shred/acme4j
2024-03-12 00:28:06
acme4j

v3.2.1

  • Use ENGLISH locale for uppercase/lowercase conversion (fixes #156, thanks to @emirhannaneli)

This is a bugfix release. Update is only necessary if your system's default locale is set to Turkish.
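The class of bug this release addresses, shown as an added example (not code from acme4j): `String.toLowerCase()` and `toUpperCase()` without an argument use the JVM default locale, and under Turkish rules `I` and `i` map to dotless `ı` and dotted `İ`. The class name, the token table and its values are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class TurkishLocaleDemo {
    // Constructed sample: protocol tokens stored under lower-case ASCII keys.
    private static final Map<String, String> KNOWN = new HashMap<>();
    static {
        KNOWN.put("identifier", "dns");
        KNOWN.put("link", "index");
    }

    // Locale-sensitive: the result depends on the JVM default locale.
    static String lookupDefault(String token) {
        return KNOWN.get(token.toLowerCase());
    }

    // Locale-independent: the result is the same on every system.
    static String lookupEnglish(String token) {
        return KNOWN.get(token.toLowerCase(Locale.ENGLISH));
    }

    public static void main(String[] args) {
        Locale previous = Locale.getDefault();
        try {
            // Simulate a system whose default locale is Turkish.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            for (String token : new String[] {"IDENTIFIER", "LINK"}) {
                // The default-locale lookup misses because 'I' lower-cases to U+0131.
                System.out.printf("%s -> default: %s, ENGLISH: %s%n",
                        token, lookupDefault(token), lookupEnglish(token));
            }
            // Upper-casing has the mirror problem: 'i' becomes U+0130.
            System.out.println("identifier".toUpperCase());
            System.out.println("identifier".toUpperCase(Locale.ENGLISH));
        } finally {
            // Restore the original default so the demo has no side effects.
            Locale.setDefault(previous);
        }
    }
}
```

A quick audit for the same pattern in your own code is to search for `toLowerCase()` and `toUpperCase()` calls with no locale argument on strings that are compared against protocol constants.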

2024-02-29 01:02:55
acme4j

3.2.0

  • Documentation has been completely restructured and reviewed. The chapters are now organized around the different steps, and should make it easier to understand how acme4j works.
  • Added acme://ssl.com URI for SSL.com. (Thanks to @fergadis, @ifindthanh, @thanhsmvn for the contribution.)
  • Added acme://zerossl.com protocol provider for ZeroSSL.
  • Simplified the handling of Retry-After headers. Catching AcmeRetryAfterException is not necessary anymore.
  • CSR generator now supports domain names with more than 64 characters. The CSR's CN field is now left empty by default. (Thanks to @mcpherrinm for the contribution.)
  • Updated ARI support to the latest draft-ietf-acme-ari-03. There is a breaking change in the protocol! If you use ARI and your CA still uses draft 01, do not update to this version!
  • For generic ACME URIs, query parameters are now forwarded to the server. (Fixes #152)

No changes to your source code are required, unless you are using ARI.

Please read the Migration Guide for further information and caveats.

ZeroSSL makes use of EAB and the Retry-After header. The example has been changed accordingly. It now shows how to do EAB and how to properly handle the Retry-After header.

2023-11-15 14:06:11
acme4j

v3.1.1

This is a maintenance release with updated dependencies. There are no changes to acme4j itself.

Bouncy Castle is updated to version 1.77, which fixes a vulnerability (CVE-2023-33201). acme4j-client was not affected by this CVE, as the X509 certificates from the CA are only passed through. acme4j-smime, however, validates certificates, so it could have been affected. If you use the acme4j-smime module, I recommend updating to this release.

Fixes #142.

2023-10-11 13:20:24
acme4j

3.1.0

  • External account binding now permits setting individual MAC algorithms (AccountBuilder.withMacAlgorithm()) and the use of HMAC keys of arbitrary length. Thanks to @aarcloudera and @Radranic.
  • The draft-ietf-acme-ari-01 implementation was missing a method Certificate.markAsReplaced(). It is added now.
  • All classes and methods related to draft-ietf-acme-ari-01 are now marked as @draft. As the draft evolves, they can change without prior notice. SemVer does not apply to parts that are marked as @draft. This is a preparation for draft-ietf-acme-ari-02, which will introduce major and breaking changes.

In the future, I will generally handle all draft implementations like that, as I don't want to do a major version bump of acme4j for every breaking change in a draft.

2023-08-11 15:55:46
acme4j

3.0.0

This is a major update!

Still, the migration to v3.0.0 should be easy for most of you. See the migration guide for further information.

  • acme4j now adheres to Semantic Versioning.
  • The acme4j-utils module has been merged into acme4j-client. You can just remove the dependency on acme4j-utils from your project. This also means that BouncyCastle is now a hard requirement for acme4j. The separation of acme4j-client and acme4j-utils has become a blocker for new features though, so this step had to be taken.
  • Requires Java 11. (For Java 8, you can still use acme4j v2, however it will only receive security bugfixes.)
  • New method Certificate.findCertificate(String issuer) helps to find a certificate from the given issuer.
  • Added support for draft-ietf-acme-ari-01 protocol.
  • Reduced return of null values where possible. Methods that could have returned null in v2 will now return an Optional (or throw an exception if more appropriate). Collections may be empty, but are never null.
  • PebbleAcmeProvider now accepts a port without having to set a host. Thanks to @mloesch for the contribution!
  • A new Order.execute(KeyPair) method takes care of creating a CSR for you. You won't need to do that anymore. See the acme4j-example for how it works.
  • New AcmeNotSupportedException is thrown when the ACME server does not support a certain feature.
  • HTTP accepts gzip compression. It can be turned off in the NetworkSettings or via org.shredzone.acme4j.gzip_compression system property.
  • Uses the java.net.http client now.
  • Documentation has been reviewed and extended.
  • All deprecated methods have been removed.

The change to v3.0.0 has been blocking acme4j for much too long. I am happy that it is published now, and I can focus on adding new features again.

2023-02-11 23:55:27
acme4j

v2.16

  • S/MIME module now also supports RFC-7508 style header protection. Thanks to @augjoh for help!
  • EmailProcessor.smimeMessage() is now deprecated, see the migration guide. It only affects the acme4j-smime module and is quickly resolved.

Note that the S/MIME module is still experimental. I appreciate your feedback!

There is an official acme4j Mastodon feed for release announcements and other acme4j related stuff: @acme4j@foojay.social. Thanks to foojay for providing the instance.

2022-11-25 20:24:12
acme4j

v2.15

  • S/MIME module now also supports the S/MIME validation of incoming challenge e-mails. There was a minor breaking API change for that, see the migration guide. It only affects the acme4j-smime module and is quickly resolved.

Note that the S/MIME module is still experimental. I appreciate your feedback!

Next I am planning an acme4j v3.0.0 release with the following major changes:

  • acme4j-utils will be merged with acme4j-client, which means that BouncyCastle will be a hard requirement starting with v3.0.0.
  • Starting with v3.0.0, acme4j will adhere to semantic versioning.
  • acme4j will now require the second-to-current Java LTS version. This means that starting with v3.0.0, Java 11 or higher will be required. With the prospective release of Java 21 in September 2023, Java 17 will become the minimum version, and so on.

acme4j v2 will still be maintained for a while, but will only experience security updates.

For the upcoming v3.0.0, I also appreciate your input and feedback. Thank you!

2022-06-30 02:07:57
acme4j

v2.14

  • CSRBuilder and SMIMECSRBuilder have a new method addValue() that allows setting further non-standard CSR attributes. Thanks to @kimmerin for the contribution!
  • The new method Dns01Challenge.toRRName() helps with building the DNS resource record name for the TXT record needed for domain name validation.

2022-05-09 23:16:05
acme4j

v2.13

After a much too long time, there's a new release of acme4j!

  • acme4j-smime: Moved from JavaMail to JakartaMail. Sadly this is an API breaking change in the S/MIME module. See the migration guide for further details.
  • Workaround for an Android bug that only returned an empty certificate chain (issue #127). Thanks to @NielsMasdorp!
  • Added a debugging chapter to the documentation.
  • acme4j is now tested to work on Android. However, please note that Android is not an officially supported platform.
  • Minor bugfixes

2021-07-03 17:19:53
acme4j

v2.12

  • Add support of RFC 8823 for ordering S/MIME certificates (experimental) (documentation)
  • It is now possible to register generic challenge implementations (documentation)
  • New method Login.bindChallenge(URL, Class) helps binding to a challenge of a known type
  • Documentation got a FAQ and some minor enhancements

About the new S/MIME support, please note that the implementation is experimental, and has only been unit tested against the RFC so far. Your feedback is welcome.

Also note that Let's Encrypt does not issue S/MIME certificates (discussion see here).