v1.0.1 — 2026-04-21
Safety-net release before the v1.1 cert-lifecycle push. Makes the ACME directory URL configurable so development and debugging can target Let's Encrypt staging without burning production rate limits (50 certs per registered domain per week; a botched issuance loop can burn it in minutes).
No breaking changes. Pure additive release.
What changed
Every tls_mode=auto host has always asked Caddy to issue against Let's Encrypt production. v1.0.1 keeps that default but makes it configurable at three levels:
- Global: acme.ca_url setting, edited via Settings → ACME CA. Presets: production / staging / custom URL.
- Per-host: tls_acme_ca_url column on the host, set via host form → Advanced → ACME CA URL override. Empty inherits the global.
- Env var: ARGOS_ACME_CA_URL on the panel container. Hard override that survives DB restores and Caddy restarts.
Precedence: env > per-host > global > "" (LE production default).
Validation rejects anything that is not a well-formed https:// URL with a host. Empty strings mean "inherit", not "error".
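The precedence and validation rules above, sketched as an added example (not Argos's own code). The function names, the custom CA URL and the whitespace check are assumptions; the staging URL is Let's Encrypt's published staging directory.

```python
from urllib.parse import urlsplit

# Let's Encrypt staging directory; the custom URL below is a constructed placeholder.
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
CUSTOM_CA = "https://ca.example.test/acme/directory"


def validate_ca_url(value: str) -> str:
    """Return value unchanged if it is "" (inherit) or an https:// URL with a host."""
    if value == "":
        return ""
    # Assumption: whitespace and control characters are rejected outright, because
    # urlsplit() would otherwise strip some of them silently.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise ValueError(f"ACME CA URL contains whitespace or control chars: {value!r}")
    try:
        parts = urlsplit(value)
        host = parts.hostname
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        raise ValueError(f"malformed ACME CA URL: {value!r}") from exc
    if parts.scheme != "https" or not host:
        raise ValueError(f"ACME CA URL must be https:// with a host: {value!r}")
    return value


def resolve_ca_url(env: str, per_host: str, global_setting: str) -> tuple[str, str]:
    """Apply env > per-host > global > "" and report which level won."""
    for source, raw in (("env", env), ("per-host", per_host), ("global", global_setting)):
        # Levels are checked in precedence order and the first non-empty value wins,
        # so a set env var is used without consulting the database values.
        url = validate_ca_url(raw)
        if url:
            return url, source
    return "", "default"  # empty string: Let's Encrypt production


if __name__ == "__main__":
    # Constructed inputs: (env, per-host, global)
    for case in [("", "", ""), ("", "", LE_STAGING), ("", CUSTOM_CA, LE_STAGING),
                 (LE_STAGING, CUSTOM_CA, "")]:
        print(case, "->", resolve_ca_url(*case))
```

Returning the winning level alongside the URL makes it easy to log why a host is issuing against a non-production CA.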
Typical use cases
- Developer panel: flip Settings → ACME CA to staging while iterating. Browsers warn because the cert chains to an untrusted root, but issuance rate limits are ~30× higher.
- One-host debug: leave the global on production, override one host via the Advanced field to isolate an issuance failure without impacting the rest.
- Emergency ops: set ARGOS_ACME_CA_URL in compose and restart the panel to force every auto-host onto a specific CA, bypassing DB state.
Upgrade
Migration 021 adds hosts.tls_acme_ca_url with default ''. Every existing host keeps its current behaviour (LE production via Cloudflare DNS-01). No action required.
New DB surface
- hosts.tls_acme_ca_url TEXT NOT NULL DEFAULT ''
- settings("acme.ca_url") (no default row; empty = production)
Documentation
Known limitations
- Staging certs are untrusted. Browsers show a warning on every visit. The Settings UI amber-warns you while staging is selected; it is not meant for user-facing panels.
- No auto-renewal UI yet. That lands in v1.1 (Feature 4 of the ACME roadmap) alongside HTTP-01 support and certificate import.
- No DNS-01 provider beyond Cloudflare. Compiled into the Caddy image via xcaddy; adding more is an xcaddy rebuild plus a config-level provider selector. Also scheduled for a later release.
Related
- CHANGELOG
- ACME v1.1 roadmap (planning doc; not yet published)