v4.0.0
- acme4j now requires Java 17 or higher
- A new `HttpClient` instance was created for every request. Now it is bound to the `Session`, reducing resource consumption on heavy workloads. (Thanks to @vincentdo for the PR.)
- A `Session` instance can now be shared between multiple threads, still keeping track of the correct nonce. (Thanks to @nsheridan for the pointer.)
- draft-ietf-acme-ari is RFC 9773 now
- Updated draft-aaron-acme-profiles-01
- Added support for draft-ietf-acme-dns-account-label (experimental)
- Added Actalis provider
- Removed Buypass provider (they stopped supporting the ACME protocol)
- Increased the default network timeout to 30 seconds, as a few CAs require more response time
- Use the `pebbleHost` and `pebblePort` system properties to change the default Pebble host and port
- Updated Pebble TLS certificate
- Removed deprecated methods
The major version bump was mainly caused by the change to Java 17. If you use the dns-01 challenge, you might need to invoke a different method in one place, but besides that, there is probably not much to do on your side. For further information, please read the migration guide.
v3.5.0
- Added providers for Google CA and Buypass. See the documentation for their `acme:` connection URIs and further notes.
- Added support for draft-aaron-acme-profiles-00 (thanks to @jmcrawford45 for providing a patch)
- `Order.getCertificate()` now also returns a STAR certificate, so there is no need to use different `get` methods depending on whether it is a standard or STAR certificate. `Order.getAutoRenewalCertificate()` is marked as deprecated, but is still working as before.
- `OrderBuilder` will now check if auto-renewal `GET` is supported by the CA before ordering such a certificate.
- Update to draft-ietf-acme-ari-07. No changes to the code are required.
For further information, please see the migration guide.
v3.4.0
Until now, order finalization (`order.execute()`) was started immediately after the domain authorization process was completed. This works fine for most CAs, but might fail for some CAs that take a while for the order to become READY for finalization. For this reason, I recommend generally waiting for the order status to become READY before invoking `order.execute()`. If you wait for state changes synchronously, you can use the new `order.waitUntilReady()` method for that. The example has been updated accordingly.
Waiting for status changes was expected to be implemented by you. There was a `waitForCompletion()` method in the example client that showed how to wait synchronously. With acme4j v3.4.0, there are now new methods `waitForCompletion()` and `waitUntilReady()` that do the heavy lifting for you. You can replace your own waiting code with these new methods if you like. The new methods wait synchronously, blocking the current thread for several seconds or even minutes. If you have implemented an asynchronous wait, you should prefer to use your own code.
For further information, please see the migration guide and the example client.
- Added `waitForCompletion()` and `waitUntilReady()` methods, which will synchronously wait for a status change. They replace the `waitForCompletion()` boilerplate method in the example implementation, and will make simple acme4j implementations simpler and less bug-prone.
- Deprecate `update()` and `AcmeRetryAfterException`. Use `fetch()` instead.
- Update to draft-ietf-acme-ari-04. No changes to the code are required.
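The finalization sequence recommended for v3.4.0, as an added sketch that is not taken from the acme4j example client. It needs acme4j 3.4.0 or later on the classpath and assumes the authorizations are already complete, that both wait methods take a `Duration` timeout and return the reached `Status`, and that the key pair overload of `execute()` is used; the class name, method name and timeout parameter are hypothetical.

```java
import java.security.KeyPair;
import java.time.Duration;

import org.shredzone.acme4j.Certificate;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.exception.AcmeException;

public class FinalizeWhenReady {

    /**
     * Finalizes an order whose authorizations have already been completed.
     * Hypothetical helper: blocks the calling thread, so it is only suitable
     * for clients that wait synchronously.
     */
    static Certificate finalizeOrder(Order order, KeyPair domainKeyPair, Duration timeout)
            throws AcmeException, InterruptedException {
        // Do not finalize right after the last challenge: some CAs need
        // time before the order changes to READY.
        Status ready = order.waitUntilReady(timeout);
        if (ready != Status.READY) {
            // Fail closed instead of sending a finalization request that
            // the CA will reject.
            throw new AcmeException("Order not ready for finalization, status: " + ready);
        }

        // Sends the CSR for the domain key pair (the finalize request).
        order.execute(domainKeyPair);

        // Issuance can take a while as well; wait for the final state.
        Status done = order.waitForCompletion(timeout);
        if (done != Status.VALID) {
            throw new AcmeException("Order failed, status: " + done);
        }
        return order.getCertificate();
    }
}
```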
v3.3.1
- Added chapter about errors and `Problem` objects.
- `OrderBuilder.replaces()` set `autoRenewal` to `true`, which makes no sense in this context. Fixes #158, thanks to @rcc13 for reporting.
v3.3.0
- Added support for subdomain validation (RFC 9444)
- `AcmeProtocolException` was thrown when a rate limit was reached while fetching a nonce. Now either `AcmeRetryAfterException` or a generic `AcmeException` is thrown, depending on the error returned by the server.
- Project could not be built with Java 22, fixed (#157, thanks to @tugalsan for reporting)
- Integration tests against the latest docker image versions of pebble and challtestsrv
I also decided to discontinue acme4j v2, because the codebase has diverged a lot by now, and I don't want to spend my limited resources on maintenance. Please migrate your code to acme4j v3. For most clients, it is less work than it might look like.
v3.2.1
- Use `ENGLISH` locale for uppercase/lowercase conversion (fixes #156, thanks to @emirhannaneli)
This is a bugfix release. Update is only necessary if your system's default locale is set to Turkish.
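Why only a Turkish default locale is affected, shown as an added stand-alone example rather than acme4j code. The `Token` enum, the method names and the sample input are constructed for illustration; which strings acme4j actually converted is not stated in these notes.

```java
import java.util.Locale;

public class LocaleCaseDemo {
    // Hypothetical enum standing in for any set of protocol tokens.
    enum Token { VALID, INVALID, PENDING }

    // Locale-sensitive: toUpperCase() follows Locale.getDefault().
    static Token parseDefaultLocale(String value) {
        return Token.valueOf(value.toUpperCase());
    }

    // Locale-independent: the case mapping is pinned to English rules.
    static Token parseEnglish(String value) {
        return Token.valueOf(value.toUpperCase(Locale.ENGLISH));
    }

    public static void main(String[] args) {
        Locale saved = Locale.getDefault();
        try {
            // Simulate a system whose default locale is Turkish.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            String wire = "invalid"; // constructed sample input

            System.out.println("ENGLISH: " + parseEnglish(wire));
            try {
                System.out.println("default: " + parseDefaultLocale(wire));
            } catch (IllegalArgumentException e) {
                // Under Turkish rules 'i' upper-cases to dotted 'İ' (U+0130),
                // so the result no longer matches the ASCII constant name.
                System.out.println("default: rejected, " + e.getMessage());
            }
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```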
3.2.0
- Documentation has been completely restructured and reviewed. The chapters are now oriented on the different steps, and should help to understand better how acme4j is working.
- Added `acme://ssl.com` URI for SSL.com. (Thanks to @fergadis, @ifindthanh, @thanhsmvn for the contribution.)
- Added `acme://zerossl.com` protocol provider for ZeroSSL.
- Simplified the handling of Retry-After headers. Catching `AcmeRetryAfterException` is not necessary anymore.
- CSR generator now supports domain names with more than 64 characters. The CSR's CN field is now left empty by default. (Thanks to @mcpherrinm for the contribution.)
- Updated ARI support to the latest draft-ietf-acme-ari-03. There is a breaking change in the protocol! If you use ARI and your CA still uses draft 01, do not update to this version!
- For generic ACME URIs, query parameters are now forwarded to the server. (Fixes #152)
No changes to your source code are required, unless you are using ARI.
Please read the Migration Guide for further information and caveats.
ZeroSSL makes use of EAB and the Retry-After header. The example has been changed accordingly. It now shows how to do EAB and how to properly handle the Retry-After header.
v3.1.1
This is a maintenance release with updated dependencies. There are no changes to acme4j itself.
Bouncy Castle is updated to version 1.77, which fixes a vulnerability (CVE-2023-33201). acme4j-client was not affected by this CVE, as the X509 certificates from the CA are only passed through. acme4j-smime, however, validates certificates, so it could have been affected. If you use the acme4j-smime module, I recommend updating to this release.
Fixes #142.
3.1.0
- External account binding now permits setting individual MAC algorithms (`AccountBuilder.withMacAlgorithm()`) and using HMAC keys of arbitrary length. Thanks to @aarcloudera and @Radranic.
- The draft-ietf-acme-ari-01 implementation was missing a method `Certificate.markAsReplaced()`. It is added now.
- All classes and methods related to draft-ietf-acme-ari-01 are now marked as `@draft`. As the draft evolves, they can change without prior notice. SemVer does not apply to parts that are marked as `@draft`. This is a preparation for draft-ietf-acme-ari-02, which will introduce major and breaking changes.
In the future, I will generally handle all draft implementations like that, as I don't want to do a major version bump of acme4j for every breaking change in a draft.