Upgrade Guide

SPORK CA is designed for safe, zero-downtime upgrades. Every upgrade method creates an automatic backup before making changes, so you can always roll back.

1. Pre-Upgrade Checklist

Before upgrading, verify the following:

Check your current version:
```
$ spork-acme --version
spork-acme 0.5.1
```

Create a manual backup (in addition to the automatic one):

$ sudo tar czf /root/spork-backup-$(date +%Y%m%d).tar.gz /opt/spork-acme/

Note any custom configuration: Record changes to /etc/spork/config.toml, systemd overrides, or environment files. Upgrades preserve configuration but it is good practice to have a record.
Review the changelog for the target version (see Version History below) for any breaking changes or migration steps.

2. Upgrade via Installer

The self-extracting installer automatically detects an existing SPORK CA installation and offers an upgrade path:

$ sudo ./spork-acme-installer-0.5.2-x86_64-linux

Verifying installer integrity... SHA3-256 OK
Extracting...

Existing SPORK CA installation detected (v0.5.1).
  Data directory: /opt/spork-acme/
  Binary: /opt/spork-acme/bin/spork-acme

Select an option:
  1. Upgrade to v0.5.2
  2. Fresh install (will back up existing data)
  3. Cancel
Selection: 1

Creating backup... /opt/spork-acme/backups/pre-upgrade-20260310-120000.tar.gz
Upgrading binary... done.
Restarting service... done.

Upgrade complete: v0.5.1 -> v0.5.2
Backup saved to: /opt/spork-acme/backups/pre-upgrade-20260310-120000.tar.gz

Info: The installer verifies its own integrity via embedded SHA3-256 checksums before extracting. If verification fails, the upgrade is aborted.

3. Upgrade via Auto-Detect Menu

If you already have spork-acme installed, simply run it with no arguments. The auto-detect logic finds the existing installation and presents the management menu:

$ sudo spork-acme

Existing SPORK CA installation detected (v0.5.1).

  1. Configure
  2. Backup
  3. Security
  4. Upgrade
  5. Status
  6. Uninstall
Selection: 4

Checking for updates...
New version available: v0.5.2

Upgrade will:
  - Create a full backup of /opt/spork-acme/
  - Replace /opt/spork-acme/bin/spork-acme with v0.5.2
  - Restart the spork-acme service

Proceed? [y/N]: y

Creating backup... /opt/spork-acme/backups/pre-upgrade-20260310-130000.tar.gz
Replacing binary... done.
Restarting spork-acme.service... done.

Upgrade complete: v0.5.1 -> v0.5.2

Note: This method requires the new version binary to be available. If upgrading from a downloaded binary, place it at a known path and run the auto-detect from that binary, or use the manual upgrade method below.

4. Manual Upgrade

For full control over the upgrade process, follow these steps:

Step 1: Stop the service

$ sudo systemctl stop spork-acme

Step 2: Back up the data directory

$ sudo cp -a /opt/spork-acme/ /opt/spork-acme.bak/

Step 3: Back up the current binary

$ sudo cp /usr/local/bin/spork-acme /usr/local/bin/spork-acme.bak

Step 4: Install the new binary

$ sudo cp ./spork-acme /usr/local/bin/spork-acme
$ sudo chmod 755 /usr/local/bin/spork-acme

Step 5: Verify the new version

$ spork-acme --version
spork-acme 0.5.2

Step 6: Start the service

$ sudo systemctl start spork-acme
$ sudo systemctl status spork-acme

Warning: Ensure the new binary is a static (musl) build if your system differs from the build environment. SPORK CA distributes static binaries that work on any Linux distribution.

5. Rollback

If the upgrade causes issues, roll back to the previous version:

Rollback from automatic backup

# Stop the service
$ sudo systemctl stop spork-acme

# Restore the previous binary
$ sudo cp /usr/local/bin/spork-acme.bak /usr/local/bin/spork-acme

# If data migration occurred, restore the data backup
$ sudo tar xzf /opt/spork-acme/backups/pre-upgrade-20260209-120000.tar.gz -C /

# Start the service
$ sudo systemctl start spork-acme

# Verify
$ spork-acme --version

Rollback from manual backup

# Stop the service
$ sudo systemctl stop spork-acme

# Restore binary
$ sudo cp /usr/local/bin/spork-acme.bak /usr/local/bin/spork-acme

# Restore data directory
$ sudo rm -rf /opt/spork-acme/
$ sudo cp -a /opt/spork-acme.bak/ /opt/spork-acme/

# Start the service
$ sudo systemctl start spork-acme

Info: SPORK CA uses SQLite with WAL mode. Database schema migrations are forward-compatible within the same minor version series (0.2.x). Rolling back across minor versions may require restoring the database from backup.

6. Version History

Critical: ProtectSystem=strict issue (#106) — If your systemd service file uses ProtectSystem=strict, editing and reloading the service file can wipe your state directory. Change to ProtectSystem=full immediately. This is fixed in v0.5.2+ generated service files.

v0.5.2 (2026-03-10)

EST/SCEP domain policy enforcement — Domain policy now applies to EST and SCEP protocols, not just ACME
Rate limiting — Per-IP (600/min) and per-account (300/min) rate limits with --no-rate-limit flag to disable
Constant-time EST auth — EST authentication uses constant-time comparison to prevent timing attacks
/health endpoint split — JSON health endpoint with CA status, signer health, CRL age, and uptime
/metrics auth — Prometheus metrics endpoint now requires authentication
Security headers — X-Content-Type-Options, X-Frame-Options, Content-Security-Policy on all responses
ProtectSystem=full — Systemd service files now use ProtectSystem=full instead of strict to prevent state directory wipes (#106)

v0.5.1 (2026-03-10)

Domain policy file — domain-policy.toml with glob patterns and deny-by-default mode
Wizard auto-generates policy — Setup wizard creates domain-policy.toml from allowed domain prompts
Guided DN input — Improved Distinguished Name builder in setup wizard
Policy source logging — Server logs show which policy file and patterns are active
Terms URL fix — Terms of service URL correctly displayed in ACME directory

v0.5.0 (2026-03-10)

Three protocols — ACME (RFC 8555) + EST (RFC 7030) + SCEP (RFC 8894) in a single binary
Three signers — Micro-CA, WinRM bridge to Windows CA, NDES bridge for SCEP
FIPS 140-3 default — aws-lc-rs backend, FIPS-approved algorithms by default
SCEP frontend — Full SCEP protocol support with CMS/PKCS#7 handling
EST enrollment — EST simple enrollment with mTLS client authentication
NDES backend — Bridge to Microsoft NDES for enterprise SCEP
WinRM bridge — Direct certificate signing via Windows CA over WinRM
REST API v1 — Full certificate management API with mTLS authentication
Prometheus metrics — Certificate, order, challenge, and account counters at /metrics
JSON health endpoint — CA status, signer health, CRL age at /health

v0.4.x (2026-03-05 to 2026-03-09)

SCEP CMS — SCEP CMS/PKCS#7 message parsing and generation
NDES bridge — Microsoft NDES backend integration
Cert-based WinRM — Certificate-based authentication for WinRM bridge
JWS URL validation — ACME JWS URL header validation per RFC 8555

v0.3.x (beta)

Beta releases with installer system and 5-package model
DEPRECATED — Superseded by v0.5.0 single-binary architecture

v0.2.6 (2026-02-11)

CAA validation (RFC 8659) — ACME server checks DNS CAA records before issuance with domain tree walk, wildcard support, and fail-closed policy
Deploy retarget — CI/CD now deploys to SporkDemo (Rocky 9, SELinux) via SSH instead of local filesystem
Multi-runner fix — Release pipeline deploys via SSH to web server regardless of which runner executes
Dynamic version — Deploy workflow derives version from release tag (no more hardcoded version)

v0.2.5 (2026-02-10)

EC curve detection fix — Fixed OID-based EC curve identification (was using debug string matching)
Trust-aware grading — Certificate grades now consider trust chain status
CSP fix — Admin dashboard allows inline styles/scripts; ACME API keeps strict CSP
PostgreSQL admin routes — ACME admin API wired to database persistence

v0.2.4 (2026-02-10)

Setup Wizard

Full LDAP DN prompts — Setup wizard now collects complete CA subject: Organization (O), Country (C), State/Province (ST), Locality (L), Organizational Unit (OU)
pathLenConstraint enforcement — 2-tier Root CA: pathLen=0 (no sub-CAs); 3-tier Root: pathLen=1, Issuing: pathLen=0
CA-style naming — DN preview on review screen (e.g., CN=Ogjos Root CA, O=Ogjos LLC, C=US)
Auto-launch wizard — Installer runs setup wizard immediately after extraction

Installer Improvements

ANSI color output fixed for /bin/sh, dash, and other POSIX shells
--verify flag works without root privileges
--uninstall checks root before prompting for confirmation
Removed broken server-side SHA256SUMS verification (installer already verifies via SHA3-256 + Ed25519)

Documentation & CI

Online documentation site: Install, Quick Start, ACME, Configuration, Upgrade guides
CI runner resilience: auto-restart, memory limits, CodeQL Rust disabled (OOM prevention)
Release signing key moved to GitHub Secrets
BSL-1.1 Change Date updated to 2130-01-01

v0.2.1 (2026-01-22)

Interactive Setup Wizard — Guided setup for first-time deployment
Built-in CA initialization (root + issuing) with spork-core
TLS server certificate auto-generation with SAN support
Systemd service installation with CRL timer
Smart auto-detect: no args runs wizard or shows management menu
Upgrade, uninstall, and status commands

v0.1.0 (2025-12-22)

Initial release
ACME server with RFC 8555 compliance (HTTP-01, DNS-01)
EST and SCEP protocol servers
Post-quantum cryptography: ML-DSA-44/65/87, SLH-DSA, composite signatures
Pure Rust — no OpenSSL, no C dependencies
OCSP responder, CRL generation, certificate lifecycle management
Three-tier licensing: Community, Standard, Enterprise