
Releases: gregtwallace/certwarden

LeGo CertHub v0.16.0 (Pre-release)

25 Nov 19:44

[v0.16.0] - 2023-11-25

Caution

This version's binary and docker images have been removed due to
a security flaw. Migrate away from this version IMMEDIATELY!

The frontend has been completely updated to TypeScript with full type
safety. This involved a ton of code changes, please report any issues.

If you experience something breaking, the previous version has the same
config and database versions, so report the issue and downgrade both
the frontend and the backend binary to the previous version.

Added

  • Add a redirect when an invalid page is specified while viewing a table
    of things (e.g. keys, certs).
  • Add redirect of any frontend path when logged out to the main root
    path.

Changed

  • Complete overhaul to implement TypeScript.
  • Overhaul backend responses to be more detailed and consistent.
  • Update contexts and hooks on frontend for a little bit more sanity.
  • Update the input handler to use recursion so it supports objects of any
    depth, and change its approach so it is compatible with type safety.
  • Update frontend server url validation to confirm only valid
    characters in addition to https.
  • Submit button on forms is always enabled.
  • Use regex for field name matching to look up value type and error
    message.
  • Remove some info from displaying on providers summary page. To get
    all of the details, click into 'Edit'.
  • Update type for validation errors and method of recording errors.
  • Update frontend dependencies.

Fixed

  • Update Axios version to address a security issue.
  • Show success or error message on password change.
  • Fix sorting of account list by environment column.
  • Add missing CSR 'State' field.

Removed

N/A

LeGo CertHub v0.15.2 (Pre-release)

07 Nov 02:25

[v0.15.2] - 2023-11-06

Caution

This version's binary and docker images have been removed due to
a security flaw. Migrate away from this version IMMEDIATELY!

This release is quality of life. It mainly addresses things related to
logging.

Added

  • Info log logout success.

Changed

  • Tweak wording on frontend describing the order queue.
  • Reorder CSP params.
  • Rename error handling middleware to not use the word error.

Fixed

  • Fix inaccurate info logging of certain information when serving the
    frontend. This was creating log clutter that should only be in debug.
  • Fix CSP whitespace on default policy.
  • Fix typing of json response Message field.

Removed

N/A

LeGo CertHub v0.15.1 (Pre-release)

01 Nov 03:25

[v0.15.1] - 2023-10-31

Caution

This version's binary and docker images have been removed due to
a security flaw. Migrate away from this version IMMEDIATELY!

This release is mostly quality of life improvements. Various security
mechanisms are fine-tuned and some minor bugs are fixed.

Added

  • Add Referrer-Policy and set to no-referrer.
  • Add more security headers to all server responses.
  • Use a nonce for styles in the Content Security Policy by setting it on a
    meta property and rewriting the relevant js file on the fly when the
    backend serves it.

Changed

  • Tighten up Content Security Policy.
  • Rewrote backend middleware logic to make code easier to follow and to make
    it easier to adjust middlewares moving forward.
  • Don't use CORS on 404 error.
  • Secure change password and logout routes with access token. (This was
    secure before, the logic is just more consistent now.)
  • Simplify backend logout logic.
  • Auth minor code cleanup for clarity.
  • Rename refresh token to session token and update references to 'session'
    for consistency.
  • Update dns_checker log messages.
  • Use full base64 character set for nonce generation.
  • Simplify (streamline) frontend useAuth hook.

Fixed

  • Fix broken checkbox when editing an ACME Server.
  • Fix Vary header usage logic for download.
  • Update auth log message format to match new format.
  • Add proper fallback options to Content Security Policy.
  • Fix retry logic on frontend during access token refresh (fewer unneeded
    retries will occur).

Removed

  • Remove nonce from scripts in Content Security Policy and only allow
    'self' in script Content Security Policy.

LeGo CertHub v0.15.0 (Pre-release)

24 Oct 03:08

[v0.15.0] - 2023-10-23

Warning
You must ensure your config.yaml is at least config_version: 1 prior to
installing or LeGo will not start.

Note: If you are new or don't have a config.yaml, one will be created for
you on the first run of LeGo.

Moving forward LeGo will enforce config_version but will migrate seamlessly
unless there are notes to the contrary. Such notes will list the specific
actions needed. To assist with changes across versions, all releases now
include a config.changelog.md which notes all changes, not just breaking
changes.

If you are already on the previous version (0.14.1) you can just manually
insert config_version: 1 without any other changes. You should still
review the config default and example to ensure you have the options you
want.
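The config_version gate described above, as an added example written for this page (it is not LeGo's own startup code). The decoded config is represented as a plain map, since YAML parsing is left to whichever library the caller uses; the single migration step renames cors_permitted_origins to cors_permitted_crossorigins, which is the rename this release actually makes, but the migration chain, the function names and the rejection of a file that sets both keys are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// currentConfigVersion is the schema this build expects; the 0.15.0 notes
// describe an automatic migration from 1 to 2.
const currentConfigVersion = 2

// errNeedsManualUpgrade covers config_version 0 or missing, which the notes
// say needs manual intervention.
var errNeedsManualUpgrade = errors.New("config_version missing or 0: add config_version: 1 to config.yaml before starting")

// config stands in for the decoded config.yaml; a YAML library would
// produce this map and parsing is out of scope here.
type config map[string]any

// configVersion reads config_version, treating an absent key as 0.
func configVersion(c config) (int, error) {
	v, ok := c["config_version"]
	if !ok {
		return 0, nil
	}
	switch n := v.(type) {
	case int:
		return n, nil
	case float64: // some decoders deliver YAML integers as float64
		return int(n), nil
	default:
		return 0, fmt.Errorf("config_version has unexpected type %T", v)
	}
}

// migrate1to2 is a hypothetical step modelled on the rename of
// cors_permitted_origins to cors_permitted_crossorigins in this release.
func migrate1to2(c config) error {
	if old, ok := c["cors_permitted_origins"]; ok {
		if _, clash := c["cors_permitted_crossorigins"]; clash {
			return errors.New("both cors_permitted_origins and cors_permitted_crossorigins are set; remove the old key")
		}
		c["cors_permitted_crossorigins"] = old
		delete(c, "cors_permitted_origins")
	}
	c["config_version"] = 2
	return nil
}

// migrations maps a from-version to the step that advances it by one.
var migrations = map[int]func(config) error{
	1: migrate1to2,
}

// enforceConfigVersion refuses to start on an unsupported schema and walks
// the migration chain up to currentConfigVersion. It returns the versions
// it migrated from so the caller can log them.
func enforceConfigVersion(c config) ([]int, error) {
	v, err := configVersion(c)
	if err != nil {
		return nil, err
	}
	if v < 1 {
		return nil, errNeedsManualUpgrade
	}
	if v > currentConfigVersion {
		return nil, fmt.Errorf("config_version %d is newer than the supported version %d", v, currentConfigVersion)
	}
	var applied []int
	for v < currentConfigVersion {
		step, ok := migrations[v]
		if !ok {
			return nil, fmt.Errorf("no migration from config_version %d", v)
		}
		if err := step(c); err != nil {
			return nil, err
		}
		next, err := configVersion(c)
		if err != nil || next <= v {
			return nil, fmt.Errorf("migration from config_version %d did not advance the version", v)
		}
		applied = append(applied, v)
		v = next
	}
	return applied, nil
}

func main() {
	// constructed sample: a 0.14.1-era file after config_version: 1 was added by hand
	c := config{"config_version": 1, "cors_permitted_origins": []string{"https://example.test"}}
	applied, err := enforceConfigVersion(c)
	fmt.Println(applied, err, c["cors_permitted_crossorigins"])
}
```

A file with no config_version, or version 0, is refused before any migration runs, which matches the note that those need the key added by hand; a file already at the current version passes through untouched.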

This version also includes a bunch of other features, most of which revolve
around adding more security to LeGo.

Added

  • Create config.yaml if one does not exist.
  • Add strict enforcement of config.yaml schema version.
  • Add auto update schema from 1 to 2. Older version 0 or unspecified
    version will need manual intervention (at a minimum config_version
    will need to be added).
  • Add HTTP Strict Transport Security (HSTS) header by default. Config has
    an option to disable the header (disable_hsts).
  • Add relatively strict Content-Security-Policy header, including nonces
    on scripts. Vite does not yet support nonces for style but I will add
    it later when it does.
  • Add headers to prevent MIME type sniffing and iframes.
  • Add frontend_show_debug_info config option to set frontend to show
    debug info and do some console.logging.
  • Add ability to clear the update notification from the left side
    navigation bar.
  • Add logout tooltip.
  • Add theme toggle tooltip.
  • Add data-preload on style, script, and link tags.
  • Add timeout context on Cloudflare API calls.
  • Include config.changelog.md in releases. This file details changes to
    config.yaml over time.

Changed

  • Move theme toggle to just an icon in bottom right corner in footer.
  • Rewrite frontend file handler on the Go backend. Needed to provide
    more consistent headers and nonce support.
  • Update to Go 1.21.3, Node 18.18.2, and Vite 4.5.0.
  • Update all other dependencies in frontend and backend.
  • Update acme.sh script to 3.0.7 (adds a couple more dns providers).
  • Update Cloudflare provider to utilize newest Cloudflare Go api.
  • Some minor code cleanup.
  • Rename cors_permitted_origins config option to
    cors_permitted_crossorigins.
  • Minor navbar restyling.
  • Change status/new version information and update frontend to properly
    show the changed information.
  • Redact certain sensitive information when the frontend is set to log
    debug info to the console.

Fixed

  • Fix accidentally allowing all cross-origins by default. If no origins
    are specified, CORS is disabled.
  • Explicitly set dockerbuild tool versions so binary releases and docker
    releases are built in the same way.

Removed

  • Removed dockerfile generation of empty config file. This is now handled
    by the backend when it runs for the first time.
  • Remove frontend Settings link to backend URL. Link just goes to a 404
    so there isn't really a point.
  • Remove Roboto font include and move it to external files.

LeGo CertHub v0.14.1 (Pre-release)

17 Oct 23:46

[v0.14.1] - 2023-10-17

There are two significant updates in this version. The first is the removal
of dev mode and the related disabling of features over http. This provides
more configuration flexibility (e.g. behind a reverse proxy) but does forgo
some security. Users are trusted to choose what is right for them.

The other major update is the addition of the ability to review orders
that are in progress or queued up to be worked. The new section "Order
Queue" shows both orders actively being worked by a worker and also
orders awaiting an available worker. The list of orders shown under edit
certificate also reflects whether a particular order is already in the
queue, and the "Retry" button is disabled if the order is already queued.
This feature should eliminate some of the "guessing" about what LeGo is
doing in the background without having to look through the logs.

Added

  • Add ability to view orders currently being worked on and queued to be
    worked on when a worker is available.

Changed

  • Update worker log messages to include worker number.
  • Return 404 for bad routes instead of 401.
  • Frontend dev mode replaced with show/log debug info. This is set by the
    backend if log level is debug.
  • Change some minor styling on frontend.
  • On frontend edit certificate, update order status to reflect information
    if the order is in the order worker queue.

Fixed

  • Fix border colors on input array of objects of text fields.

Removed

  • Remove dev mode.
  • Remove disabling of certain functions when server is running over http
    (instead of https).
  • Remove password complexity requirements.

LeGo CertHub v0.13.1 (Pre-release)

13 Oct 02:57

[v0.13.1] - 2023-10-12

This release adds the ability to add, edit, and delete providers via the
frontend GUI. It is now possible to set up LeGo without manually editing
the config file. You should still check the config example to see if you
need or want to set any of those options.

Added

  • Add ability to add, edit, and delete providers via the GUI and without
    having to restart LeGo.
  • Add example config to release packages and docker image. This should
    have been added last version.

Changed

  • If dns_checker can't properly configure dns servers, fallback to sleep
    for 2 minutes. This is to avoid app start failure in this instance and
    instead to use a reasonable alternative. An error is still logged.
  • Change deprecated substr func to substring func.
  • Set 'Revoke' button on certificate orders to be red.
  • Don't redact acme-dns provider info. It isn't sensitive enough to
    justify the additional complexity.
  • Always log some basic info when orders are placed and completed.
    Previously this was only showing at debug log level.

Fixed

  • Fix sometimes non-unique key on GUI display of provider config.
  • Fix handling of redacted info when it is POSTed.

Removed

N/A

LeGo CertHub v0.13.0 (Pre-release)

10 Oct 23:06

[v0.13.0] - 2023-10-10

Warning
Please read as there are breaking changes requiring manual intervention.

1: LeGo config MUST be updated using the new provider format which includes
specifying domains. See the example config file. A wildcard provider can also
be configured (single domain of *) and LeGo will use this provider if there
is no provider configured for a given domain. If you only use one provider,
you should add the wildcard domain and you're done.
I forgot to bundle the example in the release files and docker image. For now, here is the link:
https://github.com/gregtwallace/legocerthub-backend/blob/v0.13.0/config.example.yaml

2: Domain arg has been removed from dns manual scripts. Domain cannot be reliably
determined and as such it has been removed. This caused the position of the args
for these scripts to move and your scripts will need an update if you use this
method.

3: Removed redirects from old paths. When LeGo added the base path /legocerthub
old routes at base / were given redirects to prevent breakage. These redirects
are now removed and any clients using the old paths will need their scripts
updated.

This release does away with the need to select a challenge provider for each
certificate. It also has several tweaks and minor fixes.

The groundwork is also in place to add/edit/delete providers via the GUI. This
will be added in a future version.

Added

  • Add environment output on sample dns scripts.
  • Add backend functionality to modify providers while server is running via
    routes. Frontend modification not yet added.
  • Add ability to view providers in the frontend.

Changed

  • Update to logging of some debug info.
  • Separate default config from example config to make it more apparent what the
    default settings are.
  • Reduce API key length from 48 to 32. This is based on an entropy calculation
    and still provides adequate security.
  • Move ACME Servers to side bar in frontend navigation.
  • Update config version from 0 to 1 (see notes above).
  • Code clean up in several spots.
  • Clarified various log messages.
  • Clean up and streamline logic for form handling on frontend, including
    common input handler.

Fixed

  • Do a better job of redacting certain sensitive information in debug logs.
  • Fix api keys form unchanged calculation.
  • Add openssl to dockerbuild (needed for acme.sh).
  • Fix usage of access_token by frontend.
  • Fix manifest paths.

Removed

  • Remove need to select a challenge method. Instead, domains are configured
    and LeGo automatically selects the correct provider based on the domains
    in the certificate.
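An added example of the domain-to-provider matching this release introduces (illustrative Go written for this page, not LeGo's implementation): each configured domain maps to exactly one provider, a provider whose domain list contains * is the fallback for any domain nobody else claims, and every identifier on a certificate is resolved before any challenge starts, so a missing provider fails the order up front instead of mid-way. The provider names and domains are constructed sample data; matching a wildcard identifier such as *.example.com on its base domain and rejecting duplicate domain claims are my assumptions, and no suffix matching is done (a provider configured for example.com does not claim api.example.com).

```go
package main

import (
	"fmt"
	"strings"
)

// provider is a minimal stand-in for a configured challenge provider: a
// name plus the domains it is responsible for. The domain "*" marks the
// wildcard provider used when no other provider claims a domain.
type provider struct {
	Name    string
	Domains []string
}

// providerIndex maps each configured domain to its provider and remembers
// the wildcard provider, if any.
type providerIndex struct {
	byDomain map[string]*provider
	wildcard *provider
}

// normalize lower-cases and trims a trailing dot so "Example.COM." and
// "example.com" compare equal.
func normalize(d string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(d)), ".")
}

// buildIndex validates the provider config: a domain may belong to only
// one provider, and at most one provider may claim "*".
func buildIndex(ps []*provider) (*providerIndex, error) {
	idx := &providerIndex{byDomain: map[string]*provider{}}
	for _, p := range ps {
		for _, raw := range p.Domains {
			d := normalize(raw)
			if d == "*" {
				if idx.wildcard != nil {
					return nil, fmt.Errorf("providers %q and %q both claim the wildcard domain", idx.wildcard.Name, p.Name)
				}
				idx.wildcard = p
				continue
			}
			if prev, dup := idx.byDomain[d]; dup {
				return nil, fmt.Errorf("domain %q configured on both %q and %q", d, prev.Name, p.Name)
			}
			idx.byDomain[d] = p
		}
	}
	return idx, nil
}

// providerFor picks the provider for one certificate identifier. A wildcard
// identifier is matched on its base domain (assumption: the DNS challenge
// record for *.example.com lives under example.com).
func (idx *providerIndex) providerFor(identifier string) (*provider, error) {
	d := strings.TrimPrefix(normalize(identifier), "*.")
	if p, ok := idx.byDomain[d]; ok {
		return p, nil
	}
	if idx.wildcard != nil {
		return idx.wildcard, nil
	}
	return nil, fmt.Errorf("no provider configured for %q and no wildcard provider", identifier)
}

// providersForCert resolves every identifier on a certificate, so one order
// may span several providers; any unresolved identifier fails the whole
// lookup before a single challenge is attempted.
func (idx *providerIndex) providersForCert(identifiers []string) (map[string]string, error) {
	out := make(map[string]string, len(identifiers))
	for _, id := range identifiers {
		p, err := idx.providerFor(id)
		if err != nil {
			return nil, err
		}
		out[id] = p.Name
	}
	return out, nil
}

// sampleProviders is constructed config data for the demo.
func sampleProviders() []*provider {
	return []*provider{
		{Name: "cloudflare", Domains: []string{"example.com", "example.net"}},
		{Name: "acme-dns", Domains: []string{"internal.example.org"}},
		{Name: "manual-script", Domains: []string{"*"}},
	}
}

func main() {
	idx, err := buildIndex(sampleProviders())
	if err != nil {
		panic(err)
	}
	got, err := idx.providersForCert([]string{"example.com", "*.example.com", "internal.example.org", "other.test"})
	fmt.Println(got, err)
}
```

The validation in buildIndex is the part worth keeping whatever your matching rules are: two providers silently claiming the same domain is exactly the kind of config error that only shows up as a failed order later.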

LeGo CertHub v0.12.6 (Pre-release)

20 Aug 15:48

[v0.12.6] - 2023-08-20

Releasing solely to fix importing of private keys via the frontend UI.
There are other minor changes but they are so minor they probably aren't
relevant to users.

Added

N/A

Changed

  • Generic-ify SafeMap (minor code clean improvements).
  • Minor update to handling of empty acme time in Order object NotBefore
    and NotAfter fields.
  • Verify session is still valid before refreshing a session. This was
    already being done, but made it more explicit.

Fixed

  • Fix private key import via frontend UI.

Removed

N/A

LeGo CertHub v0.12.5 (Pre-release)

11 Aug 23:58

[v0.12.5] - 2023-08-11

This release adds shutdown and restart functions. Otherwise, it mainly
fixes some minor bugs and optimizes some code.

Config Note: 'private_key_name' is no longer a config field. The key
is now derived from 'certificate_name'.

Added

  • Add shutdown and restart routes with buttons in frontend to trigger
    those routes.

Changed

  • Update some route names.
  • Update LeGo https certificate reload logic to no longer require a
    goroutine. LeGo cert will update as soon as it renews.
  • Optimize view log handler for better memory footprint.
  • Update output package to remove unneeded vars.

Fixed

  • Fix broken log download handler and optimize related code.
  • Modify logger so it is gracefully closed on exit, though it is not
    perfect due to lumberjack bug:
    natefinch/lumberjack#56
  • Fix log view handler failing to close file.

Removed

  • Remove LeGo config option for private key. Private key is now derived
    from the certificate name.

LeGo CertHub v0.12.4 (Pre-release)

09 Aug 01:05

[v0.12.4] - 2023-08-08

This release resolves a significant issue with the challenge solver
failing in certain cases involving wildcard certificates or multiple
ACME providers.

Added

  • Add an error if user tries to enable acme.sh on a Windows server.
  • Add better notes in default config regarding acme.sh options.
  • Add shutdown handler for client to trigger LeGo shutdown.
  • Make WorkTracker data type for reuse.

Changed

  • Move pprof to its own http server and port.
  • Significant overhaul of custom http client to make it more sane.
  • Rework how challenge resource provisioning is tracked. Instead of in
    each method, centralize in Challenges package.
  • Some minor code tidy up.

Fixed

  • Fix when multiple workers are trying to solve Challenges that use
    the same resource name. This could cause Orders to fail under certain
    conditions. Instead, queue the resources and solve the Challenges
    one at a time.
  • Make Cloudflare use the app's http Client with the proper settings.

Removed

N/A
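An added example of the per-resource queueing the Fixed entry above describes (example code written for this page, not the project's Challenges package or its WorkTracker type): a queue keyed by resource name lets workers provision different challenge records in parallel but serializes any workers that need the same record, the case being a base domain and its wildcard that share one _acme-challenge name. The worker loop, the constructed challenge list and the sleep standing in for create/verify/delete are all part of the demo, not the project.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// resourceQueue serializes work keyed by a resource name (for DNS-01 the
// _acme-challenge record a provider must create) while letting work on
// different names proceed in parallel.
type resourceQueue struct {
	mu    sync.Mutex
	locks map[string]*sync.Mutex
	refs  map[string]int // workers holding or waiting on each name
}

func newResourceQueue() *resourceQueue {
	return &resourceQueue{locks: map[string]*sync.Mutex{}, refs: map[string]int{}}
}

// acquire blocks until the caller owns the named resource.
func (q *resourceQueue) acquire(name string) {
	q.mu.Lock()
	l, ok := q.locks[name]
	if !ok {
		l = &sync.Mutex{}
		q.locks[name] = l
	}
	q.refs[name]++
	q.mu.Unlock()
	l.Lock()
}

// release frees the resource and drops the entry once nobody is waiting on
// it, so the map does not grow with every name ever seen.
func (q *resourceQueue) release(name string) {
	q.mu.Lock()
	l := q.locks[name]
	q.refs[name]--
	if q.refs[name] == 0 {
		delete(q.locks, name)
		delete(q.refs, name)
	}
	q.mu.Unlock()
	l.Unlock()
}

// withResource runs fn while holding the resource.
func (q *resourceQueue) withResource(name string, fn func()) {
	q.acquire(name)
	defer q.release(name)
	fn()
}

// pending reports how many resource names currently have a lock entry.
func (q *resourceQueue) pending() int {
	q.mu.Lock()
	defer q.mu.Unlock()
	return len(q.locks)
}

// solveAll simulates several order workers racing to provision challenges.
// It returns the maximum number of workers observed inside the critical
// section for any single resource name; a correct queue never exceeds 1.
func solveAll(q *resourceQueue, challenges []string, workers int) int {
	var stateMu sync.Mutex
	inFlight := map[string]int{}
	maxSeen := 0
	jobs := make(chan string)
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for name := range jobs {
				q.withResource(name, func() {
					stateMu.Lock()
					inFlight[name]++
					if inFlight[name] > maxSeen {
						maxSeen = inFlight[name]
					}
					stateMu.Unlock()
					time.Sleep(2 * time.Millisecond) // stand-in for create record, wait, delete
					stateMu.Lock()
					inFlight[name]--
					stateMu.Unlock()
				})
			}
		}()
	}
	for _, c := range challenges {
		jobs <- c
	}
	close(jobs)
	wg.Wait()
	return maxSeen
}

func main() {
	q := newResourceQueue()
	// constructed challenge list: each name appears many times, as it would
	// when a base domain and its wildcard are ordered together
	var names []string
	for i := 0; i < 8; i++ {
		names = append(names, "_acme-challenge.example.com", "_acme-challenge.example.net")
	}
	fmt.Println("max workers inside one resource:", solveAll(q, names, 4))
}
```

Without the queue, two workers could create and then delete the same record under each other, and the ACME server's validation would see whichever value happened to be present; serializing on the record name, rather than on the whole solver, keeps unrelated orders moving.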