- Clarified new default settings. KEY_ALGO=secp384r1. Please consult

README.maintainer for details and how to return to RSA-based certificate
  issuance. (jsc#ECO-3435, jsc#SLE-15909)
- Added a note about ACMEv1 deprecation
- Added a note on new ACME providers and the new non-URL provider syntax
  See README.maintainer for details.

OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=69

README.maintainer

@@ -162,6 +162,64 @@ Limitations & Ceveats
 Upgrade Notes
 =============
 
+v0.7.0
+------
+
+Key Algorithm
+~~~~~~~~~~~~~
+
+If you are upgrading from dehydrated <= 0.6.5, the new default for
+new installations changes from
+
+    KEY_ALGO=rsa
+
+to
+
+    KEY_ALGO=secp384r1
+
+This switches the algorithm for newly issued certificates from RSA
+to the elliptic curve (EC) based secp384r1 algorithm. While both are
+considered sufficiently compatible to current software in public
+environments, some software may not yet be compatible with EC algorithms.
+In these environments, the KEY_ALGO setting needs to be set to "rsa"
+manually. If you are receiving errors about an invalid key length,
+comment out the KEYSIZE option.
+
+Extended use of the CA variable / New ACME providers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Starting with 0.7.0, dehydrated supports additional, commercial certificate
+providers that use the ACME protocol to automatically issue certificates.
+
+The CA config variable, which so far expected a URL to a ACME API endpoint can
+now contain the following shorthand service strings instead, which are
+internally converted to the API URLs and hence are equivalent:
+
+* LetsEncrypt: "letsencrypt" (staging environment: "letsencrypt-test")
+* BuyPass: "buypass" (test environment: "buypass-test")
+* ZeroSSL: "zerossl"
+
+LetsEncrypt remains the default provider. If you prefer to use the URL instead,
+you can continue to do so.
+
+Note: ZeroSSL requires additional the options EAB_KID and EAB_HMAC_KEY to be
+set. Please consult the ZeroSSL documentation fore more information.
+
+ACME v1 deprecation
+~~~~~~~~~~~~~~~~~~~
+
+The upstream project has deprecated ACME v1 in favor of the IETF-
+blessed [1] ACME v2 protocol. While dehydrated still supports v1-based
+verification flows, future versions might no longer do. If you are using a
+custom ACME endpoint URL, you can check compliance with the ACME v2 protocol by
+consulting your ACME service provider's documentation. Verify by setting API=2
+in the config file and then running "dehydrated --cron".
+
+[1] https://tools.ietf.org/html/rfc8555
+
+v0.3.1
+------
+
 If you are upgrading from letsencrypt.sh, note that you need to move
 /etc/letsencrypt.sh to /etc/dehydrated and chown it to the "dehydrated"
 user.

dehydrated.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Mar  3 15:42:18 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com>
+
+- Clarified new default settings. KEY_ALGO=secp384r1. Please consult
+  README.maintainer for details and how to return to RSA-based certificate
+  issuance. (jsc#ECO-3435, jsc#SLE-15909)
+- Added a note about ACMEv1 deprecation
+- Added a note on new ACME providers and the new non-URL provider syntax
+
+  See README.maintainer for details.
+
 -------------------------------------------------------------------
 Thu Dec 10 16:01:01 UTC 2020 - Daniel Molkentin <daniel.molkentin@suse.com>
 

dehydrated.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package dehydrated
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed