1.19.0 (2021-10-09)

Warning

docker-compose users: See the update notes or you might lose private keys!

  • Implement DNS-01 validation for ACMEv2. Note that ACMEv2 support is still experimental and disabled by default.

  • Support rendering distinguished names with any NameOID known to cryptography.

  • Support creating certificates with a subject containing a dnQualifier, PC, DC, title, uid and serialNumber.

  • Only fetch the expected number of bytes when validating ACME challenges via HTTP to prevent DoS attacks.

  • Ensure that a certificate's issuer always matches the subject from the CA that signed it.

  • Fix manage.py regenerate_ocsp_key with celery enabled.

  • Fix parsing of ASN.1 OtherNames from the command line. Previously, UTF8 strings were not DER encoded.

  • Fix ACMEv2 paths in NGINX configuration included in Docker images.

  • Include a healthcheck script for uWSGI in the Docker image. Because the image is also shared for the Celery worker, it is not enabled by default, but the docker-compose configuration enables it.

  • Add support for creating certificates with Boolean, Null, Integer, UniversalString, IA5String, GeneralizedTime and UTCTime values in the format described in ASN1_GENERATE_NCONF(3SSL).

  • Preliminary support for OpenSSH CAs via EdDSA keys.

  • The Docker image is now based on python:3.10-alpine3.14.

  • Add support for Python 3.10.

  • Add support for cryptography 35.0.0.

  • Add support for idna 3.0, 3.1 and 3.2.
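
The bounded read behind the HTTP challenge item above, sketched as an added Python example; it is not django-ca's own code. The function names, the `EndlessBody` stand-in, the sample value and the two-byte whitespace allowance are assumptions made for illustration. `stream` can be any object with `read(n)`, such as the response returned by `urllib.request.urlopen`.

```python
import io

# Assumption: tolerate a trailing "\r\n" after the expected challenge body.
TRAILING_SLACK = 2
# Constructed sample value in "<token>.<thumbprint>" shape; not a real challenge.
SAMPLE_KEY_AUTH = b"constructed-token.constructed-thumbprint"

class EndlessBody(io.RawIOBase):
    """Constructed stand-in for a server that never stops sending data."""

    def __init__(self):
        super().__init__()
        self.served = 0  # bytes handed out, to show how little is consumed

    def readable(self):
        return True

    def readinto(self, buf):
        buf[:] = b"A" * len(buf)
        self.served += len(buf)
        return len(buf)

def read_at_most(stream, limit):
    """Read up to `limit` bytes; loops because read(n) may return fewer."""
    chunks, remaining = [], limit
    while remaining > 0:
        chunk = stream.read(remaining)
        if not chunk:  # EOF
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)

def challenge_matches(stream, expected):
    """True only if the body is `expected`, optionally plus trailing whitespace."""
    allowed = len(expected) + TRAILING_SLACK
    # One byte beyond the allowance is enough to detect an over-long body
    # without buffering it.
    body = read_at_most(stream, allowed + 1)
    if len(body) > allowed:
        return False
    return body.rstrip(b" \t\r\n") == expected

if __name__ == "__main__":
    hostile = EndlessBody()
    print(challenge_matches(io.BytesIO(SAMPLE_KEY_AUTH + b"\n"), SAMPLE_KEY_AUTH))
    print(challenge_matches(hostile, SAMPLE_KEY_AUTH), hostile.served)
```

Memory use and read time are bounded by the length of the value the validator already knows, regardless of what the remote server sends.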

Backwards incompatible changes

  • Drop support for cryptography 3.0, 3.1 and 3.2.

  • Remove support for configuring absolute paths for manually configured django_ca.views.OCSPView. This functionality was officially supposed to be removed in django-ca 1.14.0.

Minor non-functional changes

  • The whole source code is now type hinted.

  • Consistently use f-strings for faster string formatting.

  • Documentation is now always generated in nitpicky mode and with warnings turned into errors.

  • Remove the now redundant html-check target for documentation generation.

Deprecation notices

  • This is the last release to support Python 3.6.

  • This is the last release to support Django 3.1.

  • This is the last release to support idna<=3.1.

  • The issuer_name field in a profile is deprecated and no longer has any effect. The parameter will be removed in django-ca 1.22.