Releases: rmbolger/Posh-ACME

v4.32.0

01 Apr 04:56
15915fe

  • New DNSExit plugin (#668) (Thanks @joxdev13)
  • Preliminary support for dns-persist-01
    • Adds functions Publish-DnsPersistChallenge and Unpublish-DnsPersistChallenge. These are subject to change while the spec is still in a draft state.
    • I wanted to get these released early so folks can start testing the DNS plugins with them. No other core module changes have been added to support the cert workflow for this challenge type yet.
    • It is highly recommended to test these functions using your preferred DNS plugin. I suspect there are some bugs in some of the plugins that might surface because they have only been tested creating ACME challenge TXT records until now. Please submit issues for plugins that have problems.
  • Fixed bug in Infoblox plugin that caused errors when TxtValue required URL escaping
  • Added better error handling in Get-PAPluginArgs when decrypting encrypted args fails (#654)

Potentially Breaking Change

  • Generated CSRs no longer include the Enhanced Key Usage (EKU) extension.
    • This is a fix for CAs, such as Google, that have started rejecting CSRs containing the Client Authentication EKU due to its deprecation across all public CAs.
    • This change has been tested successfully against all known free public ACME CAs. The resulting certs still contain the EKU extension, but which EKUs get added is dependent on the CA as it has always been.
    • However, there are many commercial and private CAs I was unable to test against which is why this might be a breaking change for them. PLEASE test if you're not using one of the free public ACME CAs.
    • If for some reason your preferred CA rejects the new CSRs, you may always fall back to supplying your own CSR using the -CSRPath param in many of the functions.
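
One way to check whether a CSR carries the EKU extension before submitting it to a commercial or private CA, as an added example that is not part of the Posh-ACME release notes or code base. It assumes PowerShell 7.3 or later (.NET 7); the function names `New-SampleCsr` and `Get-CsrEku` and the name `csr-test.example` are made up for the illustration.

```powershell
# Needs PowerShell 7.3+ (.NET 7) for the *SigningRequestPem methods.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-SampleCsr {
    # Hypothetical helper: builds a throwaway CSR for a constructed name.
    param([switch]$WithEku)
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new('CN=csr-test.example', $key,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $san = [SubjectAlternativeNameBuilder]::new()
    $san.AddDnsName('csr-test.example')
    $req.CertificateExtensions.Add($san.Build())
    if ($WithEku) {
        $oids = [OidCollection]::new()
        [void]$oids.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))   # serverAuth
        [void]$oids.Add([Oid]::new('1.3.6.1.5.5.7.3.2'))   # clientAuth
        $req.CertificateExtensions.Add(
            [X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $req.CreateSigningRequestPem()
}

function Get-CsrEku {
    # Hypothetical helper: returns the EKU OIDs requested in a PEM CSR,
    # or nothing when the extension (OID 2.5.29.37) is absent.
    param([Parameter(Mandatory)][string]$Pem)
    # Requested extensions are only exposed when this option is set.
    $req = [CertificateRequest]::LoadSigningRequestPem(
        $Pem, [HashAlgorithmName]::SHA256,
        [CertificateRequestLoadOptions]::UnsafeLoadCertificateExtensions,
        [RSASignaturePadding]::Pkcs1)
    foreach ($ext in $req.CertificateExtensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            # Re-decode the raw extension bytes as an EKU list.
            $eku = [X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical)
            return @($eku.EnhancedKeyUsages | ForEach-Object Value)
        }
    }
}

# Compare a CSR built with the EKU extension against one built without it.
foreach ($withEku in $true, $false) {
    $pem  = New-SampleCsr -WithEku:$withEku
    $ekus = @(Get-CsrEku -Pem $pem)
    'WithEku={0}  EKU extension present={1}  OIDs={2}' -f `
        $withEku, ($ekus.Count -gt 0), ($ekus -join ',')
}
```

To inspect a request the module generated, pass the contents of the file named by the `CSR` property of `Get-PACertificate` (added in v4.31.0) to `Get-CsrEku`, assuming that file is PEM-encoded.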

v4.31.1

07 Feb 17:49
81649c0

  • Fixed bug in CSR generation for IP address certs. IPs will no longer be added to CSR Common Name. If an IP address is the "MainDomain" of the order, the CSR CN will be empty. (#658)

v4.31.0

21 Jan 15:40
954d29b

  • New Technitium DNS plugin. (#653) (Thanks @shalafi99)
  • Added CSR property to the output of Get-PACertificate which is the path to the CSR file used for the request. (#650) (Thanks @skyblaster)
  • Fixed bug in HetznerCloud plugin due to duplicate ErrorAction param use (#656)

v4.30.1

18 Nov 18:40
49cc3cf

  • Fixed Simply and SimplyCom plugins which now require trailing slashes to API endpoints. (#646) (Thanks @tomsommer)

v4.30.0

14 Nov 06:42
8ff621c

  • New HetznerCloud plugin (#642) (Thanks @humnose)
    • This is for Hetzner users who have migrated their zones from the legacy "DNS Console" to the new "Hetzner Console". NOTE: New API tokens are needed.
  • Added AZArcAgentAPIVersion param for Azure IMDS parameter set (#636) (Thanks @semics-tech)
    • This may be necessary on systems running older versions of the Azure Managed Identity Agent that don't work with the default version identifier.
  • Added ACTALIS_PROD to the list of well-known directory shortcuts. They've also been added to the ACME CA Comparison guide.
  • Removed BUYPASS_PROD and BUYPASS_TEST from the list of well-known directory shortcuts since they are no longer in operation.
  • Removed a workaround for a BuyPass server bug which is no longer necessary.
  • Fixed Windows plugin breaks when not using WinUseSsl or WinSkipCACheck switches (#637) (Thanks @jmpederson1)
  • Fixed PS 5.1 compat with DeSEC and EuroDNSReseller by removing -Depth param from ConvertFrom-Json calls (#643)
  • Fixed null ref errors in CoreNetworks plugin when no matching zone found. Added additional debug logs. (#616)

v4.29.3

24 Jul 21:04
6e7ce82

  • The current ACME server directory endpoint is now refreshed on module import to ensure server changes are reflected before actions are performed. If the previously used ACME server is unreachable, a warning is thrown and previously cached data is used.
    • This should fix anyone who is getting 404 errors when renewing Let's Encrypt certs due to an unannounced change to their ARI endpoint. Users can also fix this problem without upgrading by running Get-PAServer -Refresh.

v4.29.2

15 Jul 15:32
75c1ef2

  • Fixed param set resolution error with New-PACertificate when using CSRPath/CSRString params (#629)
  • Added workaround for non-compliant order response from KeyFactor ACME provider (#626)
  • Added additional logging to DuckDNS plugin (#628)
  • Tweaked debug output for ACME responses for better human readability

v4.29.1

26 Jun 18:00
2a9dc1b

  • Fix Route53 plugin when used with AWS Tools for PowerShell 5.x (#627)

v4.29.0

26 Jun 03:43
b01b1f3

  • New DNS Plugins
  • Added -IgnoreContact switch to Set-PAServer (#619)
    • ALL USERS of LET'S ENCRYPT, this switch works around a bug that causes a new account to be created for every renewal after LE shut down their automated email warning service.
    • This option causes the module to ignore any -Contact parameters in functions that support it when using the associated server.
    • It will be enabled by default on new installs that use Let's Encrypt. But existing users will need to manually enable it OR simply stop using the -Contact parameter in your scripts when using Let's Encrypt ACME endpoints.
  • Added AZAccessTokenSecure param for Azure plugin (#618)
  • Added WinSkipCACheck switch to Windows plugin (#613)
  • Added WinNoCimSession switch to Windows plugin (#600) (Thanks @rhochmayr)
  • Fix: Changing an order's PfxPass no longer shows the new value in Verbose output (#604)
  • Fix: New-PACertificate no longer shows plaintext PfxPass in debug log (#604)
  • Fixed a bug in New-PACertificate that would unnecessarily create a new order when an existing unfinished order could have been continued
  • Fixed a couple minor bugs related to switching profiles when creating new orders that match existing orders.
  • Fix: Added a workaround for non-compliant order response from GoDaddy's ACME implementation (#611)
  • Fixed PowerDNS plugin when using limited API key that doesn't have access to all hosted zones (#617) (Thanks @joachimcarrein)
  • Removed the Warning message when creating a new ACME account with no -Contact parameter.

v4.28.0

09 Feb 07:22
54aad4c

  • New efficient iP SOLIDserver DDI plugin. Thanks @jamiekowalczik for the initial PR and @alexissavin for providing a test platform and API guidance.
  • Experimental support for the new ACME Profiles extension. This is still a very early draft standard and subject to change, but Let's Encrypt is already rolling out support this year as part of their short-lived certificates initiative. More info here.
  • Fixed Route53 plugin when used with accounts that have many hosted zones. (#593)
  • Fixed a bug with DeSEC plugin that was caused by the previous fix for #584. (#598)
  • Added better debug logging for DeSEC plugin.
  • Azure cert thumbprint auth now works on Linux for certs in the "CurrentUser" store. (Thanks @Eric2XU)
  • Fixed a bug with Azure cert thumbprint auth on Windows that could throw errors when using certificates with non-exportable private keys.
  • Added better debug logging for Azure plugin.
  • AcmeException objects thrown by the module now include the lower level HTTP response exception as an InnerException.