mod_md v2.4.16

• The MDCertificateAuthority directive can take more than one URL/name of
  an ACME CA. This gives a failover for renewals when several consecutive attempts
  to get a certificate failed. See REAME for details.
• New directive MDRetryDelay to set the delay of retries. See README
  for details.
• New directive MDRetryFailover to set the number of errored attempts
  before an alternate CA is selected for certificate renewals. See README
  for details.

mod_md v2.4.15

• Fixed a bug leading to failed transfers for OCSP stapling information
  when more than 6 certificates needed updates in the same run.

mod_md v2.4.14

• Added support for tailscale (https://tailscale.com) certificates to have
  trusted access to your internal domain names. See README.md for more
  information on how to set this up.
• Fix for a memory leak in handling of JSON arrays. This leak was mainly
  triggered by the additions to the server-status handler and lead to
  increased process sizes with each request of a status page.

mod_md v2.4.13

• A possible NULL pointer deref was fixed in the JSON code for
  persisting time periods (start+end). Fixes #282.
  Thanks to @marcstern for finding this.

mod_md v2.4.12

• Implement full auto status ("key: value" type status output).
  Especially not only status summary counts for certificates and
  OCSP stapling but also lists. Auto status format is similar to
  what was used for mod_proxy_balancer.
  [Rainer Jung]

mod_md v2.4.11

• Do not interfere with requests to /.well-known/acme-challenge/ resources
  if challenge type 'http-01' is not configured for a domain. Fixes #279.
• The status description in MDomain's JSON, exposed in the
  md-status handler (if configured) did sometimes not carry the correct
  message when certificates needed renew.

v2.4.10

• Fix memory leak in case of failures to load the private key.
  Apache PR 65620 [ Filipe Casal filipe.casal@trailofbits.com ]

mod_md v2.4.9

• MDExternalAccountBinding can be configured with a file that contains the
  'kid' and 'hmac' values in JSON format. Since httpd config files are often
  readable to non-admins, this allows to keep those values in a more protected
  file.
• OpenSSL 3.0 compatibility: fixed generation of Elliptic Curve private
  keys to work with openssl 3.0.0.
• Docker testing arrived. Run make docker-test in your mod_md directory
  to build and test the current sources in a Debian sid image.
• The directive 'MDCertificateAuthority' now checks if its parameter is a http/https
  url or one of a set of known names. Those are 'LetsEncrypt', 'LetsEncrypt-Test',
  'Buypass' and 'Buypass-Test' for now and they are not case-sensitive.
  The default of LetsEncrypt is unchanged.
• Fixed a bug that reset the error counter of a certificate renewal and
  prevented the increasing delays in further attempts. Test case 741 added
  to verify the correct behaviour.

mod_md v2.4.8

• MDContactEmail can now be specified inside a <MDomain dnsname> section.
• Treating 401 HTTP status codes for orders like 403, since Sectigo
  seems to prefer that for accessing oders from other accounts.
• When retrieving certificate chains, try to read the response even
  if the HTTP Content-Type is unrecognized.
• Fixed the renewal process giving up every time on an already existing order
  with some invalid domains. Now, if such are seen in a previous order, a new
  order is created for a clean start over again. See #268.
• Fixed a mixup in md-status handler when static certificate files and
  renewal was configured at the same time.
• New: experimental support for ACME External Account Binding (EAB).
  Use the new directive MDExternalAccountBinding to provide the
  server with the value for key identifier and hmac as provided by
  your CA.
  While working on some servers, EAB handling is not uniform across CAs.
  First tests with a Sectigo Certificate Manager in demo mode are
  successful. But ZeroSSL, for example, seems to regard EAB values as
  a one-time-use-only thing, which makes them fail if you create a
  seconde account or retry the creation of the first account with
  the same EAB.

mod_md v2.4.7

• When MDMessageCmd for a 'challenge-setup::' fails (!= 0 exit),
  the renewal process is aborted and an error is reported for the MDomain.
  As discussed in #237, this provides scripts that distribute information
  in a cluster to abort early with bothering an ACME server to validate
  a dns name that will not work. The common retry logic will make another
  attempt in the future, as with other failures.
• Fixed a bug when adding private key specs to an already working MDomain, see #260.
• fix time-of-use vs time-of-check when ACME server returned an empty response.
  [kokke spam@rowdy.dk]