fix.
• Global validation options can now be configured from the command line using the arguments --globalvalidation and --globalvalidationpriority, making them easier to set up for unattended scenarios. Requested by @LegendaryTokash95 in win-acme/win-acme#2770.
• Introduce the --challengeroot arguments as an alternative to the --webroot argument for remote HTTP validation (e.g. FTPS). Instead of linking to the website root, this new argument should be a path straight to the .well-known/acme-challenge path, allowing you to use credentials with more limited access. In interactive mode this translates to an extra question for the user. Requested by @a82kd in win-acme/win-acme#2716.
• The Route 53 plugin can now be configured for different AWS regions beside the default us-east-01, which is particularly useful for Chinese users. Requested by @yang-xiaodong in win-acme/win-acme#2790.
• Plugins can now be loaded from a configurable folder (default: %programdata%\simple-acme\{endpoint}\plugins), making them easier to manage especially for users of the dotnet tool distribution of the program.
• IIS installer changes:
  • We have become slightly more agressive in updating bindings for first-time installations. All matching bindings on the site are replaced instead of only the first or best matching one(s). This is more in line with user expectations yet still allows alternative/manual certificates to co-exist with the ACME managed ones for subsequent renewals.
  • If you are using a manual source, the --installationsiteid parameter is no longer required. Not specifying it will ensure that matching bindings for all sites are replaced.
  • Code has been enabled to allow it to create bindings for IP Address Certificates. For now IP address certificates can only be requested using the manual source.

Bugs

• On certificate shape changes (new/removed host names), the wrong ID was sent to the server for ARI replacement.
• The desired friendly name for the certificate would get lost if the server included leading comments in the PEM data. Reported by @Moechen in #134.
• For the Domaneshop plugin the --clientsecret argeument was not marked as a "Secret", which allowed it to be reflected in the logs.
• When unspecified, the default ProtectionMode for the certificate cache will now be "Legacy" instead of "Default", improving compatibility for upgraders. Discovered by @LumKitty in https://github.com/orgs/simple-acme/discussions/30.

Code

• Published a new repository for reference scripts. Going forwards this will be the preferred distribution channel for validation, execution and installation scripts, preventing people from becoming overly dependent on the /Examples folder distributed with the program.
• New reference project for DNS validation plugins. It combines all best practices for a basic implementation of a DNS provider with a REST API without any bells and whistles, but with verbose comments to guide you (or your favorite AI assistent 🤖) to fill in the gaps. Contributions of new DNS plugins are always welcome.
• Generate documentation for settings.json from the code, making it easier to keep the website up to date.
• Improved and more JSON schemas (i.e. validation.json and secrets.json), providing a better editor experience in Visual Studio Code and other editors with support for this. Plugins without manually crafted schema's published for them are now still included with an automatically generated schema.
• Update various third party packages.

Features

• The manual validation plugin can now handle HTTP challenges as well, instead of only DNS challenges. While manual validation is not recommended (especially with certificate lifetimes becoming ever shorter) it is a tool on the belt that's been requested by several users over the years, most recently @pnmsib in https://github.com/orgs/simple-acme/discussions/34
• A new none validation plugin can be selected if your domain(s) have been pre-authorized by the ACME server. This is especially useful for pre-authorized wildcards, where the program would previously force the user to configure one of the DNS based options. Requested by @mattTrustzone in https://github.com/orgs/simple-acme/discussions/27
• It is now possible to use an external script as the source for a renewal. This may be used to request a CSR from a third party tool. Requested by @kentuckyvmdude in win-acme/win-acme#2718
• Two new (read only) secret vault plugins are shipped with the program. The script vault calls a script configurable in settings.json to retrieve a secret and is intended as a bridge to connect to third party secret management solutions that do not have native plugin available (yet). The environment vault looks at environment variables and is intended for servers that are under configuration management.
• @jbubik contributed an example script that renews certificates in Sparx ProCloud (#29)

Enhancements

• A new settings called DnsPropagationDelay allows users to configure an additional delay after DNS prevalidation is succesful. This allows certain providers with multi-homed IP infrastructure (e.g. GoDaddy, DNS Made Easy) to complete world-wide synchronisation before the challenge answer is submitted.

Bugs

• Renewals that failed once, could also fail on future runs, due to the ARI replacement metadata included with the request. Thanks for the report @ithielnor.
• Configuring Route 53 DNS validation interactively was broken in release v2.1.3.9. Reported by @gp-jraynes in #47
• Data loss could occur if the drive containing the {ConfigurationPath} (default: C:\) would run out of free space. Reported by @JashanChittesh in win-acme/win-acme#2765.
• HTTP responses would not be logged if the the Content-Length header was not set by the server

Code

• *.renewal.json files will now contain a reference to a published JSON schema, improving the manual editing experience. Note that not all plugins have their specific schemas published yet, contributions in this are most welcome.
• simple-acme and its plugins are now available via official Chocolatey packages. Previously community members have created unofficial packages, but these ones are automatically created and updated during the release process.
• Activated Dependabot to make GitHub automatically create pull requests when there are third party dependency updates, and automatically merge them if they are minor updates that pass basic checks.
• Updated various third-party dependencies.

Features

@zgcwkj contributed a new DNS validation plugin for HuaWeiCloud (#7).

Enhancements

• Prefer the original BaseUri setting/argument for all ACME servers that are not Let's Encrypt, saving users of alternative servers from unnecessary warnings at startup about the /directory endpoint not existing.
• @P6g9YHK6 contibuted example scripts that open and close port 80 on the Windows firewall before and after attempting a renewal (#11)
• @c-s-cott contributed an example script for the DNS script plugin to use with ZoneEdit (#13)
• The Route 53 (AWS) DNS validation plugin is now able to authenticate using a full ARN role, requested by @slauger in #24.

Bug fixes

• We now handle a BaseUri with query string parameters properly, requested by @jure123
  (win-acme/win-acme#2704)
• The setting UseNextGenerationCryptoApi was broken in v2.2.9.1, reported by @lukas-m (win-acme/win-acme#2757).
• Improved compatibility with serles-acme, thanks for debugging @nwalther4 (win-acme/win-acme#2747)
• Editing a renewal would unnecessarily recreate the scheduled task. Reported by @LumKitty (win-acme/win-acme#2755).
• @ptsoccer fixed the ImportRDListener.ps1 example script to support Windows Server 2025 (#8)
• Fix for the DNS script validation plugin leaking secrets from the vault (if used as command line parameters) to the log. From this release they will show as **** in the log, like in other places.
• @moorereason fixed a typo (#19).

Code

• All binaries are now signed with a valid code signing certificate, thanks to a new sponsorship by SignPath.io. This allows users to verify that the builds published have been created from (only) the public source and even specifically from which exact commit the build has been made. This should also eliminate warnings from Windows about the software publishing being "untrusted" and might reduce false positives from anti-virus software.
• Upgrade from .NET8 to .NET9 (required to fix win-acme/win-acme#2757).
• Update various third-party dependencies.

Features

• A new store plugin is include to generate .p7b files for those who need them. Based on feedback by @mtolentino47

Enhancements

• It's now possible to configure the location that the program should use download the public suffix list from with the setting Acme.PublicSuffixListUri. This also makes it possible to entirely disable updates, by configuring an empty string. Based on feedback by @Jakl-H.
• @zvillian updated the example script ImportNTDS.ps1 (#3)
• @fardarter added support for user-assigned managed identities in the common Azure library, which means that is now support for both Azure DNS validation and Azure KeyVault storage.
• It's now possible to set the maximum number of host names that is allowed to be included in a single certificate using the setting Acme.MaxDomains. This was previously hard-coded to 100 because that is the long-standing limit for Let's Encrypt, but it may be higher for other services or private solutions. Based on feedback by @rvarma639.

Code changes

• Configured some automatic checks for pull requests like CodeQL and unit tests

Welcome to simple-acme!

This project is the technical and spiritual successor of win-acme. Drop-in compatible, but cross platform and for the first time fully owned by the guy who's been maintaining it for the last 6 years. You can read more about the backstory on the brand new website: simple-acme.com. With that introduction out of the way, we'll kick this change log off right after the most recent release of win-acme, which was 2.2.9.1.

Features

• It's now possible to run the program on Linux. This should be considered a beta feature as it has only been tested on Ubuntu 24.04 in WSL so far. The Linux version uses a cronjob instead of the Windows Task Scheduler and aside from some very Windows-specific plugins supports all the features that you know and love from the Windows builds.
• The website has been completely redesigned and rebuilt. Not only does it use a new HTML/CSS template, but all content has been revised more parts are automatically generated based on data files generated by the program itself, to ensure more consistency between the documentation, the build process, and the code.
• A new setting Validation.PreValidateDnsLocal was added to instruct the program to wait for local DNS server to see the validation record before submitting the challenge answer. When set to false (which is the default) the program only waits for the authoritative name servers to reflect the correct TXT record, but this is seemingly not enough in some cases. Specifically GoDaddy exhibits this issue, as reported by @chargerback-ron in #2639.
• Improved control over encryption options for generated PKCS12 archives (PFX files), allowing users to choose between RC2-40 encryption (weaker and therefor not supported by OpenSSL 3.x, but supported on all versions of Windows) or AES-256 encryption (stronger but only supported on Windows 2019 and above). This is now configurable for the internal cache, the CentralSsl store plugin and the PfxFile store plugin. Based on feedback provided by @acomick #2606.
• A new command line switch --config outputs some nice-to-have details about the program version and current configuration in JSON format, which can be used for automation purposes.

Enhancements

• Output of the --help switch was cleanup up. Previously its output also served as markdown for the documentation website, but now there are separate functions for console rendering and generation of .yml files for the documentation website.
• The --eab-key switch may now be a reference to the secret vault.
• Improved logging
  • We now log all messages to disk, even those that previously only appeared on the screen during early initialization.
  • We clearly mark different runs of the program for the same day.
  • We capture exception details for warnings, instead of only for errors.
  • Switched off the spammy debug messages for the Autofac scopes.
  • Include timestamp for every line in the disk log
• Self-hosting plugins for HTTP and TLS challenges now test if they're actually able to create listeners to determine their enabled states, instead of relying on the general heuristic that privileged users should be able to do so. This makes it possible for non-administrators to be authorized to use this method (on Windows) using the netsh http urlacl command, and makes sure the program detects ports being in use at earlier stage.
• Plugin loader prevents loading the same plugin twice and also showing the same exception twice.
• When using --source iis, --installation iis is now implied, whereas previously that would have to explicitly added. If you do not want or need the installation step, you now need to specify --installation none. Suggested by @pinepunch in #2654.
• If the program fails to create the scheduled task, it will now quit with a non-zero exit code, making it easier for automation to detect the problem. Suggested by @BrukerJWD in #2643.
• Improved error handling for startup errors, such as missing/invalid BaseUri. Based on feedback from @tenscrolls in #2643.

Bug fixes

• Fixed an issue where the desired notAfter date was actually passed as notBefore, causing orders to fail for users with the option Order.DefaultValidDays set. Reported by @jshall in #2628.
• Fixed a crash when installing a certificate to IIS when the original installation site has been stopped or deleted. Reported by @Spetsen in #2616.
• Fixed an issue where the --test switch didn't affect the default self-hosted validation, making it more difficult to diagnose any problems related to it. Reported by @Somebodyisnobody in #2664.
• Fixed an ArgumentOutOfRangeException that could occur when the program would attempt to create a DNS validation record in the wrong zone. Noticed by @ArmandasRokas in #2638.
• Fixed a crash when the program is not allowed to apply ACL settings to its configuration folder. Noticed by @billsey in #2604.
• Fixed ARI related information being sent to servers that do not indicate support for it, potentially causing exceptions like the one reported by @danhausman in #2607.
• Fixed bug that caused authentication failures when using the Azure China Cloud or Azure Government Cloud, reported by @benjessie in #2669.

Code changes

• Upgraded from .NET7 to .NET8 and applied C# 12.0 refactorings.
• Source organization: move WebDAV, FTP(S), acme-dns and SFTP plugins to separate projects, removing some third party dependencies from the core library. A future release of simple-acme might publish these plugins as separate downloads instead of integrated components.
• Build scripts have been enhanced. For plugins, we automatically detect which additional .dll files are added relative to the base build. This means it's less work to create and maintain plugins and permanently gets rid of issues similar to #2623 reported by @rme-wtag and #2636 reported by @admwallw.
• We now automatically calculate and publish SHA256 hashes for all build artifacts so that you can verify the distributed files' integrity after downloading them.
• Update various third party dependencies.