Releases: csmith/centauri

2.7.0

18 Jun 18:43
45265dc

New features

  • Added support for external account binding when registering with an
    ACME server. Setting ACME_EXTERNAL_KID and ACME_EXTERNAL_HMAC enables
    it. See docs/setup.md for more details.
  • Added ACME_PROPAGATION_DELAY setting to control how long the ACME
    client waits for DNS propagation when ACME_DISABLE_PROPAGATION_CHECK is
    enabled (a fixed wait takes the place of the DNS check).
  • Added ACME_OVERALL_REQUEST_LIMIT to limit the number of requests
    sent to the ACME server per second. This was previously always set to
    18, but that is too high for some providers.
  • Added ACME_RESOLVERS to explicitly set DNS resolvers for use in
    DNS challenges.
  • Added subject directive to allow routes to specify the exact
    certificate subject they want requested.
  • Added ACME_OVERALL_TIMEOUT to limit the maximum time spent on
    ACME operations. This helps with providers that send an obnoxiously
    large Retry-After header.
  • Added ACME_OBTAIN_INTERVAL to limit the rate at which new certificates
    are issued.
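The external account binding that ACME_EXTERNAL_KID and ACME_EXTERNAL_HMAC turn on is the JWS defined in RFC 8555 section 7.3.4: the client's ACME account public key (as a JWK) is MACed with the provider-issued HMAC key, the key identifier and the newAccount URL go in the protected header, and the result is embedded in the newAccount request. The Go program below is an added example, not Centauri's code, and goes one step beyond the client side by including the check the server performs. The function names, the "kid-example" identifier, the 32-byte secret and the acme.example URL are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// eabJWS is the externalAccountBinding member of a newAccount request
// (RFC 8555 section 7.3.4): a JWS in flattened JSON serialisation.
type eabJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// decodeMACKey accepts the provider's HMAC key as base64url with or without
// "=" padding, and falls back to standard base64 for providers that use it.
func decodeMACKey(s string) ([]byte, error) {
	s = strings.TrimRight(strings.TrimSpace(s), "=")
	if key, err := b64.DecodeString(s); err == nil {
		return key, nil
	}
	return base64.RawStdEncoding.DecodeString(s)
}

// accountJWK is the RFC 7517 JWK for a P-256 account key. encoding/json
// emits map keys in sorted order, giving the canonical crv,kty,x,y layout.
func accountJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{
		"kty": "EC",
		"crv": "P-256",
		"x":   b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y":   b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32))),
	}
}

// buildEAB MACs the account public key with the provider's key. The protected
// header carries alg HS256, the key identifier and the newAccount URL; unlike
// every other ACME JWS it carries no nonce.
func buildEAB(kid, macKeyB64, newAccountURL string, pub *ecdsa.PublicKey) (*eabJWS, error) {
	if kid == "" || macKeyB64 == "" {
		return nil, errors.New("eab: both the key identifier and the hmac key are required")
	}
	macKey, err := decodeMACKey(macKeyB64)
	if err != nil {
		return nil, err
	}
	// Marshalling a map[string]string cannot fail, so the errors are dropped.
	protected, _ := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	payload, _ := json.Marshal(accountJWK(pub))
	p, pl := b64.EncodeToString(protected), b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(p + "." + pl))
	return &eabJWS{Protected: p, Payload: pl, Signature: b64.EncodeToString(mac.Sum(nil))}, nil
}

// verifyEAB is the server-side check: recompute the MAC over the signing
// input and compare in constant time.
func verifyEAB(j *eabJWS, macKeyB64 string) bool {
	macKey, err := decodeMACKey(macKeyB64)
	if err != nil {
		return false
	}
	sig, err := b64.DecodeString(j.Signature)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(j.Protected + "." + j.Payload))
	return hmac.Equal(sig, mac.Sum(nil))
}

// newAccountKey generates the ACME account key that the binding covers.
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	key, err := newAccountKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for ACME_EXTERNAL_KID / ACME_EXTERNAL_HMAC.
	secret := b64.EncodeToString([]byte("constructed-32-byte-secret-key!!"))
	eab, err := buildEAB("kid-example", secret, "https://acme.example/acme/new-account", &key.PublicKey)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(eab, "", "  ")
	fmt.Println(string(out), verifyEAB(eab, secret))
}
```

The tolerant key decoding matters in practice: providers hand out the HMAC key in several base64 flavours, and a key that decodes to the wrong bytes produces an "externalAccountRequired" or "malformed" error from the CA rather than anything that points at the encoding.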

Behaviour changes

  • Centauri will now ensure that newly issued certificates are only
    used for routes with the same provider. Existing certificates will
    continue to be used until they are naturally replaced. This addresses
    an issue in niche cases where multiple routes use the same name due
    to the WILDCARD_DOMAINS setting, but have different configured providers.
    Previously, the first route to generate a certificate would "win",
    and all matching routes would use that certificate until renewal,
    even if they were configured to use a different provider.
  • Disabling propagation checks will now avoid querying DNS at all,
    and show an appropriate log message.
  • Updated TLS configuration to the latest Mozilla intermediate recommendation.

2.6.1

09 May 16:08
567e27c

  • Fix crash if the ACME server returns an ARI update window with
    start >= end.

2.6.0

22 Apr 12:49
4d0df74

  • Centauri now accepts empty configs from the network config source
  • If Centauri doesn't have any routes to serve it will log a warning

2.5.0

04 Apr 13:40
14fb8fe

  • Dependency updates
  • Fix a data race when updating routes. This should not have actually had
    any effect, but was undefined behaviour per the Go memory model.

v2.4.0

24 Dec 13:08
7795e3c

New features

  • Support for network-based configuration. When -config-source / CONFIG_SOURCE
    is set to network, Centauri will attempt to connect out to the address
    specified in -config-network-address / CONFIG_NETWORK_ADDRESS. The initial
    config must be provided within 10 seconds of connection, and then any future
    updates can be pushed as needed. The protocol is documented in
    docs/network-config.md.

v2.3.0

08 Dec 14:19
4daf4c9

New features

  • Support for the ACME Renewal Information (ARI) standard. Centauri will now
    automatically poll ARI to decide when a certificate should be renewed. If
    the ACME server doesn't support ARI then the existing behaviour is preserved
    (renewing 30 days before expiry). This helps to recover if a certificate is
    revoked, and makes it easier to deal with shorter-lived certificates.
  • Support for passing a profile when requesting a certificate. This can be used
    to opt in to different certificate configurations offered by the ACME service
    (e.g. adopting shorter-lived certificates before it's mandatory). Set using
    the -acme-profile flag or ACME_PROFILE env var.
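The ARI renewal logic described above, and the start >= end crash fixed in 2.6.1, come down to one decision: given the certificate's notAfter and the CA's suggestedWindow (if any), when should the next renewal run? The Go program below is an added example, not Centauri's code. It decodes a constructed renewalInfo body, picks a uniformly random instant inside a usable window, renews immediately if that instant has already passed, and falls back to the 30-days-before-expiry rule when ARI is absent or the window is empty or inverted (the case that used to crash, since the random draw over a non-positive span panics). Function and type names are this example's own; the constructed JSON bodies are not real CA responses.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"math/rand"
	"time"
)

// renewalInfo mirrors the ARI renewalInfo resource: a suggestedWindow the CA
// would like the client to renew in, plus an optional explanation URL.
type renewalInfo struct {
	SuggestedWindow renewalWindow `json:"suggestedWindow"`
	ExplanationURL  string        `json:"explanationURL,omitempty"`
}

type renewalWindow struct {
	Start time.Time `json:"start"`
	End   time.Time `json:"end"`
}

// fallbackLead is the pre-ARI rule: renew 30 days before notAfter.
const fallbackLead = 30 * 24 * time.Hour

var errBadWindow = errors.New("ari: suggested window has start >= end")

// parseRenewalInfo decodes a renewalInfo body and rejects missing, empty or
// inverted windows up front, so nothing downstream sees a zero-length span.
func parseRenewalInfo(body []byte) (*renewalWindow, error) {
	var ri renewalInfo
	if err := json.Unmarshal(body, &ri); err != nil {
		return nil, err
	}
	w := ri.SuggestedWindow
	if w.Start.IsZero() || w.End.IsZero() {
		return nil, errors.New("ari: response has no suggestedWindow")
	}
	if !w.End.After(w.Start) {
		return nil, errBadWindow
	}
	return &w, nil
}

// renewAt decides when the next renewal attempt should run. A nil window
// means ARI is unavailable or unusable, so the 30-day rule applies. With a
// window, a uniformly random instant inside it is chosen (spreading load
// across clients); an instant already in the past means renew now.
func renewAt(notAfter, now time.Time, w *renewalWindow, rnd *rand.Rand) time.Time {
	at := notAfter.Add(-fallbackLead)
	if w != nil && w.End.After(w.Start) {
		// rand.Int63n panics for n <= 0, which is exactly the start >= end
		// crash; the guard above keeps the span strictly positive.
		span := int64(w.End.Sub(w.Start))
		at = w.Start.Add(time.Duration(rnd.Int63n(span)))
		if !at.Before(notAfter) {
			at = notAfter.Add(-fallbackLead) // CA suggested a time past expiry
		}
	}
	if at.Before(now) {
		return now
	}
	return at
}

func newRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

func main() {
	now := time.Now().UTC()
	notAfter := now.Add(90 * 24 * time.Hour)
	// Constructed responses: one usable window and one inverted one.
	good := []byte(fmt.Sprintf(`{"suggestedWindow":{"start":%q,"end":%q}}`,
		now.Add(24*time.Hour).Format(time.RFC3339), now.Add(48*time.Hour).Format(time.RFC3339)))
	bad := []byte(`{"suggestedWindow":{"start":"2025-06-03T00:00:00Z","end":"2025-06-02T00:00:00Z"}}`)
	rnd := newRNG(now.UnixNano())
	for _, body := range [][]byte{good, bad} {
		w, err := parseRenewalInfo(body)
		if err != nil {
			fmt.Println("falling back to the 30-day rule:", err)
		}
		fmt.Println("renew at", renewAt(notAfter, now, w, rnd))
	}
}
```

Treating a bad window as "no ARI" rather than as fatal is the conservative choice: the certificate still gets renewed on the old schedule, and the CA's advice is simply re-polled next time.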

v2.2.0

21 Sep 09:14

New features

  • Routes with multiple domains can now have a redirect-to-primary directive,
    which will redirect all requests to the primary (first listed) domain.
    (issue #205)

v2.1.1

17 Sep 15:04

New features

  • Added -trusted-downstreams flag (TRUSTED_DOWNSTREAMS env var) for trusting
    X-Forwarded-* headers from certain clients (useful when Centauri is behind
    another proxy).
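The security point behind -trusted-downstreams is that X-Forwarded-* headers are attacker-controlled unless the TCP peer that sent them is a proxy you operate; honouring them from everyone lets any client choose its own logged or rate-limited address. The Go program below is an added example, not Centauri's code, of the usual way to consume such a setting: accept the header only from a trusted peer, then walk X-Forwarded-For right to left skipping trusted hops, so the answer is always the first address a trusted proxy saw and never one the client appended itself. The comma-separated list of CIDRs or bare IPs is an assumed format for this example (docs describe Centauri's own syntax), and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// trustedDownstreams is the set of networks whose X-Forwarded-* headers are
// believed. Anything else is treated as a direct client.
type trustedDownstreams []*net.IPNet

// parseTrusted reads a comma-separated list of CIDRs or bare IPs. The list
// format is assumed for this example and is not Centauri's own syntax.
func parseTrusted(list string) (trustedDownstreams, error) {
	var nets trustedDownstreams
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			if strings.Contains(item, ":") {
				item += "/128"
			} else {
				item += "/32"
			}
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("trusted downstream %q: %w", item, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func (t trustedDownstreams) contains(ip net.IP) bool {
	for _, n := range t {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP returns the address that access logs, rate limits and IP allow
// lists should use. X-Forwarded-For is consulted only when the TCP peer is
// a trusted downstream, and the chain is walked right to left, skipping
// trusted hops, so a value the client itself injected is never the answer.
func clientIP(t trustedDownstreams, remoteAddr, xff string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !t.contains(peer) {
		return host // untrusted peer: the header is ignored outright
	}
	client := peer.String()
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		s := strings.TrimSpace(hops[i])
		if s == "" {
			continue
		}
		ip := net.ParseIP(s)
		if ip == nil {
			return peer.String() // malformed chain: do not trust any of it
		}
		if !t.contains(ip) {
			return ip.String() // first untrusted hop from the right is the client
		}
		client = ip.String() // trusted hop: keep walking left
	}
	return client // header empty or every hop trusted (internal client)
}

func main() {
	trusted, err := parseTrusted("10.0.0.0/8, 192.0.2.10")
	if err != nil {
		panic(err)
	}
	// Constructed requests: one via a trusted proxy, one spoofing the header directly.
	fmt.Println(clientIP(trusted, "10.0.0.2:4321", "203.0.113.7, 10.0.0.9")) // 203.0.113.7
	fmt.Println(clientIP(trusted, "198.51.100.4:5555", "203.0.113.7"))      // 198.51.100.4
}
```

The same rule applies to X-Forwarded-Proto and X-Forwarded-Host: a proxy that honours them from an untrusted peer can be tricked into generating redirects or cookies for a scheme or host the client picked.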

Other changes

  • Reverted changes to write and idle timeouts from 2.0.1. These were
    interfering with upstream services that expect clients to stay connected
    for a long time (e.g. long polling).

v2.1.0

03 Aug 15:51

New features

  • Added -validate flag (or VALIDATE env var) that simply validates
    the config file and then exits.

Other changes

  • Tailscale log messages intended for the user (such as authentication links)
    will now be shown as INFO level log messages, instead of DEBUG.
  • Dependency updates.

v2.0.1

30 Jun 20:08

Bug fixes

  • Fixed a rare issue when Centauri reloads its config several times in quick
    succession while also renewing certificates. In these circumstances, Centauri
    could stop answering requests until the certificate finished being renewed.

Other changes

  • Centauri now enforces read, write and idle timeouts on incoming HTTP
    connections. This reduces the potential effect of badly configured or
    deliberately malicious clients.
  • Centauri now logs when it finishes obtaining a certificate or OCSP
    staple. Previously it just logged when starting the process.
  • If Centauri is sent a SIGHUP signal while it is in the process of (re)loading
    its config, it will queue up another reload instead of executing them
    concurrently. Any further HUPs will be ignored until the queued reload
    executes. This may cause a slight delay in how quickly route changes are
    applied (if, for example, the first config reload requires new certificates
    to be obtained), but drastically increases stability.