Releases: rmbolger/Posh-ACME

v3.18.1

12 Nov 18:42
c921688
  • Upgraded BouncyCastle to 1.8.8.2 for version parity with Az.KeyVault to prevent module load errors in PowerShell 6+
  • Fixed DuckDNS plugin file locations in .NET 4.6 fork.

v3.18.0

08 Nov 00:32
5b47f97
  • Added new DNS plugin DuckDNS. Note that due to provider limitations, this plugin can only normally be used for certs with a single name unless you work around the limitation with custom scripting. See the usage guide for details.
  • Fixed an example in Export-PAAccountKey help.
  • Added code to detect 4.x configs and gracefully revert in case folks need to downgrade after upgrading to 4.x when it comes out.

v3.17.0

09 Oct 19:24
56809d7
  • NOTE: Let's Encrypt is now restricting RSA private key sizes to 2048, 3072, and 4096 for certificates. But Posh-ACME will continue to allow custom key sizes which may still work with other certificate authorities.
  • New-PAAccount and Set-PAAccount -KeyRollover now have a -KeyFile parameter that can be used to import an existing private key instead of generating a new one from scratch.
  • Added Export-PAAccountKey which can be used to export your ACME account private key as a standard Base64 encoded PEM file.
    • For Boulder-based CAs, this can be used to recover lost ACME account configurations if you run New-PAAccount with the -KeyFile parameter and specify the exported key.
  • Updated Zonomi plugin to support alternative providers who use a compatible API. (#282)
  • Fixed a bug in OVH plugin that would prevent TXT record deletion in some cases. (#283)
  • Fixed a bug in many plugins that would prevent TXT record editing when the record name was also the zone root (#280) (Thanks @ShaBangBinBash)
  • Fixed tutorial syntax error (#277) (Thanks @Leon99)
  • Fixed errors in Get-PAAuthorizations when returned object has no 'expires' property. (#276) (Thanks @mortenmw)
  • Changed bad nonce retry message from Debug to Verbose so people using PowerShell's transcript features will see it more easily.
  • A generic platform value has been added to the user agent string the module sends with its ACME requests.
  • Tests have been updated for use with Pester v5. Running them in a dedicated PowerShell process is recommended.

v3.16.0

31 Aug 18:08
f8511d8
  • Added new DNS plugin NameSilo (Thanks @rkone)
  • Added Preferred Chain support
    • There is a new -PreferredChain parameter on New-PACertificate, New-PAOrder, and Set-PAOrder.
    • For new or existing orders, you may select an alternate CA chain based on the Issuing CA subject name if alternate chains are offered by the CA.
    • Example: -PreferredChain 'ISRG Root X1'
  • Fixed a bug with Submit-Renewal that wasn't properly using -PluginArgs and -NoSkipManualDns parameters when -AllOrders or -AllAccounts switches were also used (#266 #275). (Thanks @f-bader)
  • deSEC plugin has added retry logic to address API throttling issues for certs with many names (#275).
  • Fixed a bug with Azure plugin when using AZCertPfx authentication from Windows.

v3.15.1

08 Jul 16:20
f7c123e
  • Fixed Route53 trying to load AWSPowerShell module when not installed (#263)

v3.15.0

22 Jun 23:53
cc80b41
  • Added new DNS plugin DomainOffensive (Thanks @Armitxes)
  • New-PAAccount now has ExtAcctKID, ExtAcctHMACKey, and ExtAcctAlgorithm parameters to support Certificate Authorities that require external account binding. Look for a guide in the wiki soon.
  • Added support for the new AWS.Tools modules when using Route53.
  • Added support for more restricted API permissions when using OVH. It's now possible to only grant write access to a specific list of zones or even individual TXT records. See the usage guide for details.
  • Added pre-registration support for AcmeDns. See the usage guide for details.
  • Fixed a bug with GoDaddy that prevented managing DNS-only hosted domains.

v3.14.0

07 May 17:11
5ecc33f
  • Added new DNS plugin Hetzner (Thanks @derguterat)
  • Fix for Google DNS plugin to ignore private zones. (Thanks @timwsuqld)
  • Fix for Azure usage guide for using existing access token. (Thanks @arestarh)
  • Fix for RFC2136 plugin which makes it usable for records other than the root domain.

v3.13.0

11 Apr 17:27
13b260d
  • Added new DNS plugins
  • When creating a new order, chain.cer and fullchain.cer are now backed up along with the other files.
  • Added a workaround for non-compliant ACME server Nexus CM (#227)
  • Various usage guide corrections. (Thanks @webprofusion-chrisc)
  • Fixed a bug where New-PACertificate required the -Force parameter if the previous order was deactivated.
  • Fixed the dev install script to account for a redirected Documents folder.
  • Minor changes to how Gandi plugin works to address potential edge case bugs.

v3.12.0

10 Dec 23:28
1bb2b48
  • Set-PAOrder now has -DnsPlugin and -PluginArgs parameters to allow changing plugins and associated credentials prior to a renewal operation.
  • Upgraded BouncyCastle library to version 1.8.5.2 and renamed the DLL to avoid conflicts with older copies that may get installed into the .NET GAC by other software.
  • ACME server errors returned during calls to Revoke-PAAuthorization are now non-terminating errors rather than warnings.
  • Fixed bug where new orders created with New-PACertificate and no explicit plugin wouldn't get the Manual default if the account was already authorized for the included names.
  • Fixed Get-PAAuthorizations when using explicit account reference
  • Fixed datetime parsing issues on non-US culture environments (#208)
  • Fixed errors thrown by Submit-Renewal when run against an order with a null DnsPlugin. A warning is now thrown instead.
  • Fixed parameter binding error when using -PluginArgs with Submit-Renewal
  • Fixed HurricaneElectric guide's parameter references
  • Fixed Azure tests

v3.11.0

12 Nov 18:02
1fca9d2
  • Added Revoke-PAAuthorization which enables revocation of identifier authorizations associated with an account.
  • Get-PAAuthorizations now has an optional -Account parameter and better error handling.
  • Get-PAAuthorization has been added as an alias for Get-PAAuthorizations to better comply with PowerShell naming standards. It will likely be formally renamed in version 4.x and the old name should be considered deprecated. This change should allow dependent scripts to prepare for that change in advance.
  • Install-PACertificate now supports parameters to select the store name, location, and the exportable flag.
  • Workaround for Boulder issue that doesn't return JSON error bodies for old endpoints.
  • Fixed bug creating new orders with a changed KeyLength value that was preventing the required new private key from being created.