v4.20.0

• New DNS plugin PowerDNS
• Fixed duplicate identifiers in the Domain parameter causing errors with some ACME servers. Identifiers will now be deduplicated prior to being saved and sent to the ACME server. (#517)
• Added WSHDelayAfterStart param to the WebSelfHost plugin which adds a configurable delay between when the challenge listener starts up and when it asks the ACME server to validate the challenges. (#518)
• Orders where the MainDomain is longer than 64 characters will not include a CN value in the Subject field of the certificate request sent to the ACME server. CNs longer than 64 characters were already being rejected by some CAs like Let's Encrypt because the x509 spec doesn't allow for it. More Info

v4.19.0

• New DNS plugins
  • HurricaneElectricDyn This is an alternative to the existing HurricaneElectric plugin that uses the DynDNS API instead of web scraping. (Thanks @jbrunink)
  • ZoneEdit (#495)
• The CSRPath parameter in New-PAOrder and New-PACertificate will now accept the raw string contents of a CSR file instead of just the path to a file. (#503)
• The Simply plugin has been renamed to SimplyCom at the request of the provider. The new version is exactly the same. The old version will remain until the next major release. Users should update their renewal configs to use the new version to prevent future breakage. Set-PAOrder -Plugin SimplyCom
• Added a workaround to a temporary problem with the Simply.com API in case the issue pops up again. (#502)
• The Route53 plugin now uses IMDSv2 when using the IAM Role support. (#509)

v4.18.0

• The POSHACME_HOME environment variable now supports Windows-style (surrounded by %) environment variable expansion. (#497)
  • So you can set the value to %ProgramData%\Posh-ACME instead of needing to set it explicitly to C:\ProgramData\Posh-ACME for example.
  • NOTE: This requires Windows-style environment variable strings even on non-Windows OSes.
• The Azure plugin no longer tries to re-use cached authentication tokens when using the AZAccessToken parameter set. (#498)
• Fixed a bug with the Azure plugin that broke authentication when submitting multiple orders with different credentials from different tenants. (#498)
• Fixed a problem using Posh-ACME within AWS Lambda due to non-standard dotnet runtime assembly configs. (#418) (Thanks @garthmccormack)
  • This fix involved changing the RevocationReasons enum from a .NET type to a PowerShell native enum.
  • The change constitutes a minor breaking change which makes the enum no longer accessible from outside the module's context, but tab completion and string converted values for the Revoke-PACertificate -Reason parameter work exactly the same as before.

v4.17.1

• Fixed Hetzner plugin for accounts with 100+ zones. (#481) (Thanks @Deutschi)
• Fixed RFC2136 plugin ignoring the DDNSNameserver parameter when set. (#485) (Thanks @gvengel)

v4.17.0

• New DNS plugins
  • Google Domains This should be considered experimental while the Google Domains ACME API is still in testing. (Thanks @webprofusion-chrisc)
  • IONOS (Thanks @RLcyberTech)
  • SSHProxy sends update requests via SSH to another server which is able to do dynamic updates against your chosen DNS provider. (Thanks @bretgiddings)
• The DDNSNameserver parameter is no longer mandatory in the RFC2136 plugin which will make nsupdate try to use whatever primary nameserver is returned from an SOA query.
• Added Basic authentication support to the AcmeDns plugin which should allow it to be used against endpoints that enforce that such as Certify DNS.
• Added support for plugin parameters that are arrays of SecureString or PSCredential objects.
• Fixed PAServer switches getting reset on Set-PAServer with no params (#475)

v4.16.0

• New DNS plugins
  • Active24 (Thanks @pastelka)
  • Bunny.net (Thanks @webprofusion-chrisc)
• Added -Subject parameter to New-PACertificate, New-PAOrder, and Set-PAOrder which will override the default x509 Subject field in the certificate request sent to the ACME CA. This can be useful for private CAs that allow for additional attributes in the Subject that public CAs don't.
• Fix for undocumented NameSilo API change. (Thanks @rkone)
• Fix for All-Inkl plugin that makes the plaintext KasPwd parameter actually send plaintext since All-Inkl has deprecated the SHA1 option.

v4.15.1

• Reverted the embedded BouncyCastle library back to 1.8.8 due to version conflicts with Az.KeyVault in PowerShell 6+. This is temporary while a suitable workaround for version conflicts in other modules is explored.
• Fixed Domeneshop plugin when publishing apex TXT records and added more API output to debug messages.

v4.15.0

• PAOrder objects now have a flag to optionally use modern encryption options on generated PFX files. This will prevent the need to use "legacy" mode when reading the files with OpenSSL 3.x. However, it breaks compatibility with OpenSSL 1.0.x and earlier.
  • You can use the -UseModernPfxEncryption flag with New-PACertificate, New-PAOrder, and Set-PAOrder. When used with Set-PAOrder, existing PFX files will be re-written based on the flag's new value.
  • Use Set-PAOrder -UseModernPfxEncryption:$false to switch back to the default setting.
  • The default for new orders will likely remain off until Posh-ACME 5.x is released.
• Added new DNS plugin PortsManagement (Thanks @wemmer)
• The GCloud plugin has a new optional parameter, GCProjectId that takes one or more string values. This is only required if the DNS zones to modify don't reside in the same project as the service account referenced by GCKeyFile or they reside in multiple projects. When used, be sure to include all project IDs including the one referenced by GCKeyFile.
• Added Google's new free ACME CA to the CA comparison doc
• Upgraded the embedded BouncyCastle library to 1.9.0
• Fixed UKFast plugin to support paging for accounts with many domains (Thanks @0x4c6565)
• Fixed PFX friendly name generation when not provided in the order.

v4.14.0

• Added new DNS plugin Porkbun (Thanks @CaiB)
• Added server shortcuts for Google's new ACME CA, GOOGLE_PROD and GOOGLE_STAGE.
• Added server shortcuts for SSL.com, SSLCOM_RSA and SSLCOM_ECC.
• Added UseAltAccountRefresh switch to Set-PAServer to workaround CAs that don't yet support direct account refreshes such as Google, SSL.com, and DigiCert. (#372) (#394)
  • New configs should have this set by default for CAs known to need it. But you will need to explicitly set it on any existing configs for these CAs.
• Added LifetimeDays param on New-PACertificate, New-PAOrder, and Set-PAOrder to enable user requested cert lifetimes for ACME CAs that support the feature.
  • Google's CA is the only free ACME CA known to currently support this and the order lifetime cannot be changed once it is created. Setting a new value on an existing order will only change the lifetime on subsequent renewals.
• Updated Azure plugin to use the latest stable API version.
• Updated Azure guide to account for breaking changes in the Az module.
• Fixed GoDaddy plugin when using it with delegated sub-zones. (#430)
• Fixed New-PAAccount when importing an existing key on CAs that require external account binding.
• Reduced the number of account refreshes that happen as part of normal operations.

v4.13.1

• Fixed Loopia plugin after an upstream API change broke it. (Thanks @AlexanderRydberg)