v1.2.0 — 2026-04-21

Docs-only minor release. Closes the remaining DNS-01 manual gap with an external workflow rather than native panel code.

What landed

New page: Manual DNS workflow

docs/tls/manual-dns-workflow.md is the full operator guide for issuing Let's Encrypt certificates against a DNS provider that argos-edge does not integrate with natively. The flow is:

  1. Run acme.sh --issue --dns -d <host> on any machine you trust.
  2. Add the printed TXT records at your DNS provider, then verify them with dig against a public recursive resolver.
  3. Run acme.sh --renew -d <host> to complete the order.
  4. Import the resulting .cer + .key via Certificates → Imported → Import certificate.

Renewal is the same four steps every ~60 days. The manual-cert expiry notifications (30 / 14 / 7 / 1 days, shipped in v1.1) serve as the renewal reminder.
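
A pre-check for step 2, as an added example that is not part of the argos-edge docs: it derives the _acme-challenge record name (including for a wildcard, which goes beyond the single-host case above) and confirms that every TXT value acme.sh printed is visible in the resolver's answer. The function names, host names and TXT values are constructed for illustration, and the resolver address is whatever public recursive resolver you pass in.

```shell
#!/bin/sh
# Added example; host names and TXT values below are constructed samples.

# DNS-01 record name for a certificate identifier. A wildcard
# (*.example.com) is validated at the same name as its base domain.
acme_txt_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Reads `dig +short TXT` output on stdin and succeeds only if every
# expected value (arguments) appears as a complete TXT string.
txt_values_present() {
    [ "$#" -gt 0 ] || { echo "no expected values given" >&2; return 2; }
    answers=$(tr -d '"\r')   # dig prints each TXT string in double quotes
    for want in "$@"; do
        # -F/-x: exact whole-line match; `--` because base64url values
        # may begin with "-".
        printf '%s\n' "$answers" | grep -Fxq -- "$want" || {
            echo "missing TXT value: $want" >&2
            return 1
        }
    done
}

# Usage: check_challenge <host> <resolver-ip> <txt-value>...
check_challenge() {
    host=$1 resolver=$2
    shift 2
    dig +short TXT "$(acme_txt_name "$host")" "@$resolver" |
        txt_values_present "$@"
}

# Constructed resolver output for a certificate covering example.com and
# *.example.com: both challenges live at one name, so both must be visible.
sample_answer='"-constructedValueForApex"
"constructedValueForWildcard"'

printf '%s\n' "$sample_answer" |
    txt_values_present -constructedValueForApex constructedValueForWildcard &&
    echo "all challenge values visible"
```

Call check_challenge with the host, a resolver address and the values printed in step 1 before running step 3.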

Cross-references added

mkdocs.yml gains a new top-level TLS section. The workflow page lives there; future TLS-focused documentation will collect under the same heading.

Why a docs release and not a feature release

A native panel-driven DNS-01 manual flow — Feature 1 of the TLS roadmap originally scoped for v1.1 — was re-analysed against the now-shipped infrastructure (manual cert import, encrypted-at-rest key storage, boot reconciler, manual_cert_expiring_soon event).

The conclusion was to defer again:

  • The acme.sh + Import workflow covers the same operator need end to end with zero additional code.
  • A native flow would add ~3-5 focused weeks of work: a persistent ACME-order state machine (required to survive panel restarts during the multi-day user-verify window), a second ACME client in the stack, a new acme_orders table, authoritative-NS DNS propagation checks, UI for pending orders, a renewal cron, and a Pebble-backed integration test harness.
  • The analysis also found that lego is not the right library for the native flow (its manual provider is stdin-only and its synchronous Obtain() cannot survive panel restart); the correct pick would be acmez.

The full analysis, including library comparison, state-machine design, rate-limit risks, and alternative recommendations, is checked in at docs/internals/dns01-manual-analysis.md in the repository. It is not published in the portal — kept in git as the decision record for when the feature is revisited.

The gate for revisiting Feature 1 is concrete operator feedback showing the external workflow is painful enough to justify the cost. Until then, docs close the gap.

Upgrade

cd argos-edge
git pull

That's it. Nothing runtime changes — no code, no schema, no compose, no volumes.