New features

• New command line argument --register which can be used to set up a new ACME account in unattended mode without the need to immediately create a certificate. Based on feedback from @ArthurHNL (#2391).
• A new setting Order.DefaultValidDays can now be used to request certificates that are valid for a shorter time than the default offered by the server. Note that this is not supported by Let's Encrypt at this point, but it should work for Sectigo among others. Requested by @timothyd09 (#2394)
• Customize the CSR signature algorithm using the settings Csr.Rsa.SignatureAlgorithm and Csr.Ec.SignatureAlgorithm. The defaults remain unchanged at SHA512withRSA and SHA512withEHDSA respectivky. As requested by @julieolson-gs (#2385).

Enhancements

• The DNS resolver has been refactored to fall back to the default servers whenever authoritative servers cannot be found or contacted. This makes the algorithm more robust in firewalled, misconfigured or other exceptional network environments. On a related note, for new installations, we now also default to the local system DNS instead of trusted external ones like Google (8.8.8.8), which will also prevent users in secured environments from running into issues (based on feedback by @jamesarbrown #2389).
• Azure DNS validation now requires fewer permissions. Specifically it should not be neccessary to give the application read access to the Resource Group anymore. Based on feedback and testing be @sveng-r (#2372).
• When the program fails to send an email notification, the SMTP messages will be shown to allow for easier troubleshooting. Suggested by @Zennate (#2388).
• GoDaddy DNS validation makes it mandatory to provide an API secret. Legacy authentication using only an API key appears to have been deprecated by this provider. Noticed by @rafalsk in #2376.
• Amazon/AWS Route53 DNS validation prompts and messaging is now more clear about expecting an IAM name instead of an ARN, preventing users like @TheSkorm from getting headaches while trying to guess at this (#2378).
• RFC2136 DNS validation has learned to lookup server host names, so that it's no longer required to configure an IP address (#2364, thanks for testing @JensSpanier).
• RFC2136 DNS validation will now try to update/create records in different zones. E.g. if the record _acme-challenge.www.example.com cannot be created in the zone example.com (e.g. because it doesn't exist), it will also try to created it in the zone www.example.com (based on feedback by @jamesarbrown #2389).
• Update various third party dependencies and remove some superfluous ones.

Bug fixes

• The "More options" menu can be used to do inital account setup again, a feature that got lost in v2.2.3 (#2367, reported by @amuen2b).
• Setting ScheduledTask.RenewalMinimumValidDays didn't have the desired effect anymore since v2.3.3 (#2371, reported by @marconfus).
• In some rare cases the error message The added or subtracted value results in an un-representable DateTime could appear when loading renewals after an upgrade, reported by @akuropa.
• The private key would not be including in generated certificate if/when an ACME server decides to preface the PEM data with a comment, as was the case for @Moechen in #2342.
• The program would fail to parse certificates when Windows is configured to use the Thai locale. Thanks to @baxing for reporting this (#2370).
• RFC2136 DNS validation would not clean up records after validation (#2364, thanks for testing @JensSpanier).
• The program would did not import intermediate certificates since v2.1.18, thanks for the PR and bug report @AlexanderS.

Sponsors

This release was funded by

One gold sponsor:

• eGov Strategies

Two silver sponsors:

• Insurance Technology Services
• Enzure

And four bronze sponsors:

• e-shop LTD
• The Proof Group @proofgroup
• imagenia.fr
• Certify the web

Support

If you want professional support for win-acme, your company up here in the release notes, or just want to buy me (@WouterTinus) a beer for maintaining this tool, please sponsor using GitHub Sponsors, Patreon or PayPal.