sewer

Sewer 0.8.4 Release Notes

What’s New

• ECDSA keys supported (account and/or certificate keys)

• optional client argument to route53 driver for special use cases

What’s Changed in the sewer Command

Basically nothing for many users, other than the change in default for sewer-generated RSA key size to follow current security guidance. You will have to use the new *_key_type options if you have a hard requirement for 2048 bit RSA keys (most likely for the certificate key only).

• --acct_key & --cert_key should be used to designate the file that holds the keys to be used (rather than having new ones generated). --account_key & --certificate_key are still accepted as synonyms but will be phased out later.

• add --acct_key_type & --cert_key_type to allow choice of RSA or EC keys and key sizes when sewer is generating them for you.

• changed default for generated keys to 3072 bit RSA (had been 2048 bit)

• add --is_new_key to allow for first-time registration of your own account key (using --acct_key) generated outside of sewer.

--is-new-key allows an externally generated account key (specified with --acct_key) to be registered with ACME when first used. Since there’s been basically no way to do this from the CLI, I doubt the addition will affect anyone who isn’t interested in the new capability.

Internal changes for library clients:

• Client class methods cert() and renew() are deprecated; just call get_certificate() directly instead.

• Client class no longer generates keys. (see below)

• crytographic refactoring

  • AcmeKey, AcmeAccount & AcmeCsr in crypto.py; uses only cryptography library

  • This is what enables ECDSA keys and provides selection by name

• Client.init interface changes due to crypto refactoring

  • dropped account_key and certificate_key optional arguments to Client

  • added acct_key and cert_key REQUIRED arguments to Client taking AcmeAccount and AcmeKey objects, respectively.

  • add is_new_acct argument to force registration of the supplied account key

  • dropped bits argument because Client no longer generates keys!

  • dropped digest argument since there are currently no alternate digest methods for the different key types. (was this ever used?)

Breakage

None that I know of (aside from hard changes in Client() interface listed above), so let me know if you find any!

Deprecated

• --action {run,renew} option has never actually had any effect and is no longer required (since 0.8.2?). LOGS A WARNING IN 0.8.3. Will be removed in 0.8.5.

• As mentioned above, CLI *_key argument names are changing. Expect they will issue a warning in 0.8.5 and go away in 0.8.6.

This site is open source. Improve this page.