
v1.1.0 — 2026-04-21

Minor feature release focused on certificate lifecycle. Three ACME challenge types, enriched renewal visibility, and full import support for operator-owned certificates with disaster-recovery materialisation on boot.

No breaking changes. Standard upgrade path; all migrations (021 / 022 / 023) are additive.

Highlights

ACME challenges — all three supported

tls_mode=auto hosts now pick one of three ACME challenges:

  • DNS-01 (Cloudflare) — default, unchanged from v1.0. Works behind CGNAT and supports wildcards. Requires CLOUDFLARE_API_TOKEN in the caddy container's environment.
  • HTTP-01 — requires port 80 to be reachable from the internet. No DNS API token needed. No wildcards.
  • TLS-ALPN-01 — requires port 443 to be reachable from the internet; useful when port 80 is blocked. No DNS API token needed. No wildcards.

The host form exposes the choice as a radio group with inline reachability warnings. The full matrix is in Reverse proxy → TLS challenges.

Cert renewal visibility

/certs is now /certificates with two tabs.

Active tab replaces the old flat certs list with:

  • Status badges (ok / warning / critical / expired / unknown) keyed to the 30-day / 7-day thresholds.
  • Days-left column.
  • Last Caddy-error event per domain with a green/red dot and a deep-link to /logs?source=caddy_error&q=<domain>.
  • Next renewal estimate (cert.not_after minus 30d). This matches 90-day Let's Encrypt certs exactly, since certmagic's default renewal window is the last third of the lifetime; for certs with other lifetimes it is only an approximation.
  • Renew now button that re-pushes the Caddy config so certmagic re-evaluates the cert. Note that a cert still comfortably outside the renewal window remains a no-op; that is the correct behaviour, because Let's Encrypt rate limits are tight.

Import your own certificates (Feature 5)

Imported tab under Certificates hosts the new Import certificate modal. Upload cert.pem + key.pem + an optional chain; argos validates the upload, encrypts the private key with ARGOS_MASTER_KEY, writes the files to the new caddy_manual_certs volume, and records the row and the flip of the host to tls_mode=manual in a single SQL transaction.

Use cases:

  • Private / internal CAs (Step-CA, Smallstep, Vault PKI).
  • Self-signed certs for LAN hosts.
  • Commercial certs from a non-ACME CA.
  • DNS-01 certs issued out of band with certbot --manual. The panel's own DNS-01 manual flow is tracked for v1.2; until then, importing the certbot-issued cert through this flow is the supported path.

Full walkthrough: Import own cert.

Manual cert disaster recovery

When you restore argos.db onto fresh infrastructure (a caddy_manual_certs volume that was wiped or never existed), the plaintext cert + key files do not come back automatically: Caddy's load_files entries would point at paths that no longer exist.

v1.1.0 ships a boot reconciler: after migrations, for every host_manual_certs row whose files are missing, the panel decrypts the key from the DB and writes both files to the shared volume. Idempotent (already-present files are skipped). The argos backup tarball plus .env (for ARGOS_MASTER_KEY) is now a self-contained DR unit — no separate out-of-band replication of caddy_manual_certs is required.

See Manual certificates → Disaster recovery.
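The reconciler loop described above, as an added Go example that is not the panel's own code. The rows arrive as a slice rather than being read from argos.db, the per-host directory layout under the volume, the key_pem_encrypted wire format and the AES-256-GCM key-at-rest scheme keyed by a 32-byte ARGOS_MASTER_KEY are all assumptions made for the example; what it demonstrates is the idempotency check, failing before any write when the master key is wrong, private-key file modes, and atomic placement so Caddy never loads a half-written PEM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ManualCert is an assumed in-memory shape of one host_manual_certs row.
type ManualCert struct {
	HostID          int64
	CertPEM         []byte
	KeyPEMEncrypted []byte // assumed format: 12-byte nonce || AES-256-GCM ciphertext
	ChainPEM        []byte // empty when no chain was uploaded
}

// newGCM wraps the 32-byte master key (hypothetical stand-in for the panel's real scheme).
func newGCM(masterKey []byte) (cipher.AEAD, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealKey encrypts a private key PEM for storage in key_pem_encrypted.
func SealKey(masterKey, keyPEM []byte) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyPEM, nil), nil // ciphertext appended after the nonce
}

// OpenKey decrypts key_pem_encrypted; a wrong key or a tampered blob fails authentication.
func OpenKey(masterKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted key blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Reconcile writes cert.pem, key.pem and (when present) chain.pem under <volumeDir>/<host_id>/
// (assumed layout) for every row whose files are missing. Rows whose files already exist are
// left untouched, so it is safe to run on every boot. It returns the host IDs it wrote.
func Reconcile(volumeDir string, masterKey []byte, rows []ManualCert) ([]int64, error) {
	var written []int64
	for _, r := range rows {
		dir := filepath.Join(volumeDir, fmt.Sprint(r.HostID))
		present := func(name string) bool { _, err := os.Stat(filepath.Join(dir, name)); return err == nil }
		if present("cert.pem") && present("key.pem") {
			continue
		}
		keyPEM, err := OpenKey(masterKey, r.KeyPEMEncrypted)
		if err != nil {
			// A restore with the wrong ARGOS_MASTER_KEY fails here, before anything touches the volume.
			return written, fmt.Errorf("host %d: cannot decrypt key (wrong ARGOS_MASTER_KEY?): %w", r.HostID, err)
		}
		if err := os.MkdirAll(dir, 0o750); err != nil {
			return written, err
		}
		files := map[string][]byte{"key.pem": keyPEM, "cert.pem": r.CertPEM}
		if len(r.ChainPEM) > 0 {
			files["chain.pem"] = r.ChainPEM
		}
		// The private key is readable only by the panel's user and the group Caddy reads as.
		modes := map[string]os.FileMode{"key.pem": 0o640, "cert.pem": 0o644, "chain.pem": 0o644}
		for name, data := range files {
			if err := writeAtomic(filepath.Join(dir, name), data, modes[name]); err != nil {
				return written, err
			}
		}
		written = append(written, r.HostID)
	}
	return written, nil
}

// writeAtomic writes a sibling temp file and renames it into place, so Caddy's load_files
// never observes a half-written PEM.
func writeAtomic(path string, data []byte, mode os.FileMode) error {
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, data, mode); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}
```

Because the presence check requires both cert.pem and key.pem, a crash between the two writes is repaired on the next boot; because the check is done before decryption, a healthy volume never causes the master key to be exercised at all.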

ACME CA toggle (from v1.0.1, included)

Global acme.ca_url setting + per-host tls_acme_ca_url override + ARGOS_ACME_CA_URL env var. Switch the panel or a single host to LE staging for development without burning production rate limits.
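The challenge rules from the Highlights section and the CA URL precedence just described, as an added Go example that is not the project's own code. It builds the Caddy JSON tls.automation policy entry a host's tls_challenge and tls_acme_ca_url values map to when the panel pushes its config (the same push Renew now repeats). The Host and Settings types, the wildcard check, and the use of a {env.CLOUDFLARE_API_TOKEN} placeholder are assumptions about how the panel might do this; the issuer and challenge JSON shape is Caddy's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Values of hosts.tls_challenge; 'dns' is the v1.1.0 default.
const (
	ChallengeDNS     = "dns"
	ChallengeHTTP    = "http"
	ChallengeTLSALPN = "tls-alpn"
)

// Host is an assumed minimal shape of a tls_mode=auto host row, not the panel's own type.
type Host struct {
	Domains      []string
	TLSChallenge string // hosts.tls_challenge
	TLSACMECAURL string // hosts.tls_acme_ca_url; "" means "use the global setting"
}

// Settings stands in for the global acme.ca_url setting / ARGOS_ACME_CA_URL.
type Settings struct {
	ACMECAURL string // "" means Caddy's default CA (Let's Encrypt production)
}

// BuildACMEIssuer returns the Caddy "acme" issuer module for one host, applying the
// documented rules: only DNS-01 can issue wildcards, the port-based challenges are
// disabled when DNS-01 is selected (so a CGNAT host never attempts them), and the
// per-host CA URL overrides the global one.
func BuildACMEIssuer(h Host, s Settings) (map[string]any, error) {
	hasWildcard := false
	for _, d := range h.Domains {
		if strings.HasPrefix(d, "*.") {
			hasWildcard = true
		}
	}
	challenges := map[string]any{}
	switch h.TLSChallenge {
	case ChallengeDNS:
		// Caddy expands the placeholder from the caddy container's environment, so the
		// token never has to be stored in argos.db.
		challenges["dns"] = map[string]any{
			"provider": map[string]any{"name": "cloudflare", "api_token": "{env.CLOUDFLARE_API_TOKEN}"},
		}
		challenges["http"] = map[string]any{"disabled": true}
		challenges["tls-alpn"] = map[string]any{"disabled": true}
	case ChallengeHTTP, ChallengeTLSALPN:
		if hasWildcard {
			return nil, fmt.Errorf("%s-01 cannot issue wildcard names %v; use dns", h.TLSChallenge, h.Domains)
		}
		// Leave the chosen challenge at Caddy's default (enabled) and switch the other port-based one off.
		other := ChallengeTLSALPN
		if h.TLSChallenge == ChallengeTLSALPN {
			other = ChallengeHTTP
		}
		challenges[other] = map[string]any{"disabled": true}
	default:
		return nil, fmt.Errorf("unknown tls_challenge %q", h.TLSChallenge)
	}
	issuer := map[string]any{"module": "acme", "challenges": challenges}
	ca := h.TLSACMECAURL
	if ca == "" {
		ca = s.ACMECAURL
	}
	if ca != "" {
		issuer["ca"] = ca // e.g. LE staging during development, or an internal ACME CA
	}
	return issuer, nil
}

// AutomationPolicy wraps the issuer into one tls.automation.policies entry.
func AutomationPolicy(h Host, s Settings) ([]byte, error) {
	issuer, err := BuildACMEIssuer(h, s)
	if err != nil {
		return nil, err
	}
	policy := map[string]any{"subjects": h.Domains, "issuers": []any{issuer}}
	return json.MarshalIndent(policy, "", "  ")
}

func main() {
	staging := Settings{ACMECAURL: "https://acme-staging-v02.api.letsencrypt.org/directory"}
	for _, h := range []Host{
		{Domains: []string{"*.example.test"}, TLSChallenge: ChallengeDNS},
		{Domains: []string{"app.example.test"}, TLSChallenge: ChallengeTLSALPN},
		{Domains: []string{"*.example.test"}, TLSChallenge: ChallengeHTTP}, // rejected
	} {
		if out, err := AutomationPolicy(h, staging); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Println(string(out))
		}
	}
}
```

Rejecting wildcards for HTTP-01 and TLS-ALPN-01 before the config is pushed matters in practice: Caddy would otherwise attempt the order, fail, and the failures count against Let's Encrypt's per-hostname failed-validation limits.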

Documentation polish

  • Installation Volumes table rewritten: all 8 volumes listed with backup-scope + "lose it and what happens" columns.
  • ARGOS_MASTER_KEY is-part-of-your-backup callout in install, upgrade, and restore docs.
  • docker compose down -v danger callout in upgrade and restore workflows.
  • New operations page: Cert troubleshooting.
  • New feature pages: Security overview, Logs browser, Settings, Manual certificates.

Upgrade

cd argos-edge
git fetch --tags
git pull
docker compose pull
docker compose up -d

Migrations 021 / 022 / 023 apply automatically. Existing tls_mode=auto hosts default to tls_challenge='dns' — no behavioural change from v1.0.

New DB surface

  • hosts.tls_acme_ca_url TEXT NOT NULL DEFAULT ''
  • hosts.tls_challenge TEXT NOT NULL DEFAULT 'dns' CHECK (...)
  • hosts.tls_mode CHECK extended to ('auto', 'none', 'manual')
  • Table host_manual_certs (host_id + cert_pem + key_pem_encrypted + chain_pem + not_after + not_before + sans + fingerprint + uploaded_by + uploaded_at)

New volume

  • caddy_manual_certs (host-side: argos_caddy_manual_certs). RW in argos-panel at /data/manual-certs, RO in argos-caddy at /etc/caddy/manual-certs.

Known limitations / roadmap

  • DNS-01 manual (Feature 1 of the original ACME roadmap) is deferred to v1.2. Until then, use certbot --manual out of band plus this release's Import flow as the replacement.
  • DNS providers beyond Cloudflare are not yet wired through xcaddy — roadmap item, not targeted for v1.2.
  • Renew now for comfortably-valid certs triggers a Caddy re-check but does not force a fresh ACME order. This is intentional to avoid wasting LE quota.

Acknowledgments

This release was driven start-to-finish by the solo maintainer running incremental audits and dogfooding on a demo deploy. Every feature landed with its own docs page + tests; every regression discovered during dogfooding resulted in a fix in the same session (notable: the nested-forms bug that blocked manual cert upload on first release — reshaped into the current Import modal UX — and the tls_mode validator that rejected manual on round-trip saves). Appreciation to the mkdocs-material, Caddy, certmagic, Coraza, and CrowdSec projects, all of which this panel is a thin wrapper over.