
Releases: NeySlim/ultimate-ca-manager

v2.126

19 Apr 20:37


What's Changed

Fixed

  • Local ACME refused HTTP-01 / TLS-ALPN-01 for internal domains (CRITICAL for on-prem use) — The Phase 2 SSRF hardening unconditionally rejected RFC1918 / loopback / link-local / reserved targets in HTTP-01 and TLS-ALPN-01 validators. UCM's local ACME exists precisely to issue certificates for internal infrastructure (.lan, .local, .corp), which by definition resolves to private addresses. The check is now gated by a new acme.allow_private_ips setting (default true). Operators issuing only for public domains can flip it to false.
  • OPNsense import refused LAN hosts — import_opnsense.py rejected any RFC1918 OPNsense host. OPNsense is a LAN firewall by design. Replaced the broad SSRF check with the narrow guard (validate_url_not_cloud_metadata) that only blocks cloud metadata services and loopback.
  • Webhooks refused internal targets — Creating or testing a webhook pointing at an internal Slack-compatible / Mattermost / Teams self-hosted / Jenkins / Gitea / Home Assistant / n8n endpoint was rejected. UCM is on-prem; internal automation is the primary use case. Both api/v2/webhooks.py and the legacy api/v2/settings.py webhook routes now use the narrow guard.
  • Discovery scans could not include 127.0.0.1 — Loopback was unconditionally blocked, preventing operators from discovering certificates of services bound to localhost on the UCM host itself. Loopback is now allowed; only link-local / multicast / reserved remain blocked.

Security

  • The narrow SSRF guard (validate_url_not_cloud_metadata) still blocks the highest-impact targets in the on-prem context: cloud instance metadata services (AWS 169.254.169.254, GCP metadata.google.internal, Azure, Alibaba) and loopback. These remain rejected for webhook/OPNsense/SSO/ACME-proxy outbound traffic.

Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.126

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.126

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.126

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.126/ucm_2.126_all.deb
sudo dpkg -i ucm_2.126_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.126/ucm-2.126-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.126-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.126_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.125

17 Apr 12:17


What's Changed

Security

  • Backup format v2 (encrypted container, magic header, Argon2id KDF) — The backup system now emits a versioned binary container with UCMB magic bytes, explicit format version byte, feature flags (gzip on by default), and KDF identifier. Key derivation uses Argon2id (time_cost=3, memory_cost=64 MiB, parallelism=4, 32‑byte output) instead of PBKDF2‑HMAC‑SHA256 at 100k iterations, providing memory‑hard resistance against GPU/ASIC brute force. Ciphertext is AES‑256‑GCM with a 12‑byte random nonce, and the magic prefix is bound as additional authenticated data so a tampered header fails decryption. If Argon2id is unavailable at runtime, v2 falls back to PBKDF2‑HMAC‑SHA256 at 600 000 iterations (6× previous). v1 backups remain fully restorable for backward compatibility; restore auto‑detects the format.
  • Backup passwords must be ≥ 12 characters — Enforced server‑side via _validate_password.
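The v2 container described above, written out as an added example (not the project's backup code): the 7-byte UCMB prefix is the AEAD associated data, Argon2id is used when argon2-cffi is importable and PBKDF2-HMAC-SHA256 at 600 000 iterations otherwise, and restore auto-detects v1 input. The KDF identifier values, the salt/nonce sizes and the field order after the prefix are assumptions; AES-256-GCM comes from the cryptography package.

```python
import gzip
import hashlib
import os
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:
    from argon2.low_level import Type, hash_secret_raw   # argon2-cffi
    HAVE_ARGON2 = True
except ImportError:                                       # takes the PBKDF2 fallback path
    HAVE_ARGON2 = False

MAGIC = b"UCMB"
FORMAT_VERSION = 2
FLAG_GZIP = 0x01
KDF_ARGON2ID = 0x02          # consistent with the UCMB\x02\x01\x02 prefix in the notes
KDF_PBKDF2_SHA256 = 0x01     # assumed identifier for the fallback KDF
HEADER_LEN, SALT_LEN, NONCE_LEN, KEY_LEN = 7, 16, 12, 32   # salt/nonce layout assumed

def validate_password(password):
    """Server-side rule from v2.125: backup passwords must be >= 12 characters."""
    if len(password) < 12:
        raise ValueError("backup password must be at least 12 characters")

def derive_key(password, salt, kdf_id):
    pw = password.encode("utf-8")
    if kdf_id == KDF_ARGON2ID:
        if not HAVE_ARGON2:
            raise RuntimeError("container needs Argon2id but argon2-cffi is missing")
        # Argon2id with time_cost=3, memory_cost=64 MiB, parallelism=4, 32-byte key
        return hash_secret_raw(pw, salt, time_cost=3, memory_cost=64 * 1024,
                               parallelism=4, hash_len=KEY_LEN, type=Type.ID)
    if kdf_id == KDF_PBKDF2_SHA256:
        return hashlib.pbkdf2_hmac("sha256", pw, salt, 600_000, dklen=KEY_LEN)
    raise ValueError(f"unknown KDF id {kdf_id:#x}")

def parse_header(blob):
    """(version, flags, kdf_id) for a v2 container; None means legacy v1 input."""
    if len(blob) < HEADER_LEN or not blob.startswith(MAGIC):
        return None
    return struct.unpack("!BBB", blob[4:HEADER_LEN])

def encrypt_backup(payload, password):
    validate_password(password)
    kdf_id = KDF_ARGON2ID if HAVE_ARGON2 else KDF_PBKDF2_SHA256
    header = MAGIC + struct.pack("!BBB", FORMAT_VERSION, FLAG_GZIP, kdf_id)
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(password, salt, kdf_id)
    # The header is the AAD: flipping version, flags or KDF id fails the GCM tag.
    ciphertext = AESGCM(key).encrypt(nonce, gzip.compress(payload), header)
    return header + salt + nonce + ciphertext

def decrypt_backup(blob, password):
    hdr = parse_header(blob)
    if hdr is None:
        raise ValueError("not a v2 container; hand off to the legacy v1 restore path")
    version, flags, kdf_id = hdr
    if version != FORMAT_VERSION:
        raise ValueError(f"unsupported container version {version}")
    salt_end = HEADER_LEN + SALT_LEN
    body_start = salt_end + NONCE_LEN
    key = derive_key(password, blob[HEADER_LEN:salt_end], kdf_id)
    aead = AESGCM(key)   # InvalidTag on wrong password or any header/body tampering
    plain = aead.decrypt(blob[salt_end:body_start], blob[body_start:], blob[:HEADER_LEN])
    return gzip.decompress(plain) if flags & FLAG_GZIP else plain

def tampered_header_rejected(blob, password):
    """Flip a header flag bit and confirm the AEAD check rejects the container."""
    forged = blob[:5] + bytes([blob[5] ^ 0x80]) + blob[6:]
    try:
        decrypt_backup(forged, password)
    except InvalidTag:
        return True
    return False
```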

Fixed

  • Backup silently dropped certificate revocation state (CRITICAL) — The previous _export_certificates did not include revoked, revoked_at, revoke_reason, or archived. Restoring from a backup silently resurrected revoked certificates as valid, a significant security issue for any CA that had issued revocations. These fields are now exported and restored.
  • Backup excluded 15+ model types — Previously only 20 categories were exported; SSH CAs, SSH certificates, Microsoft ADCS connections and requests, scan profiles / runs / discovered certificates, certificate approval requests, HSM keys, ACME client orders (including proxy state), SCEP requests, and audit logs were all missing. All are now exported in v2 backups. Restore is implemented for SSH CAs (with private‑key re‑encryption), SSH certificates, Microsoft CAs, scan profiles, HSM keys, approval requests, and ACME client orders.
  • Backup .ucmbkp extension rejected by upload validator — BACKUP_EXTENSIONS only allowed .zip / .enc, breaking restore via the UI for the format the system itself produced. .ucmbkp is now accepted.

Changed

  • Every export call is now wrapped in a _safe() helper — Missing tables (e.g. optional feature models on a minimal install) or transient failures log a warning and return [] instead of aborting the entire backup.
  • SSH CA private keys are re‑encrypted with the master key on export and decrypted + re‑encrypted on restore, matching the pattern used for certificate private keys.
  • Backups are gzip‑compressed before encryption, reducing container size ~5× on typical installs.

Testing

  • Round‑trip restore verified end‑to‑end via /api/v2/system/backup/restore: 60 certs, 9 CAs, 5 policies, 3 SSO providers, 7 custom roles, 6 API keys, 52 trusted CAs restored from live v2 backup (329 KB container, magic UCMB\x02\x01\x02).
  • Backend: 1483 pass.

Fixed (ACME)

  • ACME proxy badNonce retry (#70) — The proxy did not implement RFC 8555 §6.5 nonce retry. Lenient upstream CAs (Let's Encrypt staging/production) accepted stale nonces silently, but strict implementations (Pebble, HARICA, and any CA with strict anti-replay) rejected them with urn:ietf:params:acme:error:badNonce, leaving orders stuck pending while authz fetches returned 400. The proxy now detects badNonce, extracts the fresh nonce from the error response's Replay-Nonce header, and retries the signed request once. Verified end-to-end with Pebble + EAB (custom upstream mode).
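The §6.5 retry described above, as an added example that is not the proxy's own code: the transport, the signer (a SHA-256 stand-in, not a real JWS signature) and the strict upstream are constructed so the exchange runs offline.

```python
import base64
import hashlib
import json

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AcmeProxyClient:
    """JWS poster with the RFC 8555 §6.5 retry. transport(url, jws) returns
    (status, headers, body); jws=None means a HEAD newNonce request."""
    def __init__(self, transport, signer, account_kid):
        self._send = transport
        self._sign = signer      # bytes -> bytes; a real client signs with the account key
        self._kid = account_kid
        self._nonce = None       # Replay-Nonce cached from the last upstream response

    def _build_jws(self, url, payload, nonce):
        protected = b64url(json.dumps(
            {"alg": "ES256", "kid": self._kid, "nonce": nonce, "url": url}).encode())
        body = "" if payload is None else b64url(json.dumps(payload).encode())  # POST-as-GET
        signature = b64url(self._sign(f"{protected}.{body}".encode()))
        return {"protected": protected, "payload": body, "signature": signature}

    def _take_nonce(self):
        if self._nonce is None:
            _, headers, _ = self._send("newNonce", None)
            self._nonce = headers["Replay-Nonce"]
        nonce, self._nonce = self._nonce, None
        return nonce

    def post_jws(self, url, payload=None):
        status, headers, body = self._send(url, self._build_jws(url, payload, self._take_nonce()))
        if status == 400 and body.get("type") == BAD_NONCE:
            # §6.5: the error response carries a fresh Replay-Nonce; re-sign and retry once.
            fresh = headers.get("Replay-Nonce")
            if not fresh:
                raise RuntimeError("badNonce error without a Replay-Nonce header")
            status, headers, body = self._send(url, self._build_jws(url, payload, fresh))
        self._nonce = headers.get("Replay-Nonce")
        if status >= 400:
            # Log the raw body server-side; clients only see the problem 'detail' (v2.124).
            raise RuntimeError(f"upstream ACME error: {body.get('detail', 'request failed')}")
        return body

class StrictUpstream:
    """Constructed stand-in for a strict CA such as Pebble: each nonce is valid once."""
    def __init__(self):
        self._live, self._minted = set(), 0
        self.posts = self.bad_nonce_responses = 0

    def _mint(self):
        self._minted += 1
        nonce = f"n{self._minted}"
        self._live.add(nonce)
        return nonce

    def __call__(self, url, jws):
        if jws is None:                                   # HEAD newNonce
            return 200, {"Replay-Nonce": self._mint()}, {}
        self.posts += 1
        nonce = json.loads(b64url_decode(jws["protected"]))["nonce"]
        if nonce not in self._live:
            self.bad_nonce_responses += 1
            return 400, {"Replay-Nonce": self._mint()}, {
                "type": BAD_NONCE, "detail": "JWS has an invalid anti-replay nonce"}
        self._live.discard(nonce)
        return 200, {"Replay-Nonce": self._mint()}, {"status": "pending", "url": url}

def fetch_authz(stale_cached_nonce=None):
    """One POST-as-GET for an authorization; returns (response body, upstream stub)."""
    upstream = StrictUpstream()
    client = AcmeProxyClient(upstream, lambda d: hashlib.sha256(d).digest(), "acct-1")
    client._nonce = stale_cached_nonce   # e.g. a nonce cached before a proxy restart
    return client.post_jws("https://ca.example/authz/123"), upstream
```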

Changed (ACME)

  • ACME domain auto_approve is now functional (#69) — Previously the toggle on ACME Domains and Local Domains was stored in the database and exposed in the UI but never consulted by the ACME service, so every order still required full challenge validation. Now, when auto_approve=True is set on a matching domain entry (exact match or any parent domain, wildcard prefixes stripped), UCM skips HTTP-01/DNS-01/TLS-ALPN-01 validation: authorizations are created directly in the valid state, orders move straight to ready, and an acme_auto_approve audit event is logged. This applies to both order-driven authorizations and RFC 8555 pre-authorizations (newAuthz). It only affects local UCM issuance, not the ACME proxy.

Security / Migration

  • auto_approve defaults flipped to False — Historically the column defaulted to True, which had no effect because the flag was unused. Now that the flag is honored, existing rows with auto_approve=True would silently start skipping challenge validation on upgrade. Migration 019_acme_auto_approve_safe_default resets every existing AcmeDomain and AcmeLocalDomain row to False. Model defaults and API create defaults are also False. Administrators must explicitly opt in per domain after upgrading. A UI warning banner is shown when the toggle is enabled.

Roadmap

  • PostgreSQL support — Abstract the data layer so deployments can back UCM with PostgreSQL instead of SQLite, for multi-instance HA and larger certificate inventories
  • Environment Variables — Sync Docker env vars (SMTP, HSM, etc.) to database at startup; track managed_by source; mark UI fields as read-only when sourced from environment
  • Policy Enforcement on Protocols — Apply certificate policies to ACME, SCEP, and EST protocol handlers (currently only enforced on REST API); add CA issuance restriction flags to prevent direct issuance from root/intermediate CAs


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.125

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.125

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.125

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.125/ucm_2.125_all.deb
sudo dpkg -i ucm_2.125_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.125/ucm-2.125-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.125-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.125_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.124

17 Apr 09:03


What's Changed

Fixed

  • ACME proxy — Let's Encrypt "contact email has invalid domain" (#68) — The proxy registered its upstream LE account with a synthesized admin@<FQDN> address, ignoring the email configured by the admin via POST /api/v2/acme/client/proxy/register. On typical installs the FQDN resolves to a private TLD (.lan, .local, .internal), which LE rejects against its Public Suffix List, breaking every proxied order (win-acme, certbot, etc.). The proxy now reads acme.proxy_email as the contact address and no longer synthesizes internal addresses.
  • register_proxy_account was a no-op — The endpoint only stored the email in config; actual upstream registration happened lazily on the first client order, using the wrong address. It now validates the email format, rejects non-public TLDs (.local, .lan, .home, .internal, .corp, .test, .invalid, .localhost) server-side, clears any stale acme.proxy.account_url, and triggers real registration against the upstream CA so EAB-required / unreachable-CA / forbidden-domain errors surface immediately. The response now includes the upstream account URL.
  • unregister_proxy_account left zombie credentials — Removed acme.proxy_email but not the cached acme.proxy.account_url, so the next registration attempt reused a deactivated account. Unregister now cleans all proxy account state.
  • ACME proxy nonce / JWS hangs — _get_nonce() and _post_jws() issued requests with no timeout and could hang indefinitely if the upstream was unresponsive. Explicit timeouts added (15 s / 30 s).
  • Wildcard domain lookup used lstrip('*.') — lstrip strips characters, not a prefix, so *abc.example.com would incorrectly become example.com. Replaced with a proper startswith('*.') + slice.
  • Upstream response body leaked to clients — RuntimeError(f"...: {resp.text}") in the proxy surfaced raw upstream bodies to end clients. Errors are now logged server-side with a truncated body; clients see only the upstream detail field or a generic message.

Testing

  • 5 new unit tests covering PSL validation (accept public, reject private TLDs), email format validation, and mocked upstream registration flow.
  • Backend: 1476 pass (+5). Frontend: 450 pass.
  • Functional verification on netsuit against LE staging: valid public email registers successfully, private-TLD emails rejected with HTTP 400, unregister fully cleans credentials.


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.124

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.124

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.124

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.124/ucm_2.124_all.deb
sudo dpkg -i ucm_2.124_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.124/ucm-2.124-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.124-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.124_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.123

17 Apr 07:09


What's Changed

Security (Phase 2 — unified SSRF + error hygiene)

  • ACME directory URL SSRF — PATCH /api/v2/acme/client/settings now validates directory_url and proxy_upstream_url against cloud-metadata endpoints (AWS 169.254.169.254, GCP metadata.google.internal, Alibaba 100.100.100.200) and loopback addresses. RFC1918 private ranges remain allowed so internal ACME CAs keep working.
  • OAuth2 discovery SSRF — _test_oauth2_connection() now guards the well-known endpoint URL before issuing the HEAD request, with the same narrow cloud-metadata + loopback policy.
  • SAML metadata SSRF consistency — fetch_idp_metadata() replaced the literal-IP-only filter (trivially bypassed via hostnames) with a unified resolver-aware check. Internal IdPs on private networks remain fetchable; only cloud metadata + loopback are blocked.
  • Error message hygiene — removed str(e) / stack-trace leaks in MSCA CSR submission, SSH CA KRL generation, webhook URL validation, and ACME DNS access testing. Exceptions are now logged server-side and clients receive generic messages.
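The unified resolver-aware guard described in this section, with the acme.allow_private_ips gate from v2.126 as a flag, sketched as an added example; it is not the project's validate_url_not_cloud_metadata. The resolver is injectable and the DNS table is constructed so the check runs offline; the .lan and .example hostnames are placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Cloud metadata endpoints named in the release notes.
METADATA_HOSTS = {"metadata.google.internal"}
METADATA_IPS = {
    ipaddress.ip_address("169.254.169.254"),  # AWS / Azure (GCP also serves IMDS here)
    ipaddress.ip_address("100.100.100.200"),  # Alibaba Cloud
}


class OutboundUrlError(ValueError):
    """Raised when the server must not fetch the given URL."""


def default_resolver(host):
    """Resolve a hostname to every address a request could actually reach."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}


def validate_outbound_url(url, allow_private_ips=True, block_loopback=True,
                          resolver=default_resolver):
    """Defaults mirror the narrow guard: cloud metadata and loopback are rejected,
    RFC1918 stays reachable. allow_private_ips=False is the broad policy gated by
    acme.allow_private_ips; block_loopback=False is the discovery-scan policy."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise OutboundUrlError("only http(s) URLs with a host are allowed")
    host = parts.hostname.lower().rstrip(".")
    if host in METADATA_HOSTS:
        raise OutboundUrlError(f"{host} is a cloud metadata endpoint")
    try:
        addrs = {ipaddress.ip_address(host)}       # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)                  # hostname: judge what it resolves to
        except OSError as exc:
            raise OutboundUrlError(f"cannot resolve {host}") from exc
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                      # ::ffff:a.b.c.d wraps an IPv4 target
        if ip in METADATA_IPS:
            raise OutboundUrlError(f"{host} resolves to cloud metadata address {ip}")
        if block_loopback and ip.is_loopback:
            raise OutboundUrlError(f"{host} resolves to loopback {ip}")
        if ip.is_link_local or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
            raise OutboundUrlError(f"{host} resolves to non-routable {ip}")
        if not allow_private_ips and ip.is_private:
            raise OutboundUrlError(f"{host} resolves to private address {ip}")
    return addrs


def is_allowed(url, **policy):
    """Policy outcome as a boolean, for callers that only need accept/reject."""
    try:
        validate_outbound_url(url, **policy)
        return True
    except OutboundUrlError:
        return False


# Constructed DNS table standing in for real lookups so the example runs offline.
_SAMPLE_DNS = {
    "idp.corp.lan": {"10.20.0.5"},                 # internal IdP, OPNsense, webhook target
    "imds.attacker.example": {"169.254.169.254"},  # hostname fronting the metadata IP
    "lo.attacker.example": {"127.0.0.1"},          # hostname fronting loopback
    "hooks.example.com": {"8.8.8.8"},              # public endpoint
}


def sample_resolver(host):
    if host not in _SAMPLE_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return {ipaddress.ip_address(a) for a in _SAMPLE_DNS[host]}
```

Resolving here and then letting the HTTP client resolve again leaves a DNS-rebinding window; pinning the connection to the checked address closes it.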

Fixed

  • Policy approval self-check bypassed (HIGH) — approve_request() read request.current_user (which is always None; Flask's request has no such attribute), so the "creator cannot approve own request" guard never triggered. Now uses g.current_user.
  • Policy audit trail wrong actor — reject_request() always logged 'system' as the rejector for the same reason; now logs the real username.
  • Policy created_by always null — create_policy() set created_by = request.current_user (always None). Now reads from g.current_user.


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.123

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.123

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.123

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.123/ucm_2.123_all.deb
sudo dpkg -i ucm_2.123_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.123/ucm-2.123-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.123-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.123_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.122

17 Apr 06:24


What's Changed

Security (Phase 1 — critical hotfixes)

  • SAML authentication bypass (CRITICAL) — removed unsigned-XML fallback parser in /api/v2/sso/saml/callback. Any process_response() exception or validation error now hard-rejects with saml_validation_failed instead of trusting attributes from un-verified XML.
  • Webhook SSRF (CRITICAL) — POST /api/v2/settings/webhooks and POST /api/v2/settings/webhooks/:id/test now validate destination URL via validate_url_not_private(), rejecting private/loopback/link-local/metadata IPs (the parallel /api/v2/webhooks endpoints were already protected; the legacy duplicate is now on par).
  • P12 password leak via URL (HIGH) — GET /api/v2/certificates/:id/export and GET /api/v2/user_certificates/:id/export refuse password= query params and PKCS12/PFX/JKS formats. Password-bearing exports must use POST with a JSON body (matches what the UI already does) to keep secrets out of reverse-proxy / web-server access logs.
  • Brute-force protection activated (HIGH) — init_rate_limiter(app) is now wired up in create_app(). Auth/login endpoints are rate-limited (default 30 rpm, configurable via RATE_LIMIT_AUTH_RPM). Previously the rate-limit module was fully implemented but never registered as middleware.
  • Rate limiter — added /.well-known/est/ to the protocol whitelist bucket (EST endpoints get the same permissive limits as ACME/SCEP instead of falling through to the default).

Fixed

  • Auto-renewal crash (CRITICAL) — services/auto_renewal_service.py referenced columns that do not exist on the Certificate model (not_before, not_after, ca_id, status, superseded_by). The 12-hour scheduler pass silently crashed on every run, so nothing was ever auto-renewed. Rewrote the query + renewal logic against the real schema (caref, valid_from, valid_to, revoked, archived, source), and old certificates are now marked archived = true when a successful renewal is issued.


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.122

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.122

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.122

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.122/ucm_2.122_all.deb
sudo dpkg -i ucm_2.122_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.122/ucm-2.122-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.122-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.122_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.121

16 Apr 22:18


What's Changed

Fixed (ACME code review — 7 bugs)

  • EAB validation — fixed SystemConfig.set() call on non-existent method (EAB validation was always failing, blocking external account bindings)
  • Manual renewal endpoint — renew_certificate() now returns (bool, str) tuple as caller expects (manual renewal via API no longer crashes)
  • ACME server base URL — service instantiated per-request instead of cached globally, fixing stale base URLs behind reverse proxies or multi-hostname setups
  • key-change endpoint (RFC 8555 §7.3.5) — properly decode and verify inner JWS signed with the new key (was unconditionally failing)
  • HTTP-01 / TLS-ALPN-01 SSRF protection — reject challenge validations against domains resolving to private/loopback/link-local IPs
  • DNS-01 exact match — TXT record validation uses exact equality over rdata.strings instead of substring match (prevents false positives)
  • Order/Authorization POST-as-GET — enforce account ownership per RFC 8555 §7.4/§7.5 (reject cross-account reads with 403)


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.121

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.121

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.121

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.121/ucm_2.121_all.deb
sudo dpkg -i ucm_2.121_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.121/ucm-2.121-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.121-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.121_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.120

16 Apr 16:22


What's Changed

Fixed

  • ACME proxy directory resilience — Proxy /directory endpoint no longer fails with 500 when the upstream ACME server is unreachable; account registration is now lazy (only when placing orders), with proper timeouts and detailed error messages (#66)
  • ACME auto-renewal crash — Fixed create_order() missing 1 required positional argument: 'email' error in the renewal service; rewrote renewal to use current AcmeClientService API with proper email sourcing, challenge verification, and order finalization (#66)


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.120

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.120

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.120

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.120/ucm_2.120_all.deb
sudo dpkg -i ucm_2.120_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.120/ucm-2.120-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.120-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.120_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.119

16 Apr 12:14


What's Changed

Fixed

  • CSR excluded from certificates list — Signed CSRs no longer appear in the certificates list, stats, or compliance endpoints; only records with an issued certificate are shown
  • SAN auto-generation from CN — When signing a CSR that has no SAN extension, UCM now auto-adds the CN as a DNS SAN (and subject emailAddress as RFC822Name SAN), ensuring modern browser/TLS compatibility
  • MSCA UPN auto-fill improvement — EOBO enrollee UPN now also tries the CSR subject emailAddress when SAN email is empty; UPN field is required when EOBO is enabled


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.119

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.119

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.119

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.119/ucm_2.119_all.deb
sudo dpkg -i ucm_2.119_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.119/ucm-2.119-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.119-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.119_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.118

16 Apr 08:16


What's Changed

Added

  • ACME proxy settings UX overhaul — Unified mode selector (Let's Encrypt Staging / Production / Custom), inline account status indicator, connection test, and CA/account mismatch detection (#64)
  • Collapsible ACME sections — Custom ACME Directory and Proxy EAB Credentials sections with chevron indicators and bordered containers for better discoverability (#64)

Fixed

  • ACME proxy stale account recovery — Auto-re-registers upstream account when CA returns "Account is not valid" (e.g., LE staging cleanup); applied to all 8 proxy operations (#65)
  • ACME proxy empty URL fallback — Proxy now falls back to default upstream URL when stored URL is empty, preventing crashes after custom mode reset (#65)
  • ACME proxy custom mode credential clearing — Switching to custom mode now properly clears stale upstream URL and credentials (#64)
  • ACME challenge initiation — Moved challenge initiation to authorization phase for correct RFC 8555 flow (#63)

Documentation

  • Added OpenBao HSM and ACME proxy documentation


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.118

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.118

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.118

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.118/ucm_2.118_all.deb
sudo dpkg -i ucm_2.118_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.118/ucm-2.118-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.118-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.118_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation

v2.117

15 Apr 14:49


What's Changed

Added

  • OpenBao HSM provider — Native Transit Secrets Engine integration for OpenBao/HashiCorp Vault; supports RSA, ECDSA, AES key types with full key lifecycle management (#60)
  • ACME proxy EAB support — External Account Binding fields for upstream ACME proxy connections (#61)

Fixed

  • ACME proxy authorization URL rewriting — get_order and finalize_order now correctly proxy authorization URLs, preventing stateless clients from bypassing the proxy (#62)


Installation

Docker (Recommended)

# From Docker Hub
docker pull neyslim/ultimate-ca-manager:2.117

# Or from GitHub Container Registry
docker pull ghcr.io/neyslim/ultimate-ca-manager:2.117

# Run
docker run -d -p 8443:8443 \
  -e SECRET_KEY=$(openssl rand -hex 32) \
  --name ucm neyslim/ultimate-ca-manager:2.117

Debian/Ubuntu

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.117/ucm_2.117_all.deb
sudo dpkg -i ucm_2.117_all.deb
sudo apt-get install -f

Fedora/RHEL

wget https://github.com/NeySlim/ultimate-ca-manager/releases/download/v2.117/ucm-2.117-1.fc43.noarch.rpm
sudo dnf install ./ucm-2.117-1.fc43.noarch.rpm

Silent/Automated Install

# Skip firewall prompts for CI/automation
sudo UCM_PORT=8443 UCM_FIREWALL=no dpkg -i ucm_2.117_all.deb

Default Credentials

  • Username: admin
  • Password: Check /etc/ucm/ucm.env after install, or shown during install

Change the password immediately after first login!

Documentation