Release 5.1.0 (#10473)

acme/setup.py

@@ -1,6 +1,6 @@
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 setup(
     version=version,

certbot-apache/setup.py

@@ -1,6 +1,6 @@
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     # We specify the minimum acme and certbot version as the current plugin

certbot-ci/setup.py

@@ -1,6 +1,6 @@
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 setup(
     version=version,

certbot-compatibility-test/setup.py

@@ -1,6 +1,6 @@
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 setup(
     version=version,

certbot-dns-cloudflare/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     # for now, do not upgrade to cloudflare>=2.20 to avoid deprecation warnings and the breaking

certbot-dns-digitalocean/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'python-digitalocean>=1.15.0', # 1.15.0 or newer is recommended for TTL support

certbot-dns-dnsimple/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     # This version of lexicon is required to address the problem described in

certbot-dns-dnsmadeeasy/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'dns-lexicon>=3.14.1',

certbot-dns-gehirn/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'dns-lexicon>=3.14.1',

certbot-dns-google/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'google-api-python-client>=1.6.5',

certbot-dns-linode/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'dns-lexicon>=3.14.1',

certbot-dns-luadns/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'dns-lexicon>=3.14.1',

certbot-dns-nsone/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'dns-lexicon>=3.14.1',

certbot-dns-ovh/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'dns-lexicon>=3.15.1',

certbot-dns-rfc2136/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     # This version was chosen because it is the version packaged in RHEL 9 and Debian unstable. It

certbot-dns-route53/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'boto3>=1.20.34',

certbot-dns-sakuracloud/setup.py

@@ -2,7 +2,7 @@ import os
 
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     'dns-lexicon>=3.14.1',

certbot-nginx/setup.py

@@ -1,6 +1,6 @@
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 install_requires = [
     # We specify the minimum acme and certbot version as the current plugin

certbot/CHANGELOG.md

@@ -4,6 +4,27 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 
 <!-- towncrier release notes start -->
 
+## 5.1.0 - 2025-10-07
+
+### Changed
+
+- certbot-nginx no longer creates and uses self-signed certificates as an
+  intermediate step when installing certificates. The certificates the user
+  requested Certbot install are now always used instead.
+  ([#10465](https://github.com/certbot/certbot/issues/10465))
+- The function `acme.crypto_util.make_self_signed_cert` was deprecated and will
+  be removed in a future release.
+  ([#10466](https://github.com/certbot/certbot/issues/10466))
+
+### Fixed
+
+- Fixed a bug in certbot-nginx that'd leave nginx configured with self-signed
+  certificates if a user ran `certbot enhance` and they didn't have matching
+  SSL server blocks. `certbot enhance` now requires the user to have a matching
+  SSL server block to enable HSTS or OCSP stapling enhancements.
+  ([#10455](https://github.com/certbot/certbot/issues/10455))
+
+
 ## 5.0.0 - 2025-09-02
 
 ### Added

certbot/docs/cli-help.txt

@@ -142,7 +142,7 @@ options:
                         case, and to know when to deprecate support for past
                         Python versions and flags. If you wish to hide this
                         information from the Let's Encrypt server, set this to
-                        "". (default: CertbotACMEClient/5.0.0 (certbot;
+                        "". (default: CertbotACMEClient/5.1.0 (certbot;
                         OS_NAME OS_VERSION) Authenticator/XXX Installer/YYY
                         (SUBCOMMAND; flags: FLAGS) Py/major.minor.patchlevel).
                         The flags encoded in the user agent are: --duplicate,
@@ -324,6 +324,20 @@ run:
 certonly:
   Options for modifying how a certificate is obtained
 
+  --deploy-hook DEPLOY_HOOK
+                        Command to be run in a shell once for each
+                        successfully issued certificate, including on
+                        subsequent renewals. Unless --disable-hook-validation
+                        is used, the command’s first word must be the absolute
+                        pathname of an executable or one found via the PATH
+                        environment variable. For this command, the shell
+                        variable $RENEWED_LINEAGE will point to the config
+                        live subdirectory (for example,
+                        "/etc/letsencrypt/live/example.com") containing the
+                        new certificates and keys; the shell variable
+                        $RENEWED_DOMAINS will contain a space-delimited list
+                        of renewed certificate domains (for example,
+                        "example.com www.example.com") (default: None)
   --csr CSR             Path to a Certificate Signing Request (CSR) in DER or
                         PEM format. Currently --csr only works with the
                         'certonly' subcommand. (default: None)
@@ -360,19 +374,6 @@ renew:
                         an attempt was made to obtain/renew a certificate. If
                         multiple renewed certificates have identical post-
                         hooks, only one will be run. (default: None)
-  --deploy-hook DEPLOY_HOOK
-                        Command to be run in a shell once for each
-                        successfully issued certificate. Unless --disable-
-                        hook-validation is used, the command’s first word must
-                        be the absolute pathname of an executable or one found
-                        via the PATH environment variable. For this command,
-                        the shell variable $RENEWED_LINEAGE will point to the
-                        config live subdirectory (for example,
-                        "/etc/letsencrypt/live/example.com") containing the
-                        new certificates and keys; the shell variable
-                        $RENEWED_DOMAINS will contain a space-delimited list
-                        of renewed certificate domains (for example,
-                        "example.com www.example.com") (default: None)
   --disable-hook-validation
                         Ordinarily the commands specified for --pre-
                         hook/--post-hook/--deploy-hook will be checked for

certbot/src/certbot/__init__.py

@@ -1,4 +1,4 @@
 """Certbot client."""
 
 # version number like 1.2.3a0, must have at least 2 parts, like 1.2
-__version__ = '5.1.0.dev0'
+__version__ = '5.2.0.dev0'

letstest/setup.py

@@ -1,6 +1,6 @@
 from setuptools import setup
 
-version = '5.1.0.dev0'
+version = '5.2.0.dev0'
 
 setup(
     version=version,

newsfragments/10455.fixed

@@ -1 +0,0 @@
-Fixed a bug in certbot-nginx that'd leave nginx configured with self-signed certificates if a user ran `certbot enhance` and they didn't have matching SSL server blocks. `certbot enhance` now requires the user to have a matching SSL server block to enable HSTS or OCSP stapling enhancements.

newsfragments/10465.changed

@@ -1 +0,0 @@
-certbot-nginx no longer creates and uses self-signed certificates as an intermediate step when installing certificates. The certificates the user requested Certbot install are now always used instead.

newsfragments/10466.changed

@@ -1 +0,0 @@
-The function `acme.crypto_util.make_self_signed_cert` was deprecated and will be removed in a future release.