What's Changed

• sa: NewOrderAndAuthzs checks that nonzero authzs were provided by @jsha in #8464
• Add visibility into nonce redemption failure causes by @aarongable in #8448
• Use json tags to suppress Account fields in API responses by @aarongable in #8455
• Deprecate NoPendingAuthzReuse flag by @jsha in #8458
• build(deps): bump the aws group with 3 updates by @dependabot[bot] in #8467
• iana: Remove hardcoded multicast prefixes by @jprenken in #8456
• Remove Python tests for TLS-ALPN-01 by @jsha in #8457
• wfe/ra: Periodically load rate limit overrides from the database by @jprenken in #8407
• sfe: Create Salesforce Case at override request form submission time by @beautifulentropy in #8438
• Clean up dangling OCSP configs by @jenhagg in #8461

New Contributors

• @jenhagg made their first contribution in #8461

Full Changelog: v0.20251027.0...v0.20251103.0

What's Changed

• Add an extra timeout waiting for RVAs by @mcpherrinm in #8434
• Use a newer version of proxysql, consul, and redis by @pgporada in #8450
• Bind issuers to only issue for specified profiles by @aarongable in #8409
• build(deps): bump golang.org/x/sync from 0.16.0 to 0.17.0 by @dependabot[bot] in #8449
• Remove requirement for IncludeCRLDistributionPoints config by @aarongable in #8462
• Update README to reference t.sh and tn.sh by @aarongable in #8463
• bdns: remove logDNSError by @jsha in #8445
• Remove deprecated Temporary() usage in DNS retry logic by @sheurich in #8441
• Make release workflow compatible with immutable releases by @aarongable in #8454

Full Changelog: v0.20251021.0...v0.20251027.0

What's Changed

• Reduce nonce redemption flake by giving WFE time to mark SubConns READY by @aarongable in #8442
• Simplify IssueCertificate into straight-line code by @aarongable in #8424
• Delete sa.GetMaxExpiration and sa.GetRevokedCerts by @aarongable in #8401
• Ceremony: add checks for too-large validity period by @aarongable in #8446
• build(deps): bump the aws group with 3 updates by @dependabot[bot] in #8444
• Remove support for the old log line checksum format by @mcpherrinm in #8416

Full Changelog: v0.20251014.0...v0.20251021.0

What's Changed

• build(deps): bump the otel group with 6 updates by @dependabot[bot] in #8437
• sfe: Add configurable automatic approvals for first-tier limits by @beautifulentropy in #8381
• Switch to new log checksum format by @mcpherrinm in #8415
• Reland "SA: Stop supporting OCSP status NotReady" by @aarongable in #8430

Full Changelog: v0.20251007.0...v0.20251014.0

What's Changed

• Revert "SA: Stop supporting OCSP status NotReady" by @aarongable in #8429
• Introduce nonfunctional IssuerConfig.Profiles config field by @aarongable in #8423
• Refactor CA unittests to focus on top-level IssueCertificate by @aarongable in #8422
• Add logging of nonce prefix at nonce-service startup by @jsha in #8433
• publisher: Do not log failures to submit to audit logs by @beautifulentropy in #8435
• Update CI to go1.25.2 by @aarongable in #8436

Full Changelog: v0.20251003.0...v0.20251007.0

What's Changed

• CA: Stop using OCSP status NotReady by @aarongable in #8394
• Remove support for temporally-sharded CRLs by @aarongable in #8400
• wfe: Permit Transfer-Encoding: chunked HTTP request bodies by @benburkert in #8403
• build(deps): bump the aws group with 4 updates by @dependabot[bot] in #8392
• Use GetRevocationStatus instead of GetCertificateStatus by @aarongable in #8402
• Start accepting a new log checksum format by @mcpherrinm in #8413

New Contributors

• @benburkert made their first contribution in #8403

Full Changelog: v0.20250922.0...v0.20250929.0

What's Changed

• Remove '-tags "integration"' from build by @jsha in #8383
• feat: Support for dns-account-01 Challenge by @sheurich in #8149
• test: Work around integration failures & flake by @jprenken in #8393
• Delete akamai-purger by @aarongable in #8352
• Upload releases to GHCR by @jprenken in #8386
• Move //revocation/reasons.go into the post-OCSP world by @aarongable in #8355
• Remove "ocsp-response" Ceremony type by @aarongable in #8396
• Ceremony: remove support for AIA OCSP URIs by @aarongable in #8397
• issuance: Remove last vestiges of OCSP support by @aarongable in #8398
• Recognize, but do not process, issuevmc CAA tags by @BartG95 in #8374
• Fix location of release.md by @pgporada in #8404

New Contributors

• @BartG95 made their first contribution in #8374

Full Changelog: v0.20250908.0...v0.20250922.0

What's Changed

• Upgrade to latest publicsuffix-go by @mcpherrinm in #8376
• sfe: Export emails to mailing list at submission time by @beautifulentropy in #8378
• sfe: Periodically import approved rate limit override tickets by @beautifulentropy in #8372
• build(deps): bump docker/login-action from 3.4.0 to 3.5.0 by @dependabot[bot] in #8375

Full Changelog: v0.20250902.0...v0.20250908.0

What's Changed

• test: Enable optional coverage reporting by @akshithg in #8306
• sfe: Add rate limit override request portal Web UI and endpoints by @beautifulentropy in #8365
• Run go's modernize tool by @mcpherrinm in #8371
• sfe: Add per IP rate limits to the overrides request form submissions by @beautifulentropy in #8366

New Contributors

• @akshithg made their first contribution in #8306

Full Changelog: v0.20250825.0...v0.20250902.0

What's Changed

• test: rewrite CAA integration test in Go by @jsha in #8340
• test: Remove go1.24.x by @beautifulentropy in #8364
• RA: remove dependency on akamai-purger by @aarongable in #8353
• CA: delete GenerateOCSP method by @aarongable in #8351
• Ceremony: allow CRL ceremonies to skip certain lints by @aarongable in #8368
• sfe/zendesk: Add support for status to Zendesk client by @beautifulentropy in #8367

Full Changelog: v0.20250819.0...v0.20250825.0