Releases: certbot/certbot

Certbot 5.6.0

11 May 16:44

Changed

  • certbot now requires version 1.7+ of the distro library, and certbot-dns-cloudflare requires version 4.0+ of the Cloudflare Python library. (#10587)

Fixed

  • The certbot-dns-ovh snap and docker image now properly delete any created TXT records after the challenge is completed by requiring dns-lexicon 3.25.1 which contains the fix. (#10492)
  • Our Docker images have been updated to use Python 3.14 and Alpine Linux 3.23. (#10619)

Certbot 5.5.0

07 Apr 18:40

Changed

  • Moved nearly all code for the certbot-nginx and certbot-apache plugins into private modules in the certbot package which now offers "apache" and "nginx" extras. Users should notice no major changes. certbot-apache and certbot-nginx will continue to exist as simple packages that depend on certbot and also help register the plugin with certbot so it knows the functionality is available. Unit tests for these plugins are now also part of the certbot package. (#10484)
  • The certbot.ocsp module has been deprecated and will be removed in the next major release. This is not a change to Certbot's OCSP functionality. The code is just being removed from Certbot's public API. (#10584)

Certbot 5.4.0

10 Mar 18:43

Added

  • The webroot plugin now supports IP address issuance. (#10543)

Changed

  • certbot-nginx now requires pyparsing>=3.0.0. (#10560)

Certbot 5.3.1

10 Feb 03:32

Fixed

  • We rebuilt our snaps to include updated versions of our dependencies. (#10569)

Certbot 5.3.0

03 Feb 19:40

Added

  • A new command line flag, --ip-address, has been added. This requests certificates with IP address SANs when using the standalone or manual plugin. Note that for Let's Encrypt's implementation of IP address certificates, you'll also need to pass --preferred-profile shortlived. (#10465)

Changed

  • Deploy directory hooks are now also run when using certbot certonly or certbot run to get a new cert. This change was made for pre and post directory hooks in our 3.2.0 release so this change unifies Certbot's behavior here. (#9978)
  • A few largely unused functions/types have been deprecated in our effort to remove our pyOpenSSL dependency:
    * Deprecated: certbot.crypto_util.get_sans_from_cert
    * Deprecated: certbot.crypto_util.get_names_from_cert
    * Deprecated: certbot.crypto_util.get_names_from_req
    * Deprecated: certbot.crypto_util.import_csr_file (and replaced by certbot.crypto_util.read_csr_file)
    * Deprecated: acme.crypto_util.Format (#10433)
  • achallenges.KeyAuthorizationAnnotatedChallenge, achallenges.DNS, and achallenges.Other have a new field identifier, of type acme.messages.Identifier. This should be used in place of the domain field, which is now deprecated both as an attribute and during object creation. (#10491)
  • Authenticator.get_chall_pref's argument has been renamed from domain to identifier, and can now receive string-formatted IP addresses in addition to domain names. (#10495)
  • san.DNSName now calls util.enforce_domain_sanity to reduce code duplication (#10519)

Fixed

  • Removed the outdated email address from our Python packages' metadata. (#10533)
  • The HTTP01.uri method will now properly enclose IPv6 addresses in square brackets. (#10548)
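The bracket rule behind the HTTP01.uri fix, together with the string identifiers (domain names or IP addresses) that get_chall_pref can now receive, shown as an added example that is not Certbot's or the acme library's own code. The names classify_identifier and http01_url and the two validation patterns are hypothetical, and the sample identifiers and token are constructed.

```python
import ipaddress
import re

WELL_KNOWN = "/.well-known/acme-challenge/"
# RFC 8555 tokens use only the base64url alphabet; anything else could
# alter the request path.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
# LDH hostname labels; wildcards are rejected (HTTP-01 cannot validate them).
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DNS_RE = re.compile(rf"(?=.{{1,253}}\Z)(?:{LABEL}\.)*{LABEL}")


def classify_identifier(value):
    """Return ("ip" | "dns", normalized value) for a string identifier."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        name = value.lower().rstrip(".")
        if not DNS_RE.fullmatch(name):
            raise ValueError(f"not a hostname or IP address: {value!r}")
        return "dns", name
    if getattr(addr, "scope_id", None):
        # A zone ID only has meaning on the local host, not to a remote CA.
        raise ValueError("zone-scoped IPv6 address cannot be an identifier")
    return "ip", addr.compressed


def http01_url(identifier, token):
    """Build the HTTP-01 validation URL, bracketing IPv6 literals."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    kind, value = classify_identifier(identifier)
    # Without brackets the colons of an IPv6 literal read as a port separator.
    host = f"[{value}]" if kind == "ip" and ":" in value else value
    return f"http://{host}{WELL_KNOWN}{token}"


if __name__ == "__main__":
    # Constructed sample identifiers (documentation ranges) and token.
    for ident in ("Example.com", "192.0.2.10", "2001:DB8:0:0:0:0:0:1"):
        print(http01_url(ident, "constructed-token_123"))
```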

Certbot 5.2.2

10 Dec 17:56

Fixed

  • Fixed a regression that caused certbot to crash if multiple --webroot-path
    values were set on the command line.
    (#10509)

Certbot 5.2.1

03 Dec 20:33

Added

  • Support for Python 3.14 was added.
    (#10477)

Changed

  • While nothing significant should have changed from the user's perspective,
    we've been doing a lot of internal refactoring in preparation for soon adding
    support for IP address certificates to Certbot.
    (#10468,
    #10478)

Fixed

  • Removed vhost_combined and vhost_common log formats from included Apache
    configuration file. (#9769)
  • Due to a mistake on our end playing with GitHub's new immutable releases
    feature that prevented our CI from uploading additional release assets,
    Certbot 5.2.0 was not and will not be uploaded to most platforms. Instead,
    that version number will be skipped and we'll go straight to 5.2.1.
    (#10501)

Certbot 5.1.0

07 Oct 17:22

Changed

  • certbot-nginx no longer creates and uses self-signed certificates as an
    intermediate step when installing certificates. The certificates the user
    requested Certbot install are now always used instead.
    (#10465)
  • The function acme.crypto_util.make_self_signed_cert was deprecated and will
    be removed in a future release.
    (#10466)

Fixed

  • Fixed a bug in certbot-nginx that'd leave nginx configured with self-signed
    certificates if a user ran certbot enhance and they didn't have matching
    SSL server blocks. certbot enhance now requires the user to have a matching
    SSL server block to enable HSTS or OCSP stapling enhancements.
    (#10455)

Certbot 5.0.0

02 Sep 16:39

Added

  • Certbot now stores the Retry-After value given by ACME Renewal Info (ARI) so
    the value can be respected across multiple Certbot runs.
    (#10377)
  • Added uv as a test dependency, and switched most pip invocations to uv pip for faster installs.
    (#10428)

Changed

  • Removed final instances of pyopenssl x509 and PKey objects

    • Removed acme.crypto_util.SSLSocket
    • Removed acme.crypto_util.probe_sni

    (#10079,
    #10381)

  • Removed a number of deprecated classes/interfaces

    • Removed acme.challenges.TLSALPN01Response
    • Removed acme.challenges.TLSALPN01
    • Removed acme.standalone.TLSServer
    • Removed acme.standalone.TLSALPN01Server

    (#10274)

  • certbot.ocsp.RevocationChecker.__init__ no longer accepts the parameter
    enforce_openssl_binary_usage and always uses the cryptography Python
    library for OCSP checking.
    (#10291)

  • Python 3.9 support was removed.
    (#10389)

  • Migrated most functionality from certbot/setup.py to
    certbot/pyproject.toml
    (#10402)

  • Migrated most functionality from setup.py to pyproject.toml for acme,
    certbot-apache, and certbot-nginx.
    (#10417)

  • Migrated most functionality from setup.py to pyproject.toml for certbot
    dns plugins. (#10425)

  • Updated apache TLS configuration options based on changes to Mozilla's
    intermediate configuration recommendations.

    • Added DHE-RSA-CHACHA20-POLY1305 to SSLCipherSuite list for better
      compliance
    • Configured curves using SSLOpenSSLConfCmd so FFDH won't be used with
      OpenSSL 3.0

    (#10443)

Fixed

  • certbot-apache no longer prints a warning claiming the version of OpenSSL
    used by Apache is too old when we were unable to determine the OpenSSL version.
    (#10444)
  • certbot-nginx no longer uses socket.gethostname when generating self-signed
    certificates for use as a temporary step of installing certificates as it
    would sometimes result in strings that are too long to be used in the common
    name of a certificate. The static domain "temp-certbot-nginx.invalid" is now
    used instead. (#10447)

Certbot 4.2.0

05 Aug 17:58

Added

  • Added --eab-hmac-alg parameter to support custom HMAC algorithm for
    External Account Binding.
    (#10281)

Changed

  • Catches and ignores errors during the directory fetch for ARI checking so
    that these errors do not hinder the actual certificate issuance.
    (#10342)
  • Removed the dependency on pytz.
    (#10350)
  • Deprecated acme.crypto_util.probe_sni
    (#10386)
  • Support for Python 3.9 was deprecated and will be removed in our next planned
    release. (#10390)

Fixed

  • The Certbot snap no longer sets the environment variable PYTHONPATH stopping
    it from picking up Python files in the current directory and polluting the
    environment for Certbot hooks written in Python.
    (#10176,
    #10257)
  • Previously, we claimed to set FAILED_DOMAINS and RENEWED_DOMAINS env
    variables for use by post-hooks when certificate renewals fail, but we were
    not actually setting them. Now, we are.
    (#10259)
  • Certbot now always uses the server value from the renewal configuration file
    for ARI checks instead of the server value from the current invocation of
    Certbot. This helps prevent ARI requests from going to the wrong server if
    the user changes CAs.
    (#10339)
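
A post-hook written in Python that consumes the FAILED_DOMAINS and RENEWED_DOMAINS variables from the fix above and records whether PYTHONPATH reached the hook's environment, as an added example that is not part of Certbot. It assumes both variables hold space-delimited domain lists; the function names, the JSON record layout and the exit-code convention are hypothetical choices for a monitoring wrapper.

```python
import json
import os
import sys


def split_domains(raw):
    """Split a space-delimited list, lower-case and de-duplicate in order."""
    seen = {}
    for name in raw.split():
        seen.setdefault(name.lower(), None)
    return list(seen)


def renewal_summary(env):
    """Summarise one renewal run from the hook's environment mapping."""
    renewed = split_domains(env.get("RENEWED_DOMAINS", ""))
    failed = split_domains(env.get("FAILED_DOMAINS", ""))
    if failed:
        status = "failed"
    elif renewed:
        status = "renewed"
    else:
        status = "noop"
    return {
        "status": status,
        "renewed": renewed,
        "failed": failed,
        # True if a PYTHONPATH was inherited, so this hook may be importing
        # modules from a location the operator did not intend.
        "pythonpath_inherited": "PYTHONPATH" in env,
    }


def main(env=None):
    """Emit one JSON line on stderr; return 1 if any renewal failed."""
    summary = renewal_summary(os.environ if env is None else env)
    print(json.dumps(summary, sort_keys=True), file=sys.stderr)
    return 1 if summary["failed"] else 0


if __name__ == "__main__":
    sys.exit(main())
```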