
Releases: ZoeyVid/NPMplus

2024-12-14-r1

14 Dec 18:27
b091ad0

What's Changed

  • ACME_SERVER and ACME_MUST_STAPLE values will now also apply when renewing existing certs
  • update alpine to 3.21
  • update crs to 4.9.0
  • use alpine curl instead of my own curl-quic build
  • other small dep updates
  • upstream merges (fix NginxProxyManager#4168, implement NginxProxyManager#4163)
  • 404 page is now called dead page and should return 404
  • readd DNS propagation delay
  • default mime type is now application/octet-stream (means download)

How to update

  • NOTE: watchtower does NOT update NPMplus
  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-11-25-r1...2024-12-14-r1

Important information about Certificates/CAs/OCSP Must-Staple

05 Dec 22:01
90c4cd2

Note: This is not a new release but important information

Let's Encrypt has made an announcement today which has a huge impact on NPMplus; you can read it here: https://letsencrypt.org/2024/12/05/ending-ocsp

If you have any questions/ideas etc. on this topic, please write a comment

What is OCSP/CRLs?

  • first: OCSP, OCSP Stapling and OCSP Must-Staple are different things.

OCSP:

  • With OCSP the client (browser) asks the CA (Let's Encrypt) if the certificate used by the web server was revoked
  • This is a check done between CA and client; NPMplus has no influence on this
  • Revocation will be detected by the client if the client (re)checks for it (recheck because of a cache which could exist)
  • privacy problems since the CA knows things which it should not (can be disabled in Firefox/Thunderbird settings, not sure about other clients, Chrome doesn't even support this)
    => useful, but with a privacy problem, may take some time to be detected because of the cache
  • https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

OCSP Stapling without Must-Staple:

  • your 30-day cert is valid on its own, but it is additionally verified by a “second certificate”
  • always enabled for all certbot certs of NPMplus (also for migrated instances and also if you disable must-staple)
  • the “second certificate” is valid only for 7 days
  • the “second certificate” is requested by the web server from the CA (since the nginx implementation is not the best, NPMplus uses certbot-ocsp-fetcher for this)
  • no privacy problem since the browser only talks to the web server and not to the CA
  • BUT: if the cert is compromised, the cert can still be used WITHOUT OCSP Stapling, and through that the revocation is not detected by the client (unless the client detects it through other ways: client-CA OCSP/CRLs)
    => useless without must-staple, see below
  • https://en.wikipedia.org/wiki/OCSP_stapling

OCSP Stapling with Must-Staple:

  • same as above, but your 30-day cert is NOT valid on its own, it needs a “second certificate” to be valid
  • this requirement is part of the cert itself (so not removable) and is added while creating the cert (the must-staple requirement is enabled by default with NPMplus for all certbot certs, but can be disabled via ENV)
  • Revocation will be detected as soon as the “second certificate” expires, if the client supports must-staple
    => useful, if supported by the client, may take some time to be detected because of the validity of the “second certificate”
  • https://en.wikipedia.org/wiki/OCSP_stapling
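Because the Must-Staple requirement described above is baked into the certificate as the X.509 TLS Feature extension (value status_request), you can tell from a cert file alone whether it demands a stapled response, which helps when auditing which certs are affected by the change. The script below is an added example, not part of NPMplus or this announcement: it builds two throwaway self-signed certificates (constructed, one with and one without the extension) and classifies them; it assumes the openssl CLI, version 1.1.1 or newer, is in PATH.

```shell
#!/bin/sh
# Added example (not NPMplus code): detect the OCSP Must-Staple requirement
# (X.509 "TLS Feature" extension carrying status_request) in PEM certificates.
# Assumes the openssl CLI, 1.1.1 or newer.
set -eu

# must_staple_status <cert.pem> -> prints "must-staple" or "no-must-staple"
must_staple_status() {
    # The textual dump prints "TLS Feature:" followed by "status_request" only
    # when the extension is present, so grep decides; a missing or unreadable
    # file makes openssl fail and is reported as "no-must-staple".
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'status_request'; then
        echo "must-staple"
    else
        echo "no-must-staple"
    fi
}

# Constructed sample input: two throwaway self-signed certs in a temp dir.
# staple.pem requests Must-Staple the way "certbot --must-staple" does,
# plain.pem does not. Prints the directory path.
make_sample_certs() {
    workdir="$(mktemp -d)"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$workdir/staple.key" -out "$workdir/staple.pem" -days 30 \
        -subj "/CN=staple.example.org" \
        -addext "tlsfeature = status_request" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$workdir/plain.key" -out "$workdir/plain.pem" -days 30 \
        -subj "/CN=plain.example.org" 2>/dev/null
    echo "$workdir"
}

# count_must_staple_certs <dir> -> prints how many *.pem files in the
# directory still demand stapling (useful against a folder of live certs).
count_must_staple_certs() {
    count=0
    for cert in "$1"/*.pem; do
        if [ "$(must_staple_status "$cert")" = "must-staple" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Demo run: build the samples and print one line per cert.
demo_dir="$(make_sample_certs)"
for c in "$demo_dir"/*.pem; do echo "$(must_staple_status "$c")  $c"; done
```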

CRLs

  • the older technology to detect revocation
  • CAs publish huge lists containing information about all revoked (and by date still valid) certificates, and Chrome/Firefox/Thunderbird download collections of these lists
  • Problem: because of size, lists may not contain all revoked certs
    => depends: if the revocation information of your cert is not included, then it is useless, otherwise it is ok
  • https://en.wikipedia.org/wiki/Certificate_revocation_list

My opinion on this (I mostly talk about Must-Staple)

  • first, I understand that they remove OCSP because of the costs they have through it and because of the privacy concern
  • BUT I don't understand that they remove Must-Staple support, it is better than CRLs
  • They argue that most web servers have no good implementation for this, which is not fully true, like Caddy which has good support for this or NPMplus itself through the certbot-ocsp-fetcher script ((free)nginx's own implementation is not the best) ⇒ I don't think that this argument is big enough to revert to CRLs
  • The argument with the client is sadly true, since Chrome (and its forks) doesn't support must-staple, so the only big clients remaining are Firefox/Thunderbird (not sure about WebKit/Safari and other big mail clients like Outlook)

What now?

  • I must say, there is no good solution:
    • Moving to ZeroSSL would be an option, but they have no CRL support, which is important for Chromium (and forks)
    • Staying with Let's Encrypt would mean losing Must-Staple functionality
  • But since a decision needs to be made and Chrome is very important, I will stay with Let's Encrypt by default and instead change the default value of ACME_MUST_STAPLE; maybe stapling needs to be fully removed even if your custom CA supports it, but I will try to find a way to prevent this
  • If ZeroSSL or any other public ACME-supporting CA will have support for OCSP Stapling/Must-Staple and CRLs, then this will become the new default CA

When will the change happen?

  • Before January 30, 2025 (the day Must-Staple will stop working for new instances)
  • I have no exact date, but I will try to have some releases until this change:
    • at least one release mentioning this change in its changelog, in a few days
    • in between (or maybe with the next release), I will sync the value of ACME_MUST_STAPLE with all renewal configs of certbot certs to make sure that certs which get renewed will have the same setting as the env (maybe I will also sync the ACME_SERVER env)
    • and at some point ACME_MUST_STAPLE will be changed to false by default (and stapling may be removed) - maybe still in December
  • ENVs set by you will not be overridden

2024-11-25-r1

25 Nov 20:11

Note: NPMplus has had its own place at Reddit for a few months: https://www.reddit.com/r/NPMplus (very empty there), but I still prefer reporting anything over GitHub to have everything in one place

What's Changed

  • NOTE: Breaking changes in release 2024-10-21-r1, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1
  • dep updates
  • readme changes
  • ACME_MUST_STAPLE and ACME_SERVER_TLS_VERIFY options (see compose.yaml)
  • Stop GoAccess errors by @Sproglet in #1245
  • close #965 by merging NginxProxyManager#4187
  • merge upstream (only this PR was merged: NginxProxyManager#4179)
  • fix updating streams (untested, but should work, if not please open an issue)
  • Note: if you want NPMplus in your language, please see the readme on how to contribute a translation

  • Note: 2 hours after this release I made a hotfix for the certbot command and merged upstream changes (forbid port 80, 81 and 443 as stream output ports)

How to update

  • NOTE: watchtower does NOT update NPMplus
  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-11-02-r1...2024-11-25-r1

2024-11-02-r1

02 Nov 18:00
8846543

What's Changed

  • NOTE: Breaking changes in release 2024-10-21-r1, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1
  • fix #1185 (comment) (workaround mentioned in thread not needed anymore)
  • dep updates
  • add multi language support through @lateautumn233, if you want to add a language, see this commit as an example: a026b42
  • add lang de
  • upstream merges (leaseweb dns support and revert proxy_pass in a location block to use static values instead of static vars)
  • improve goaccess start and behaviour while rotating logs
  • include goaccess and fcgi package in the image (like logrotate), so they don't need to be downloaded each container recreation (so only php-fpm/php packages need to be downloaded if needed)
  • fix GeoLite2-City being ignored by goaccess
  • fix goaccess ip binding after container restart
  • remove unused acme.sh script (will be added back if NPMplus maybe switches to it)

How to update

  • NOTE: watchtower does NOT update NPMplus
  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-24-r1...2024-11-02-r1

2024-10-24-r1

24 Oct 21:34
5c1b2f8

Breaking changes in last release, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1

What's Changed

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-23-r1...2024-10-24-r1

2024-10-23-r1

23 Oct 21:43
5b65de0

Breaking changes in last release, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1

What's Changed

  • doc updates
  • dep updates
  • merge #1182 by @Sproglet (keep goaccess data after rotating logs)
  • run ocsp script before testing nginx config
  • fix updates from older versions
  • remove useless headers
  • move some files
  • change cipher order

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-22-r1...2024-10-23-r1

2024-10-22-r1

22 Oct 09:19

Breaking changes in last release, please read the last changelog here: https://github.com/ZoeyVid/NPMplus/releases/tag/2024-10-21-r1

What's Changed

  • fix launch of nginx if certbot-ocsp-fetcher.sh fails
  • merge upstream (no real changes, formatting of certbot-dns-plugins.json and add some upstreams envs to compose.yaml)
  • dep updates

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-21-r1...2024-10-22-r1

2024-10-21-r1

21 Oct 20:07
927d5ca

Breaking changes in host names and custom acme servers, fixed upstream CVEs, please report any issues you find

What's Changed

  • merge upstream (including CVE fixes - shell/command injection while creating certificates - permission to create certs was required to exploit)
    • Note: upstream fixed this by adding regex checks in API endpoint (is included), this may break new hosts/your hosts if you update them, and you are using regex inside your host names
    • Note: I added a second fix by switching from ('child_process').exec to require('child_process').execFile, this should prevent this kind of injection completely, so the regex change from upstream should be safe to revert if needed
    • I also fixed some small upstream bugs which I already noticed while testing, so there are probably more through new regex checks
  • dep updates
  • generate nginx access lists using node module instead of apache2-utils
  • for new instances, fix appsec file upload: increase appsec timeouts. I recommend that you create a backup of your /opt/npm/etc/crowdsec/crowdsec.conf config file, delete it, then restart NPMplus (so the file gets recreated) and then configure it again, so you have the new timeouts
  • reload nginx after certbot-ocsp-fetcher.sh finished
  • custom certbot.ini support REMOVED, if you want to use a custom acme server please do this using the new envs you can find in the compose.yaml
  • fix disabling ipv6
  • nginx/custom is now nginx_custom (from sub folder to new folder)
  • you no longer need to enter your email while creating certs (please do this in compose.yaml)
  • DNS propagation delay support removed
  • fixed duplicating '#' in nginx.conf in rootless mode
  • allow backend to compress
  • improve default ssl_ecdh_curve (enable X25519MLKEM768)
  • also disable proxy_request_buffering if you disable proxy buffering using env
  • limit mime types to compress (text/images/audio) - if you have ideas if something is missing or should not be compressed please open a discussion (currently: text/html text/css text/javascript text/xml application/atom+xml application/rss+xml text/markdown text/mathml text/plain text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component application/json application/xhtml+xml application/xspf+xml font/woff font/woff2 image/avif image/bmp image/png image/svg+xml image/tiff image/vnd.wap.wbmp image/webp image/x-icon image/x-jng audio/midi audio/mpeg audio/ogg audio/x-m4a audio/x-realaudio)

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • report any issues you find

Full Changelog: 2024-10-05-r1...2024-10-21-r1

2024-10-05-r1

05 Oct 06:29
86bab6a

What's Changed

  • if you didn't upgrade yet to the last release 2024-10-02-r1 (2.11.3+bb09562), please first read the changelog of that release
  • hide a warning until certbot/certbot#9967 is closed
  • I forgot to mention the following in the last release: migration of TLS certificates from NPM to NPMplus is finally fixed

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack

Full Changelog: 2024-10-02-r1...2024-10-05-r1

2024-10-02-r1

02 Oct 21:28
bb09562

See How to update below; there is an additional recommended step for this release. If you don't do it, it should be no problem, but I recommend it to use OCSP in the most secure way

Changes

  • dep updates
  • remove useless built-in exploit protection
  • Re-enable must-staple and implement certbot-ocsp-fetcher, OCSP should now work much better (NOTE: Let's Encrypt wants to remove OCSP support, because of this NPMplus may change its default CA to ZeroSSL in the future)
  • default username now uses "example.org" instead of "example.com"
  • remove requirement of chain.pem
  • revoke certs before force renewing them
  • move ip ranges file to /tmp (inside the container), instead of /data/nginx
  • improve file deletion
  • improve error debugging (show nginx -t error in docker logs and keep conf.err file to see not working config file)
  • switch from mysql to mysql2 (still no support from me)
  • remove warnings shown in log when using dummycerts
  • add liboqs/oqs-provider
  • increase server_names_hash_bucket_size
  • more fixes and improvements

How to update

  • Read the changes above
  • Pull the zoeyvid/npmplus:latest image
  • apply possible changes from above that may affect you to your compose.yaml/NPMplus
  • redeploy the compose stack
  • RECOMMENDED: manually (sorry) regenerate all your hosts (edit (change nothing) ⇾ save). Why? To configure OCSP in the most secure way.

Full Changelog: 2024-08-15-r1...2024-10-02-r1