dependabot[bot]

Bump github.com/go-acme/lego/v4 from 4.33.0 to 4.34.0 in the go-deps group (#59)

Bumps the go-deps group with 1 update: github.com/go-acme/lego/v4.

Updates github.com/go-acme/lego/v4 from 4.33.0 to 4.34.0

Release notes

Sourced from github.com/go-acme/lego/v4's releases.

v4.34.0

lego is an independent, free, and open-source project, if you value it, consider supporting it! ❤️

Everybody thinks that the others will donate, but in the end, nobody does.

So if you think that lego is worth it, please consider donating.

For key updates, see the changelog.

Changelog

  • b682f8494cca7fd9859adc8814b253e6855b7faa Add DNS provider for 1cloud.ru (#2921)
  • 79b83fe1e38e6b93443077014fb51d3ba3bfed7b Add DNS provider for Netnod (#2919)
  • ca178943d0a6394ae44d94ed37306d66b14ee2c2 Add DNS provider for UCloud (#2972)
  • 61bd6bf0b9bc49c740528316dc8054871127d706 Add DNS provider for online.net (#2964)
  • 4f6a481bc4298383b1d2514f3dab0dbd0120b544 bluecatv2: fix documentation
  • aa6fcebccb73828e933c33363dccc0a93a101988 fix: check base64url token
  • 1274ec8741d7ac0b4232775e358bc95db44d961c oraclecloud: support profile session token (#2965)
  • cff2cd750413febbec64cb5fb3eedfc5a2e31a49 rfc2136: add RFC3645 (TSIG-GSS) support (#2946)
  • 33754b3b216169b18d580bddf1837e713bff7c30 rfc2136: add dnsupdate as alias (#2957)
  • 79796e155e4460967458c0df8fe58ea390cfe08f yandex360: update API docs links (#2922)

Changelog

Sourced from github.com/go-acme/lego/v4's changelog.

v4.34.0

  • Release date: 2026-04-15
  • Tag: v4.34.0

Added

  • [dnsprovider] Add DNS provider for UCloud
  • [dnsprovider] Add DNS provider for online.net
  • [dnsprovider] Add DNS provider for 1cloud.ru
  • [dnsprovider] Add DNS provider for Netnod
  • [dnsprovider] oraclecloud: support profile session token
  • [dnsprovider] rfc2136: add RFC3645 (TSIG-GSS) support

Changed

  • [dnsprovider] rfc2136: add dnsupdate as alias

Fixed

  • [httpprovider] Check base64url token

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don’t alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency’s major version (unless you unignore this specific dependency’s major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency’s minor version (unless you unignore this specific dependency’s minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Signed-off-by: dependabot[bot] support@github.com Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

26 days ago · 45 commits

test-certs-site

Introduction

This is a purpose-built webserver for hosting the test pages required by the CA/Browser Forum Baseline Requirements. From the CA/Browser Forum TLS Baseline Requirements:

The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are valid, revoked, and expired.

It uses the ACME protocol to obtain certificates. It serves a simple website with some information explaining what the test site is for.

While this was built for Let’s Encrypt, it should be usable by other ACME CAs.

Running test-certs-site

This is a standalone Go program.

go run main.go -config [path/to/config.json]

See config/config.go for the configuration schema and config/testdata/test.json for an example of a valid configuration. The integration test config is generated at runtime by integration/configgen.

Testing locally

We provide a docker-compose.yml file for local testing. It will automatically deploy Pebble, a test CA. Execute:

docker compose up --build

Then, access one of the test sites.

They are available on:

These URLs may work immediately, but if they don’t resolve on your system, you can get curl to resolve them:

curl -k --resolve revoked.localhost:5001:127.0.0.1 'https://revoked.localhost:5001/'

If you want to access the sites from your browser, edit your /etc/hosts file to include the test certs addresses.

127.0.0.1 valid.localhost revoked.localhost expired.localhost

Avoiding Incidents

This software was inspired by several incidents we observed from other CAs, as well as the complexity of our existing solution using off-the-shelf tools.

Some categories of incidents we’ve observed include:

  • Allowing certificates to expire incorrectly, for the valid and revoked sites.
  • Serving unrevoked certificates on the revoked demonstration sites.

A server with ACME integration is the most reliable way to keep certificates up to date, but deliberately serving revoked and expired certificates is an unusual requirement that other systems do not typically support. Monitoring systems likewise rarely support checking that a certificate is revoked or expired, as opposed to checking that it is valid.
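As an added example (not code from the test-certs-site project), the two incident categories above can be turned into a check a monitor runs against each site: given the site's leaf certificate, the issuer certificate and the issuer's CRL, CheckSiteState fails when a valid or revoked site's certificate has lapsed, when the revoked site's serial is missing from the CRL, or when the expired site's certificate is still valid. SamplePKI builds a constructed issuer, one leaf per site and a CRL so the check runs offline; the names SiteState, CheckSiteState, SamplePKI and issue are this example's own, and revocation is checked via CRL here where a monitor for a real CA could equally use OCSP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SiteState is the state a Baseline Requirements test page is meant to demonstrate.
type SiteState string

const StateValid, StateRevoked, StateExpired SiteState = "valid", "revoked", "expired"

// CheckSiteState returns nil only when leaf is in exactly the wanted state at time now; each
// error is one of the incident categories above. The chain is verified for every state (an
// expired site's certificate must still have chained once) and the CRL must be issuer-signed
// and current, otherwise its revocation verdict proves nothing.
func CheckSiteState(leaf, issuer *x509.Certificate, crl *x509.RevocationList, want SiteState, now time.Time) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable: signature error %v, nextUpdate %s", err, crl.NextUpdate.Format(time.RFC3339))
	}
	expired := now.After(leaf.NotAfter)
	chainTime := now
	if expired {
		chainTime = leaf.NotAfter.Add(-time.Second) // verify the chain as of just before expiry
	}
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: chainTime}); err != nil {
		return fmt.Errorf("%s site: certificate does not chain to issuer: %w", want, err)
	}
	if expired != (want == StateExpired) {
		return fmt.Errorf("%s site: certificate notAfter %s contradicts expected state", want, leaf.NotAfter.Format(time.RFC3339))
	}
	revoked := false
	for _, e := range crl.RevokedCertificateEntries {
		revoked = revoked || e.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}
	if want != StateExpired && revoked != (want == StateRevoked) {
		return fmt.Errorf("%s site: serial %v on CRL = %v, which contradicts expected state", want, leaf.SerialNumber, revoked)
	}
	return nil
}

// issue generates a P-256 key and signs tmpl with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SamplePKI is constructed input: one issuer, one leaf per site (serials 2, 3, 4) and a CRL
// revoking only serial 3. A real monitor fetches the leaves from the sites and the CRL from the CA.
func SamplePKI(now time.Time) (*x509.Certificate, *x509.RevocationList, map[SiteState]*x509.Certificate, error) {
	day := 24 * time.Hour
	issuer, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-day), NotAfter: now.Add(365 * day)}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leaves := map[SiteState]*x509.Certificate{}
	notAfter := map[SiteState]time.Time{StateValid: now.Add(60 * day), StateRevoked: now.Add(60 * day), StateExpired: now.Add(-time.Hour)}
	for i, state := range []SiteState{StateValid, StateRevoked, StateExpired} {
		host := string(state) + ".localhost"
		leaves[state], _, err = issue(&x509.Certificate{SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: host},
			DNSNames: []string{host}, NotBefore: now.Add(-90 * day), NotAfter: notAfter[state],
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, issuer, caKey)
		if err != nil {
			return nil, nil, nil, err
		}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(day), RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(3), RevocationTime: now.Add(-time.Hour)}}}, issuer, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	return issuer, crl, leaves, err
}

func main() {
	issuer, crl, leaves, err := SamplePKI(time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckSiteState(leaves[StateValid], issuer, crl, StateRevoked, time.Now()))
}
```

Running main prints the error a monitor should raise for the second incident category, an unrevoked certificate served on the revoked site. The stale-CRL guard matters in practice: a check that trusts an old CRL will happily report "revoked" long after the CA has rotated its keys or the site has replaced its certificate.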

ACME challenges

Currently, test-certs-site only supports the TLS-ALPN-01 validation method. To fulfil this challenge, and to serve the test sites, this program listens on a configurable port, which should be exposed as the TLS port, :443.

Note that the test configuration listens on :5001 by default, which matches Pebble’s default validation port.
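As an added illustration (not code from test-certs-site), here is how one listener can answer both TLS-ALPN-01 validation and ordinary site traffic from a single tls.Config.GetCertificate callback, following RFC 8737: a hello that offers ALPN "acme-tls/1" is the CA's validator and receives a self-signed certificate carrying the acmeIdentifier extension with SHA-256 of the key authorization, while every other hello gets the site certificate for its SNI. ChallengeCert, ChallengeDigest and Responder are names chosen for this example, and the key authorization string in main is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// RFC 8737: the CA's validator offers ALPN "acme-tls/1" and expects a self-signed certificate
// that carries the id-pe-acmeIdentifier extension (OID 1.3.6.1.5.5.7.1.31).
const acmeALPN = "acme-tls/1"

var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// ChallengeCert builds the challenge certificate for domain: a single dNSName SAN plus a
// critical acmeIdentifier extension whose value is SHA-256(keyAuthorization) as an OCTET STRING.
func ChallengeCert(domain, keyAuthorization string) (*tls.Certificate, error) {
	digest := sha256.Sum256([]byte(keyAuthorization))
	octets := append([]byte{0x04, byte(len(digest))}, digest[:]...) // DER OCTET STRING of 32 bytes
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: octets}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// ChallengeDigest is the validator's side: it pulls the digest out of the extension so it can
// be compared with the validator's own SHA-256 of the key authorization.
func ChallengeDigest(cert *x509.Certificate) ([]byte, bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidACMEIdentifier) {
			var d []byte
			_, err := asn1.Unmarshal(ext.Value, &d)
			return d, err == nil
		}
	}
	return nil, false
}

// Responder serves site certificates and pending challenge certificates from one listener.
// Both tables are keyed by lowercase host name; sync.Map makes installing a challenge from
// the ACME client goroutine safe while the listener is handling handshakes.
type Responder struct{ sites, challenges sync.Map }

func (r *Responder) SetSite(host string, c *tls.Certificate) { r.sites.Store(strings.ToLower(host), c) }
func (r *Responder) SetChallenge(host string, c *tls.Certificate) { r.challenges.Store(strings.ToLower(host), c) }
func (r *Responder) ClearChallenge(host string) { r.challenges.Delete(strings.ToLower(host)) }

// GetCertificate is the tls.Config.GetCertificate callback. A hello offering acme-tls/1 is a
// validation attempt and may only ever receive the challenge certificate for its SNI: when
// none is pending the handshake must fail rather than fall back to the site certificate.
func (r *Responder) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host := strings.ToLower(hello.ServerName)
	for _, p := range hello.SupportedProtos {
		if p == acmeALPN {
			if c, ok := r.challenges.Load(host); ok {
				return c.(*tls.Certificate), nil
			}
			return nil, fmt.Errorf("no pending TLS-ALPN-01 challenge for %q", host)
		}
	}
	if c, ok := r.sites.Load(host); ok {
		return c.(*tls.Certificate), nil
	}
	return nil, fmt.Errorf("no site certificate for %q", host)
}

func main() {
	r := &Responder{}
	c, err := ChallengeCert("valid.localhost", "constructed-token.constructed-thumbprint")
	if err != nil {
		panic(err)
	}
	r.SetChallenge("valid.localhost", c)
	// acme-tls/1 must be listed in NextProtos or crypto/tls rejects the validator's hello.
	cfg := &tls.Config{GetCertificate: r.GetCertificate, NextProtos: []string{acmeALPN, "h2", "http/1.1"}}
	fmt.Println("challenge installed; listener offers", len(cfg.NextProtos), "ALPN protocols")
}
```

Hand the resulting tls.Config to the listener that also serves the site pages, and call ClearChallenge once the CA reports the authorization valid, so that a later validator hello for that name fails cleanly instead of being answered with a stale challenge certificate.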

Key and Certificate Storage

Currently, test-certs-site stores all key material as paths on disk. To ease running cert-test-program in cloud or ephemeral environments, we will want to support some mechanism for persisting keys to secrets management.

Other than the key and certificate storage, this program is stateless.

Observability

There is a configurable debug listener which exposes /debug/pprof and /metrics. Logs are printed in JSON to stderr.
