Lemur

Latest version: v1.8.2


Page 3 of 5

1.0.0
~~~~~

Not secure

This is our first major release due to a dependency on Python 3.8.
Lemur is now using flake8>=4.0 and pyflakes>=2.4, requiring Python 3.8 or higher.
Our GitHub Actions Builds are currently on Python 3.8 and Python 3.9.

0.11.0
~~~~~~

Not secure

This release includes multiple improvements on many fronts.
The next release will be a major release, requiring Python 3.8 or higher.

Some of the notable changes in this release are:

- CloudFront Plugin: a new endpoint with rotation support
- Improved Endpoint expiration flow; the Sync job now expires old endpoints
- AWS ELB tag support to opt out of auto-rotate for load balancers
- Membership plugin
- Moving Travis Build to Node 16
- OAuth2 & Ping Config improvement
- Improved Certificate status check
- Improved ACME plugin:

  - reuse existing domain validation resulting in faster issuance
  - IP certificate issuance support, accompanied by UI support
  - emit remaining domain validation

- Azure destination: Switch to PKCS12 upload
- Improved logs, such as:

  - Warning logs for admin role assignment and authority creation
  - Audit logs in JSON format for better search
  - Improved SES logging

Special thanks to all who contributed to this release, notably:

- `Bob Shannon <https://github.com/bobmshannon>`_
- `sirferl <https://github.com/sirferl>`_
- `Sam Havron <https://github.com/havron>`_
- `Guillaume Dumont <https://github.com/dumontg>`_
- `Joe McRobot <https://github.com/JoeMcRobot>`_

0.10.0
~~~~~~

This release introduces a breaking change (PR `3646 <https://github.com/Netflix/lemur/pull/3646>`_) to the following API endpoint:

- `POST /certificates/1/update/notify <https://lemur.readthedocs.io/en/latest/developer/index.html#lemur.certificates.views.Certificates.post>`_

The endpoint is now:

- `POST /certificates/1/update/switches <https://lemur.readthedocs.io/en/latest/developer/index.html#lemur.certificates.views.Certificates.post>`_

The new endpoint honors the existing ``notify`` request parameter, and additionally accepts a new ``rotation`` parameter.
As a result of this change, the certificate table view now includes rotation switches and filtering by rotation status.


Other notable changes in this release:

- ACME:

  - New celery task to prevent duplicate certificates from being autorotated
  - ACME DNS-01 Challenges are supported in synchronous mode
  - DNS provider check fails gracefully if not found

- Authentication:

  - SSO auth now returns a newly created user during initial login
  - CSRF protection is added to OAuth2.0

- Notifications:

  - New reissue failed notification
  - New reissue with no endpoints notification
  - New revocation notification

- Plugins:

  - Plugin option values are validated server-side
  - Some plugin option validations updated to compile successfully server-side

- Database:

  - Source and Destination deletions remove certificate associations with new confirmation dialog

- Dependency updates and conflict resolutions
- Expanded audit logs

And several smaller bugfixes and improvements.

Special thanks to all who contributed to this release, notably:

- `havron <https://github.com/havron>`_
- `tho <https://github.com/tho>`_
- `mizzy <https://github.com/mizzy>`_

0.9.0
~~~~~

Not secure

This release fixes three critical vulnerabilities where an authenticated user could retrieve/access
unauthorized information. (Issue `3463 <https://github.com/Netflix/lemur/issues/3463>`_)

0.8.1
~~~~~

Not secure

This release includes improvements on many fronts, such as:

- Notifications:

  - Enhanced SNS flow
  - Expiration Summary
  - CA expiration email

- EC algorithm as the default
- Improved revocation flow
- Localized AWS STS option
- Improved Lemur doc building
- ACME:

  - reduced failed attempts to 3x trials
  - support for selecting the chain (Let's Encrypt X1 transition)
  - revocation
  - http01 documentation

- Entrust:

  - Support for cross-signed intermediate CA

- Revised disclosure process
- Dependency updates and conflict resolutions

Special thanks to all who contributed to this release, notably:

- `peschmae <https://github.com/peschmae>`_
- `atugushev <https://github.com/atugushev>`_
- `sirferl <https://github.com/sirferl>`_

0.8.0
~~~~~

Not secure

This release comes after more than two years and contains many interesting new features and improvements.
In addition to multiple new plugins, such as ACME-http01, ADCS, PowerDNS, UltraDNS, Entrust, SNS, many of Lemur's existing
flows have improved.

In the future, we plan to do frequent releases.


Summary of notable changes:

- AWS S3 plugin: added delete, get methods, and support for uploading/deleting acme tokens
- ACME plugin:

  - revamp of the plugin
  - support for http01 domain validation, via S3 and SFTP as destination for the acme token
  - support for CNAME delegated domain validation
  - store-acme-account-details

- PowerDNS plugin
- UltraDNS plugin
- ADCS plugin
- SNS plugin
- Entrust plugin
- Rotation:

  - respecting keyType and extensions
  - region-by-region rotation option
  - default to auto-rotate when cert attached to endpoint
  - default to 1y validity during rotation for multi-year browser-trusted certs

- Certificate: search_by_name, and important performance improvements
- UI:

  - reducing the EC curve options to the relevant ones
  - edit option for notifications, destinations and sources
  - showing 13 month validity as default
  - option to hide certs that expired more than 3 months ago
  - faster Permalink (no search involved)
  - commonName Auto Added as DNS in the UI
  - improved search and cert lookup

- celery tasks instead of cron, for better logging and monitoring
- countless bugfixes:

  - group-lookup-fix-referral
  - url_context_path
  - duplicate notification
  - digicert-time-bug-fix
  - improved-csr-support
  - fix-cryptography-intermediate-ca
  - enhanced logging
  - vault-k8s-auth
  - cfssl-key-fix
  - cert-sync-endpoint-find-by-hash
  - nlb-naming-bug
  - fix_vault_api_v2_append
  - aid_openid_roles_provider_integration
  - rewrite-java-keystore-use-pyjks
  - vault_kv2


To see the full list of changes, you can run::

    $ git log --merges --first-parent master --pretty=format:"%h %<(10,trunc)%aN %C(white)%<(15)%ar%Creset %C(red bold)%<(15)%D%Creset %s" | grep -v "depend"


Special thanks to all who contributed to this release, notably:

- `peschmae <https://github.com/peschmae>`_
- `sirferl <https://github.com/sirferl>`_
- `lukasmrtvy <https://github.com/lukasmrtvy>`_
- `intgr <https://github.com/intgr>`_
- `kush-bavishi <https://github.com/kush-bavishi>`_
- `alwaysjolley <https://github.com/alwaysjolley>`_
- `jplana <https://github.com/jplana>`_
- `explody <https://github.com/explody>`_
- `titouanc <https://github.com/titouanc>`_
- `jramosf <https://github.com/jramosf>`_


Upgrading
---------

.. note:: This release will need a migration change. Please follow the `documentation <https://lemur.readthedocs.io/en/latest/administration.html#upgrading-lemur>`_ to upgrade Lemur.
