[Certbot-dev] Certbot 2.6.0 Release

Erica Portnoy erica at eff.org
Tue May 9 14:04:08 PDT 2023


Certbot 2.6.0 has just been released. The changelog for the release is:

### Added

* `--dns-google-project` optionally allows for specifying the project that the DNS zone(s) reside in,
  which allows for Certbot usage in scenarios where the auth credentials reside in a different
  project to the zone(s) that are being managed.
* There is now a new `Other` annotated challenge object to allow plugins to support entirely novel challenges.

### Changed

* Optionally sign the SOA query for dns-rfc2136, to help resolve problems with split-view
  DNS setups and hidden primary setups.
  * Certbot versions prior to v1.32.0 did not sign queries with the specified TSIG key,
    resulting in difficulty with split-horizon implementations.
  * Certbot v1.32.0 through v2.5.0 signed queries by default, potentially causing
    incompatibility with hidden primary setups with `allow-update-forwarding` enabled
    if the secondary did not also have the TSIG key within its config.
  * Certbot v2.6.0 and later no longer signs queries by default, but allows
    the user to optionally sign these queries by explicit configuration using the
    `dns_rfc2136_sign_query` option in the credentials .ini file.
* Lineage name validity is checked for new lineages. `--cert-name` may no longer contain
  filepath separators (i.e. `/` or `\`, depending on the platform).
* `certbot-dns-google` now loads credentials using the standard [Application Default
  Credentials](https://cloud.google.com/docs/authentication/application-default-credentials) strategy,
  rather than explicitly requiring the Google Compute metadata server to be present if a service account
  is not provided using `--dns-google-credentials`.
* `--dns-google-credentials` now supports additional types of file-based credential, such as
  [External Account Credentials](https://google.aip.dev/auth/4117) created by Workload Identity
  Federation. All file-based credentials implemented by the Google Auth library are supported.

### Fixed

* `certbot-dns-google` no longer requires the deprecated `oauth2client` library.
* Certbot will no longer try to invoke plugins which do not subclass from the proper
  `certbot.interfaces.{Installer,Authenticator}` interface (e.g. `certbot -i standalone`
  will now be ignored). See [GH-9664](https://github.com/certbot/certbot/issues/9664).

More details about these changes can be found on our GitHub repo.
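
The dns-rfc2136 signing behaviour described under "Changed", written out as a pre-upgrade check. This is an added example, not code from Certbot or from this announcement. The function names, the constructed sample credentials, and the rule that a case-insensitive `true` enables `dns_rfc2136_sign_query` are assumptions.

```python
import configparser

# Version boundaries as stated in the 2.6.0 changelog.
SIGNED_BY_DEFAULT_FROM = (1, 32, 0)   # v1.32.0 through v2.5.0 sign by default
OPT_IN_FROM = (2, 6, 0)               # v2.6.0 and later sign only when configured

# Constructed sample credentials file; the secret is a placeholder, not a real key.
SAMPLE_INI = """\
dns_rfc2136_server = 192.0.2.1
dns_rfc2136_name = keyname.
dns_rfc2136_secret = CONSTRUCTED-PLACEHOLDER-NOT-A-KEY==
dns_rfc2136_algorithm = HMAC-SHA512
"""

def parse_version(text):
    """Turn 'v2.5.0' or '2.6' into a 3-tuple of ints (release versions only)."""
    parts = [int(p) for p in text.lstrip("v").split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def load_credentials(ini_text):
    """Parse the sectionless credentials file into a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[credentials]\n" + ini_text)  # dummy section header
    return dict(parser["credentials"])

def soa_query_signed(version, ini_text):
    """Return True if this Certbot version would TSIG-sign the SOA query."""
    v = parse_version(version)
    if v < SIGNED_BY_DEFAULT_FROM:
        return False          # never signed, whatever the file says
    if v < OPT_IN_FROM:
        return True           # always signed, whatever the file says
    # Assumption: a case-insensitive "true" enables the option.
    value = load_credentials(ini_text).get("dns_rfc2136_sign_query", "")
    return value.strip().lower() == "true"

def upgrade_changes_signing(old, new, ini_text):
    """Flag an upgrade that silently changes whether SOA queries are signed."""
    return soa_query_signed(old, ini_text) != soa_query_signed(new, ini_text)

if __name__ == "__main__":
    opted_in = SAMPLE_INI + "dns_rfc2136_sign_query = true\n"
    for old, new, ini in [("1.31.0", "2.6.0", SAMPLE_INI),
                          ("2.5.0", "2.6.0", SAMPLE_INI),
                          ("2.5.0", "2.6.0", opted_in)]:
        print(old, "->", new, "signing changes:",
              upgrade_changes_signing(old, new, ini))
```

A split-horizon setup that relied on the v1.32.0 through v2.5.0 default shows up here as a change on upgrade unless the option is set in the credentials file.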