chore: bump version badge to v2.0.2

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat: add ACME DNS-PERSIST-01 challenge support (IETF draft-ietf-acme-dns-persist)
2026-06-08 04:58:51 +00:00 · 2026-03-26 14:24:50 -04:00 · 2026-03-26 14:23:46 -04:00 · 2026-03-26 11:55:01 -04:00 · 2026-03-26 11:37:14 -04:00 · 2026-03-26 11:35:16 -04:00
13 changed files with 383 additions and 131 deletions
@@ -65,8 +65,8 @@ jobs:
            ## Docker Images

            ```bash
-            docker pull ghcr.io/shankar0123/certctl-server:${{ steps.version.outputs.VERSION }}
-            docker pull ghcr.io/shankar0123/certctl-agent:${{ steps.version.outputs.VERSION }}
+            docker pull shankar0123.docker.scarf.sh/certctl-server:${{ steps.version.outputs.VERSION }}
+            docker pull shankar0123.docker.scarf.sh/certctl-agent:${{ steps.version.outputs.VERSION }}
            ```

            ## Quick Start
@@ -7,7 +7,7 @@

 # certctl — Self-Hosted Certificate Lifecycle Platform

-90+ API endpoints. 21 database tables. 900+ tests. Full GUI. Ships with Docker Compose.
+95+ API endpoints. 21 database tables. 930+ tests. Full GUI. Ships with Docker Compose.

 ```mermaid
 timeline
@@ -26,7 +26,7 @@ certctl is a self-hosted platform that automates the entire certificate lifecycl

 [![License](https://img.shields.io/badge/license-BSL%201.1-blue.svg)](LICENSE)
 [![Go Report Card](https://goreportcard.com/badge/github.com/shankar0123/certctl)](https://goreportcard.com/report/github.com/shankar0123/certctl)
-![Version: v2.0.0](https://img.shields.io/badge/version-v2.0.0-brightgreen)
+![Version: v2.0.2](https://img.shields.io/badge/version-v2.0.2-brightgreen)

 ## Documentation

@@ -63,7 +63,7 @@ Certificate lifecycle tooling today falls into two camps: expensive enterprise p

 certctl fills that gap. It's **CA-agnostic** — the issuer connector interface means you can plug in any certificate authority: a self-signed local CA for dev, Let's Encrypt via ACME for public certs, Smallstep step-ca for your private PKI, your enterprise ADCS via sub-CA mode, or any custom CA through a shell script adapter. You're never locked to a single CA vendor, and you can run multiple issuers simultaneously for different certificate types.

-It's also **target-agnostic**. Agents deploy certificates to NGINX, Apache, and HAProxy today, with the same pluggable connector model for any server that accepts cert files. The control plane never initiates outbound connections — agents poll for work, which means certctl works behind firewalls, across network zones, and in air-gapped environments.
+It's also **target-agnostic**. Agents deploy certificates to NGINX, Apache, and HAProxy today, with Traefik and Caddy support coming next — all using the same pluggable connector model for any server that accepts cert files. The control plane never initiates outbound connections — agents poll for work, which means certctl works behind firewalls, across network zones, and in air-gapped environments.

 ## What It Does

@@ -72,7 +72,7 @@ certctl gives you a single pane of glass for every TLS certificate in your organ
 **Core capabilities:**

 - **Full lifecycle automation** — issuance, renewal, deployment, and revocation with zero human intervention. Configurable renewal policies trigger jobs automatically based on expiration thresholds.
- **CA-agnostic issuer connectors** — Local CA (self-signed + sub-CA for enterprise root chains), ACME v2 with HTTP-01 and DNS-01 challenges (Let's Encrypt, Sectigo, any ACME-compatible CA), Smallstep step-ca (native /sign API), and OpenSSL/Custom CA (delegate to any shell script). Pluggable interface — add your own CA in one file.
+- **CA-agnostic issuer connectors** — Local CA (self-signed + sub-CA for enterprise root chains), ACME v2 with HTTP-01, DNS-01, and DNS-PERSIST-01 challenges (Let's Encrypt, Sectigo, any ACME-compatible CA), Smallstep step-ca (native /sign API), and OpenSSL/Custom CA (delegate to any shell script). Pluggable interface — add your own CA in one file.
 - **Agent-side key generation** — agents generate ECDSA P-256 keys locally, store them with 0600 permissions, and submit only the CSR. Private keys never touch the control plane. This is the default mode, not an opt-in feature.
 - **Certificate discovery** — agents scan filesystems for existing PEM/DER certificates and report findings for triage. The network scanner probes TLS endpoints across CIDR ranges to find certificates you didn't know existed.
 - **Revocation infrastructure** — RFC 5280 revocation with all standard reason codes, DER-encoded X.509 CRL per issuer, embedded OCSP responder, and short-lived certificate exemption (certs under 1 hour skip CRL/OCSP).
@@ -82,50 +82,48 @@ certctl gives you a single pane of glass for every TLS certificate in your organ
 - **Observability** — JSON and Prometheus metrics endpoints, 5 stats API endpoints for dashboards, structured slog logging with request ID propagation. Compatible with Prometheus, Grafana Agent, Datadog Agent, and Victoria Metrics.
 - **Notifications** — threshold-based alerting with deduplication. Routes to email, webhooks, Slack, Microsoft Teams, PagerDuty, and OpsGenie.
 - **EST enrollment (RFC 7030)** — built-in Enrollment over Secure Transport server for device certificate enrollment. Supports WiFi/802.1X, MDM, and IoT use cases. PKCS#7 certs-only wire format, accepts PEM or base64-encoded DER CSRs, configurable issuer and profile binding.
+- **Multi-purpose certificates** — certificate profiles support arbitrary EKU (Extended Key Usage) constraints. TLS (serverAuth/clientAuth) today, with S/MIME (emailProtection) and code signing support coming in v2.0.2.
 - **AI and CLI access** — MCP server exposes all 78 API operations as tools for Claude, Cursor, and any MCP-compatible client. CLI tool with 12 subcommands for terminal workflows and scripting.

-```mermaid
-flowchart LR
-    subgraph "Control Plane"
-        API["REST API + Dashboard\n:8443"]
-        PG[("PostgreSQL")]
-    end
-
-    subgraph "Your Infrastructure"
-        A1["Agent"] --> T1["NGINX"]
-        A2["Agent"] --> T2["Apache / HAProxy"]
-        A3["Agent"] --> T3["F5 · IIS"]
-    end
-
-    API --> PG
-    A1 & A2 & A3 -->|"CSR + status\n(no private keys)"| API
-    API -->|"Signed certs"| A1 & A2 & A3
-    API -->|"Issue/Renew"| CA["Certificate Authorities\nLocal CA · ACME · step-ca · OpenSSL"]
-```
-
 ### Screenshots

-| | |
-|---|---|
-| ![Dashboard](docs/screenshots/v2/dashboard.png) | ![Certificates](docs/screenshots/v2/certificates.png) |
-| **Dashboard** — real-time stats, expiration heatmap, renewal trends, issuance rate | **Certificates** — full inventory with status filters, environment, owner, team |
-| ![Agents](docs/screenshots/v2/agents.png) | ![Fleet Overview](docs/screenshots/v2/fleet-overview.png) |
-| **Agents** — fleet health, hostname, OS/arch, IP, version tracking | **Fleet Overview** — OS distribution, status breakdown, version analysis |
-| ![Jobs](docs/screenshots/v2/jobs.png) | ![Notifications](docs/screenshots/v2/notifications.png) |
-| **Jobs** — issuance, renewal, deployment job queue with status filters | **Notifications** — expiration warnings, renewal results, unread/all toggle |
-| ![Policies](docs/screenshots/v2/policies.png) | ![Profiles](docs/screenshots/v2/profiles.png) |
-| **Policies** — enforcement rules for ownership, environments, lifetime, renewal | **Profiles** — enrollment templates with key types, max TTL, crypto constraints |
-| ![Issuers](docs/screenshots/v2/issuers.png) | ![Targets](docs/screenshots/v2/targets.png) |
-| **Issuers** — CA connectors (Local CA, Let's Encrypt, step-ca, DigiCert) | **Targets** — deployment targets (NGINX, F5 BIG-IP, IIS, HAProxy) |
-| ![Owners](docs/screenshots/v2/owners.png) | ![Teams](docs/screenshots/v2/teams.png) |
-| **Owners** — certificate ownership with email and team assignment | **Teams** — organizational grouping for notification routing |
-| ![Agent Groups](docs/screenshots/v2/agent-groups.png) | ![Audit Trail](docs/screenshots/v2/audit-trail.png) |
-| **Agent Groups** — dynamic grouping by OS, arch, CIDR, version | **Audit Trail** — immutable log with filters, CSV/JSON export |
-| ![Short-Lived](docs/screenshots/v2/short-lived.png) | |
-| **Short-Lived Credentials** — ephemeral certs with live TTL countdown | |
+<table>
+<tr>
+<td><a href="docs/screenshots/v2/dashboard.png"><img src="docs/screenshots/v2/dashboard.png" width="270" alt="Dashboard"></a><br><b>Dashboard</b><br><sub>Stats, expiration heatmap, renewal trends</sub></td>
+<td><a href="docs/screenshots/v2/certificates.png"><img src="docs/screenshots/v2/certificates.png" width="270" alt="Certificates"></a><br><b>Certificates</b><br><sub>Inventory with status, owner, team filters</sub></td>
+<td><a href="docs/screenshots/v2/agents.png"><img src="docs/screenshots/v2/agents.png" width="270" alt="Agents"></a><br><b>Agents</b><br><sub>Fleet health, OS/arch, IP, version</sub></td>
+</tr>
+<tr>
+<td><a href="docs/screenshots/v2/fleet-overview.png"><img src="docs/screenshots/v2/fleet-overview.png" width="270" alt="Fleet Overview"></a><br><b>Fleet Overview</b><br><sub>OS distribution, status breakdown</sub></td>
+<td><a href="docs/screenshots/v2/jobs.png"><img src="docs/screenshots/v2/jobs.png" width="270" alt="Jobs"></a><br><b>Jobs</b><br><sub>Issuance, renewal, deployment queue</sub></td>
+<td><a href="docs/screenshots/v2/notifications.png"><img src="docs/screenshots/v2/notifications.png" width="270" alt="Notifications"></a><br><b>Notifications</b><br><sub>Expiration warnings, renewal results</sub></td>
+</tr>
+<tr>
+<td><a href="docs/screenshots/v2/policies.png"><img src="docs/screenshots/v2/policies.png" width="270" alt="Policies"></a><br><b>Policies</b><br><sub>Ownership, lifetime, renewal rules</sub></td>
+<td><a href="docs/screenshots/v2/profiles.png"><img src="docs/screenshots/v2/profiles.png" width="270" alt="Profiles"></a><br><b>Profiles</b><br><sub>Key types, max TTL, crypto constraints</sub></td>
+<td><a href="docs/screenshots/v2/issuers.png"><img src="docs/screenshots/v2/issuers.png" width="270" alt="Issuers"></a><br><b>Issuers</b><br><sub>Local CA, ACME, step-ca connectors</sub></td>
+</tr>
+<tr>
+<td><a href="docs/screenshots/v2/targets.png"><img src="docs/screenshots/v2/targets.png" width="270" alt="Targets"></a><br><b>Targets</b><br><sub>NGINX, Apache, HAProxy deployment</sub></td>
+<td><a href="docs/screenshots/v2/owners.png"><img src="docs/screenshots/v2/owners.png" width="270" alt="Owners"></a><br><b>Owners</b><br><sub>Cert ownership with team assignment</sub></td>
+<td><a href="docs/screenshots/v2/teams.png"><img src="docs/screenshots/v2/teams.png" width="270" alt="Teams"></a><br><b>Teams</b><br><sub>Org grouping for notification routing</sub></td>
+</tr>
+<tr>
+<td><a href="docs/screenshots/v2/agent-groups.png"><img src="docs/screenshots/v2/agent-groups.png" width="270" alt="Agent Groups"></a><br><b>Agent Groups</b><br><sub>Dynamic grouping by OS, arch, CIDR</sub></td>
+<td><a href="docs/screenshots/v2/audit-trail.png"><img src="docs/screenshots/v2/audit-trail.png" width="270" alt="Audit Trail"></a><br><b>Audit Trail</b><br><sub>Immutable log, CSV/JSON export</sub></td>
+<td><a href="docs/screenshots/v2/short-lived.png"><img src="docs/screenshots/v2/short-lived.png" width="270" alt="Short-Lived"></a><br><b>Short-Lived Creds</b><br><sub>Ephemeral certs with live TTL countdown</sub></td>
+</tr>
+</table>

 ## Quick Start

+### Docker Pull
+
+```bash
+docker pull shankar0123.docker.scarf.sh/certctl-server
+docker pull shankar0123.docker.scarf.sh/certctl-agent
+```
+
 ### Docker Compose (Recommended)

 ```bash
@@ -172,30 +170,7 @@ export CERTCTL_AGENT_ID=agent-local-01

 ## Architecture

-```mermaid
-flowchart TB
-    subgraph "Control Plane (certctl-server)"
-        DASH["Web Dashboard\nReact SPA"]
-        API["REST API\nGo 1.25 net/http"]
-        SVC["Service Layer"]
-        REPO["Repository Layer\ndatabase/sql + lib/pq"]
-        SCHED["Scheduler\nRenewal · Jobs · Health · Notifications · Short-Lived Expiry · Network Scan"]
-    end
-
-    subgraph "Data Store"
-        PG[("PostgreSQL 16\n21 tables\nTEXT primary keys")]
-    end
-
-    subgraph "Agents"
-        AG["certctl-agent\nKey generation · CSR · Deployment"]
-    end
-
-    DASH --> API
-    API --> SVC --> REPO --> PG
-    SCHED --> SVC
-    AG -->|"Heartbeat + CSR"| API
-    API -->|"Cert + Chain"| AG
-```
+**Control plane** (Go 1.25 net/http) → **PostgreSQL 16** (21 tables, TEXT primary keys) → **Agents** (key generation, CSR submission, cert deployment). Background scheduler runs 6 loops: renewal checks (1h), job processing (30s), agent health (2m), notifications (1m), short-lived cert expiry (30s), network scanning (6h). See [Architecture Guide](docs/architecture.md) for full system diagrams and data flow.

 ### Key Design Decisions

@@ -247,7 +222,7 @@ All server environment variables use the `CERTCTL_` prefix:
 | `CERTCTL_KEYGEN_MODE` | `agent` | Key generation mode: `agent` (production) or `server` (demo only) |
 | `CERTCTL_ACME_DIRECTORY_URL` | — | ACME directory URL (e.g., Let's Encrypt staging) |
 | `CERTCTL_ACME_EMAIL` | — | Contact email for ACME account registration |
-| `CERTCTL_ACME_CHALLENGE_TYPE` | — | ACME challenge type: `http-01` (default) or `dns-01` |
+| `CERTCTL_ACME_CHALLENGE_TYPE` | — | ACME challenge type: `http-01` (default), `dns-01`, or `dns-persist-01` |
 | `CERTCTL_CA_CERT_PATH` | — | Path to CA certificate for sub-CA mode |
 | `CERTCTL_CA_KEY_PATH` | — | Path to CA private key for sub-CA mode |
 | `CERTCTL_CORS_ORIGINS` | — | Comma-separated allowed CORS origins (empty = same-origin, `*` = all) |
@@ -259,8 +234,9 @@ All server environment variables use the `CERTCTL_` prefix:
 | `CERTCTL_SCHEDULER_JOB_PROCESSOR_INTERVAL` | `30s` | How often the scheduler processes pending jobs |
 | `CERTCTL_SCHEDULER_AGENT_HEALTH_CHECK_INTERVAL` | `2m` | How often the scheduler checks agent health |
 | `CERTCTL_SCHEDULER_NOTIFICATION_PROCESS_INTERVAL` | `1m` | How often the scheduler processes pending notifications |
-| `CERTCTL_ACME_DNS_PRESENT_SCRIPT` | — | Script to create DNS-01 `_acme-challenge` TXT record |
-| `CERTCTL_ACME_DNS_CLEANUP_SCRIPT` | — | Script to remove DNS-01 `_acme-challenge` TXT record |
+| `CERTCTL_ACME_DNS_PRESENT_SCRIPT` | — | Script to create DNS TXT record (`_acme-challenge` for dns-01, `_validation-persist` for dns-persist-01) |
+| `CERTCTL_ACME_DNS_CLEANUP_SCRIPT` | — | Script to remove DNS-01 `_acme-challenge` TXT record (not used by dns-persist-01) |
+| `CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN` | — | CA issuer domain for dns-persist-01 (e.g., `letsencrypt.org`) |
 | `CERTCTL_STEPCA_URL` | — | step-ca server URL |
 | `CERTCTL_STEPCA_PROVISIONER` | — | step-ca JWK provisioner name |
 | `CERTCTL_STEPCA_KEY_PATH` | — | Path to step-ca provisioner private key (JWK JSON) |
@@ -515,13 +491,13 @@ GET    /ready                             Readiness check
 | Issuer | Status | Type |
 |--------|--------|------|
 | Local CA (self-signed + sub-CA) | Implemented | `GenericCA` |
-| ACME v2 (Let's Encrypt, Sectigo) | Implemented (HTTP-01 + DNS-01) | `ACME` |
+| ACME v2 (Let's Encrypt, Sectigo) | Implemented (HTTP-01 + DNS-01 + DNS-PERSIST-01) | `ACME` |
 | step-ca | Implemented | `StepCA` |
 | OpenSSL / Custom CA | Implemented | `OpenSSL` |
-| Vault PKI | Planned | — |
-| DigiCert | Planned | — |
+| Vault PKI | Future | — |
+| DigiCert | Future | — |

-**Note:** ADCS integration is handled via the Local CA's sub-CA mode — certctl operates as a subordinate CA with its signing certificate issued by ADCS.
+**Note:** ADCS integration is handled via the Local CA's sub-CA mode — certctl operates as a subordinate CA with its signing certificate issued by ADCS. Any CA with a shell-accessible signing interface can be integrated today via the OpenSSL/Custom CA connector.

 ### Deployment Targets
 | Target | Status | Type |
@@ -529,9 +505,10 @@ GET    /ready                             Readiness check
 | NGINX | Implemented | `NGINX` |
 | Apache httpd | Implemented | `Apache` |
 | HAProxy | Implemented | `HAProxy` |
+| Traefik | Planned (v2.1.x) | `Traefik` |
+| Caddy | Planned (v2.1.x) | `Caddy` |
 | F5 BIG-IP | Interface only | `F5` |
 | Microsoft IIS | Interface only | `IIS` |
-| Kubernetes Secrets | Planned | — |

 ### Notifiers
 | Notifier | Status | Type |
@@ -597,7 +574,7 @@ All nine development milestones (M1–M9) are complete. The backend covers the f
 ### V2: Operational Maturity
 - **M10: Agent Metadata + Targets** ✅ — agents report OS, architecture, IP, hostname, version via heartbeat; Apache httpd and HAProxy target connectors
 - **M11: Crypto Policy + Profiles + Ownership** ✅ — certificate profiles (named enrollment profiles with allowed key types, max TTL, crypto constraints), certificate ownership tracking (owners + teams + notification routing), dynamic agent groups (OS/arch/IP CIDR/version matching), interactive renewal approval (AwaitingApproval state)
- **M12: Sub-CA + DNS-01 + step-ca** ✅ — Local CA sub-CA mode (enterprise root chain with RSA/ECDSA/PKCS#8), ACME DNS-01 challenges (script-based DNS hooks for any provider, wildcard cert support), step-ca issuer connector (native /sign API with JWK provisioner auth)
+- **M12: Sub-CA + DNS-01 + step-ca** ✅ — Local CA sub-CA mode (enterprise root chain with RSA/ECDSA/PKCS#8), ACME DNS-01 challenges (script-based DNS hooks for any provider, wildcard cert support), ACME DNS-PERSIST-01 challenges (standing TXT record, no per-renewal DNS updates, auto-fallback to dns-01), step-ca issuer connector (native /sign API with JWK provisioner auth)
 - **M15a: Core Revocation** ✅ — revocation API with all RFC 5280 reason codes, JSON CRL endpoint, webhook + email revocation notifications, best-effort issuer notification, `certificate_revocations` table with idempotent recording, 48 new tests
 - **M15b: OCSP + Revocation GUI** ✅ — embedded OCSP responder (GET /api/v1/ocsp/{issuer_id}/{serial}), DER-encoded X.509 CRL (GET /api/v1/crl/{issuer_id}), short-lived cert exemption (TTL < 1h skip CRL/OCSP), revocation GUI with reason modal, ~31 new tests
 - **M13: GUI Operations** ✅ — bulk cert operations (multi-select → renew, revoke, reassign owner), deployment status timeline, inline policy/profile editor, target connector configuration wizard, audit trail export (CSV/JSON), short-lived credentials dashboard view
@@ -613,15 +590,16 @@ All nine development milestones (M1–M9) are complete. The backend covers the f
 - **M22: Prometheus Metrics** ✅ — `GET /api/v1/metrics/prometheus` returns Prometheus exposition format (`text/plain; version=0.0.4`), 11 metrics with `certctl_` prefix, compatible with Prometheus, Grafana Agent, Datadog Agent, Victoria Metrics
 - **M23: EST Server (RFC 7030)** ✅ — Enrollment over Secure Transport for device/WiFi certificate enrollment, 4 endpoints under /.well-known/est/, PKCS#7 certs-only wire format, base64-encoded DER CSR input, configurable issuer + profile binding, audit trail, 28 new tests
 - **Compliance Mapping** ✅ — SOC 2 Type II, PCI-DSS 4.0, NIST SP 800-57 capability mapping documentation
+- **M24: S/MIME Certificate Support** (Planned — v2.0.2) — wire profile EKU constraints through the issuance pipeline so certctl can issue S/MIME (emailProtection), code signing, and custom EKU certificates, not just TLS
+- **M25: Traefik + Caddy Targets** (Planned — v2.1.x) — Traefik (file provider, auto-reload on filesystem change) and Caddy (Admin API, hot-reload) deployment target connectors
+- **M26: Certificate Export** (Planned — v2.1.x) — single-certificate download in PFX/PKCS12, DER, and PEM formats with optional chain inclusion, GUI download button on certificate detail page

 ### V3: certctl Pro

 Team access controls, identity provider integration, enterprise deployment targets, compliance and risk scoring, advanced fleet operations, event-driven architecture, advanced search, real-time operational views, and premium CA integrations.

-> **Need SSO, RBAC, F5/IIS deployment, or real-time fleet operations?** [Join the certctl Pro waitlist](https://forms.gle/YOUR_FORM_ID) — early access shipping Q2 2026.
-
 ### V4+: Cloud, Scale & Passive Discovery
-Passive network discovery (TLS listener), Kubernetes integration, cloud infrastructure targets (AWS ALB/ACM, Azure Key Vault), extended CA support, and platform-scale features.
+Passive network discovery (TLS listener), Kubernetes integration (cert-manager external issuer, Secrets target), cloud infrastructure targets (AWS ALB/ACM, Azure Key Vault), extended CA support (Vault PKI, Google CAS, EJBCA), and platform-scale features (Terraform provider, multi-tenancy, HSM support).

 ## License

@@ -98,13 +98,14 @@ func main() {
 	logger.Info("initialized Local CA issuer connector")

 	// Initialize ACME issuer connector (for Let's Encrypt, Sectigo, etc.)
-	// Supports HTTP-01 (default) and DNS-01 (for wildcards) challenge types.
+	// Supports HTTP-01 (default), DNS-01 (for wildcards), and DNS-PERSIST-01 (standing record) challenge types.
 	acmeConnector := acmeissuer.New(&acmeissuer.Config{
-		DirectoryURL:       os.Getenv("CERTCTL_ACME_DIRECTORY_URL"),
-		Email:              os.Getenv("CERTCTL_ACME_EMAIL"),
-		ChallengeType:      os.Getenv("CERTCTL_ACME_CHALLENGE_TYPE"),
-		DNSPresentScript:   os.Getenv("CERTCTL_ACME_DNS_PRESENT_SCRIPT"),
-		DNSCleanUpScript:   os.Getenv("CERTCTL_ACME_DNS_CLEANUP_SCRIPT"),
+		DirectoryURL:           os.Getenv("CERTCTL_ACME_DIRECTORY_URL"),
+		Email:                  os.Getenv("CERTCTL_ACME_EMAIL"),
+		ChallengeType:          os.Getenv("CERTCTL_ACME_CHALLENGE_TYPE"),
+		DNSPresentScript:       os.Getenv("CERTCTL_ACME_DNS_PRESENT_SCRIPT"),
+		DNSCleanUpScript:       os.Getenv("CERTCTL_ACME_DNS_CLEANUP_SCRIPT"),
+		DNSPersistIssuerDomain: os.Getenv("CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN"),
 	}, logger)
 	logger.Info("initialized ACME issuer connector")

@@ -41,7 +41,7 @@ flowchart TB

    subgraph "Issuer Backends"
        CA1["Local CA\n(crypto/x509, sub-CA)"]
-        CA2["ACME\n(HTTP-01 + DNS-01)"]
+        CA2["ACME\n(HTTP-01 + DNS-01 + DNS-PERSIST-01)"]
        CA3["step-ca\n(/sign API)"]
        CA4["OpenSSL / Custom CA\n(script-based)"]
        CA6["Vault PKI\n(planned)"]
@@ -527,7 +527,7 @@ type Connector interface {
 }
 ```

-Built-in issuers: **Local CA** (self-signed or sub-CA mode using `crypto/x509`), **ACME v2** (HTTP-01 and DNS-01 challenges, compatible with Let's Encrypt, Sectigo, and any ACME-compliant CA), **step-ca** (Smallstep private CA via native /sign API with JWK provisioner auth), and **OpenSSL/Custom CA** (script-based signing delegating to user-provided shell scripts). The ACME connector uses `golang.org/x/crypto/acme`, generates an ECDSA P-256 account key, handles account registration with ToS acceptance, order creation, challenge solving (HTTP-01 via built-in server, DNS-01 via script-based hooks), order finalization, and DER-to-PEM chain conversion. The interface also includes `GetCACertPEM(ctx)` for CA chain distribution (used by the EST server's `/cacerts` endpoint).
+Built-in issuers: **Local CA** (self-signed or sub-CA mode using `crypto/x509`), **ACME v2** (HTTP-01, DNS-01, and DNS-PERSIST-01 challenges, compatible with Let's Encrypt, Sectigo, and any ACME-compliant CA), **step-ca** (Smallstep private CA via native /sign API with JWK provisioner auth), and **OpenSSL/Custom CA** (script-based signing delegating to user-provided shell scripts). The ACME connector uses `golang.org/x/crypto/acme`, generates an ECDSA P-256 account key, handles account registration with ToS acceptance, order creation, challenge solving (HTTP-01 via built-in server, DNS-01 via script-based hooks, DNS-PERSIST-01 via standing TXT records with auto-fallback to DNS-01), order finalization, and DER-to-PEM chain conversion. The interface also includes `GetCACertPEM(ctx)` for CA chain distribution (used by the EST server's `/cacerts` endpoint).

 ### Target Connector

@@ -869,7 +869,7 @@ certctl uses a layered testing approach aligned with the handler → service →

 **CI pipeline** (`.github/workflows/ci.yml`) — Two parallel jobs: Go (build, vet, test with coverage, coverage threshold enforcement) and Frontend (TypeScript type check, Vitest test suite, Vite production build). The Go job runs all tests with `-coverprofile`, then enforces coverage thresholds: service layer must be at least 30% (current: ~35%) and handler layer must be at least 50% (current: ~63%). These thresholds act as regression floors — they can only go up. The service layer threshold is deliberately lower because much of the service code depends on postgres repositories and external connectors that require real infrastructure to test meaningfully. Connector tests are included via `./internal/connector/issuer/...` and `./internal/connector/target/...` (covers Local CA, ACME, step-ca, NGINX, Apache, and HAProxy packages with unit tests for certificate signing logic, DNS solver, issuer validation, and deployment flows). The Frontend job runs `npx vitest run` between the TypeScript check and production build steps.

-**Connector tests** (`internal/connector/`) — 57 test functions covering issuer, target, and notifier connectors. The Local CA connector has tests for self-signed and sub-CA modes (RSA, ECDSA, config validation, non-CA cert rejection). The ACME DNS solver has 6 tests for script-based DNS-01 challenges. The step-ca connector has tests with a mock HTTP server for issuance, renewal, revocation, and error paths. The OpenSSL/Custom CA connector has 14 tests covering config validation, issuance success/failure/timeout, renewal, revocation, and CRL generation. The NGINX target connector has 13 tests covering config validation, certificate deployment (file writing, permissions, validate/reload commands), and deployment validation. Apache httpd and HAProxy connectors each have 3 tests covering config validation, deployment, and validation flows. Notifier connector tests span 20 tests across Slack (5), Teams (4), PagerDuty (6), and OpsGenie (5) — verifying channel identity, payload formatting, HTTP error handling, connection failures, auth headers, and configuration defaults.
+**Connector tests** (`internal/connector/`) — 57 test functions covering issuer, target, and notifier connectors. The Local CA connector has tests for self-signed and sub-CA modes (RSA, ECDSA, config validation, non-CA cert rejection). The ACME DNS solver has 10 tests for script-based DNS-01 and DNS-PERSIST-01 challenges (6 DNS-01 tests + 4 DNS-PERSIST-01 tests covering `PresentPersist` success, no-script error, script failure, and wildcard domain handling). The step-ca connector has tests with a mock HTTP server for issuance, renewal, revocation, and error paths. The OpenSSL/Custom CA connector has 14 tests covering config validation, issuance success/failure/timeout, renewal, revocation, and CRL generation. The NGINX target connector has 13 tests covering config validation, certificate deployment (file writing, permissions, validate/reload commands), and deployment validation. Apache httpd and HAProxy connectors each have 3 tests covering config validation, deployment, and validation flows. Notifier connector tests span 20 tests across Slack (5), Teams (4), PagerDuty (6), and OpsGenie (5) — verifying channel identity, payload formatting, HTTP error handling, connection failures, auth headers, and configuration defaults.

 **What's not tested and why:** Postgres repository implementations (`internal/repository/postgres/`) require a real database and are tested only through integration tests, not unit tests. Target connectors for F5 BIG-IP and IIS are interface stubs (implementation planned for a future release). Scheduler loops are time-dependent and tested manually during development. The ACME connector requires a real ACME server (tested manually against Let's Encrypt staging). These are all candidates for future expansion as the test infrastructure matures.

@@ -34,9 +34,9 @@ certctl includes a built-in **Local CA** that can operate in two modes: self-sig

 ### ACME Protocol

-ACME (Automatic Certificate Management Environment) is the protocol Let's Encrypt created for automated certificate issuance. Instead of filling out forms and waiting for emails, ACME lets software request, validate, and receive certificates programmatically. The server proves domain ownership by responding to challenges — placing a specific file on the web server (HTTP-01) or creating a DNS record (DNS-01).
+ACME (Automatic Certificate Management Environment) is the protocol Let's Encrypt created for automated certificate issuance. Instead of filling out forms and waiting for emails, ACME lets software request, validate, and receive certificates programmatically. The server proves domain ownership by responding to challenges — placing a specific file on the web server (HTTP-01), creating a DNS record (DNS-01), or maintaining a standing DNS record that persists across renewals (DNS-PERSIST-01).

-certctl speaks ACME natively with both HTTP-01 and DNS-01 challenges, so it can request certificates — including wildcard certificates — from Let's Encrypt or any ACME-compatible CA without manual intervention. HTTP-01 uses a built-in temporary HTTP server for domain validation; DNS-01 uses pluggable script-based hooks to create TXT records with any DNS provider (Cloudflare, Route53, Azure DNS, etc.).
+certctl speaks ACME natively with HTTP-01, DNS-01, and DNS-PERSIST-01 challenges, so it can request certificates — including wildcard certificates — from Let's Encrypt or any ACME-compatible CA without manual intervention. HTTP-01 uses a built-in temporary HTTP server for domain validation; DNS-01 uses pluggable script-based hooks to create TXT records with any DNS provider (Cloudflare, Route53, Azure DNS, etc.); DNS-PERSIST-01 creates a standing `_validation-persist` TXT record once (containing the CA domain and account URI) that the CA revalidates on every renewal — no per-renewal DNS updates needed. If the CA doesn't yet support DNS-PERSIST-01, certctl automatically falls back to DNS-01.

 ### EST Protocol (Enrollment over Secure Transport)

@@ -6,7 +6,7 @@ Connectors extend certctl to integrate with external systems for certificate iss

 Three types of connectors:

-1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01, step-ca, OpenSSL/Custom CA implemented; additional CA integrations planned)
+1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01 + DNS-PERSIST-01, step-ca, OpenSSL/Custom CA implemented; additional CA integrations planned)
 2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy implemented; F5 via proxy agent, IIS dual-mode interface only; additional cloud and network targets planned)
 3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie implemented)

@@ -116,12 +116,14 @@ Location: `internal/connector/issuer/local/local.go`

 ### Built-in: ACME v2 (Let's Encrypt, Sectigo, ZeroSSL)

-The ACME connector implements the full ACME v2 protocol using Go's `golang.org/x/crypto/acme` package. It supports two challenge methods:
+The ACME connector implements the full ACME v2 protocol using Go's `golang.org/x/crypto/acme` package. It supports three challenge methods:

 **HTTP-01 (default):** A built-in temporary HTTP server starts on demand during certificate issuance. The domain being validated must resolve to the machine running the connector, and the configured HTTP port must be reachable from the internet.

 **DNS-01 (for wildcards):** Creates DNS TXT records via user-provided scripts. Required for wildcard certificates (`*.example.com`) and hosts that can't serve HTTP on port 80. The connector invokes external scripts to create and clean up `_acme-challenge` TXT records, making it compatible with any DNS provider (Cloudflare, Route53, Azure DNS, etc.).

+**DNS-PERSIST-01 (standing record):** Creates a one-time persistent TXT record at `_validation-persist.<domain>` containing the CA's issuer domain and your ACME account URI. Once set, this record authorizes unlimited future certificate issuances without per-renewal DNS updates. Based on [draft-ietf-acme-dns-persist](https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/) and CA/Browser Forum ballot SC-088v3. If the CA doesn't offer dns-persist-01 yet, the connector falls back to dns-01 automatically.
+
 HTTP-01 configuration:
 ```json
 {
@@ -143,14 +145,29 @@ DNS-01 configuration:
 }
 ```

-DNS hook scripts receive these environment variables: `CERTCTL_DNS_DOMAIN` (domain being validated), `CERTCTL_DNS_FQDN` (full record name, e.g., `_acme-challenge.example.com`), `CERTCTL_DNS_VALUE` (TXT record value), `CERTCTL_DNS_TOKEN` (ACME challenge token). The present script must create the TXT record and exit 0; the cleanup script removes it.
+DNS-PERSIST-01 configuration:
+```json
+{
+  "directory_url": "https://acme-v02.api.letsencrypt.org/directory",
+  "email": "admin@example.com",
+  "challenge_type": "dns-persist-01",
+  "dns_present_script": "/etc/certctl/dns/create-record.sh",
+  "dns_persist_issuer_domain": "letsencrypt.org",
+  "dns_propagation_wait": 30
+}
+```
+
+The present script creates a TXT record at `_validation-persist.<domain>` with the value `letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/<your-id>`. This record is permanent — no cleanup script is needed.
+
+DNS hook scripts receive these environment variables: `CERTCTL_DNS_DOMAIN` (domain being validated), `CERTCTL_DNS_FQDN` (full record name — `_acme-challenge.<domain>` for dns-01, `_validation-persist.<domain>` for dns-persist-01), `CERTCTL_DNS_VALUE` (TXT record value), `CERTCTL_DNS_TOKEN` (ACME challenge token). The present script must create the TXT record and exit 0; the cleanup script removes it (dns-01 only).

 Environment variables for the default ACME connector:
 - `CERTCTL_ACME_DIRECTORY_URL` — ACME directory URL
 - `CERTCTL_ACME_EMAIL` — Contact email for account registration
- `CERTCTL_ACME_CHALLENGE_TYPE` — `http-01` (default) or `dns-01`
- `CERTCTL_ACME_DNS_PRESENT_SCRIPT` — Path to DNS record creation script (dns-01 only)
- `CERTCTL_ACME_DNS_CLEANUP_SCRIPT` — Path to DNS record cleanup script (dns-01 only)
+- `CERTCTL_ACME_CHALLENGE_TYPE` — `http-01` (default), `dns-01`, or `dns-persist-01`
+- `CERTCTL_ACME_DNS_PRESENT_SCRIPT` — Path to DNS record creation script (dns-01 and dns-persist-01)
+- `CERTCTL_ACME_DNS_CLEANUP_SCRIPT` — Path to DNS record cleanup script (dns-01 only, not used by dns-persist-01)
+- `CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN` — CA issuer domain for persistent record (dns-persist-01 only, e.g., `letsencrypt.org`)

 The connector is registered in the issuer registry under `iss-acme-staging` and `iss-acme-prod`. Use `iss-acme-staging` for Let's Encrypt staging (rate-limit-friendly testing) and `iss-acme-prod` for production certificates.

@@ -227,7 +244,7 @@ Note: EST (Enrollment over Secure Transport) is not a connector — it's a proto
 The following issuer connectors are planned for future milestones:

 - **Vault PKI** — HashiCorp Vault's PKI secrets engine for organizations using Vault as their internal CA (planned for V4.0+).
- **DigiCert** — Commercial CA integration via DigiCert's REST API (planned for V3 paid release).
+- **DigiCert** — Commercial CA integration via DigiCert's REST API (planned).

 Note: ADCS (Active Directory Certificate Services) integration is handled via the **sub-CA mode** of the Local CA issuer, not as a separate connector. certctl operates as a subordinate CA with its signing certificate issued by ADCS, so all certctl-issued certs chain to the enterprise ADCS root. See the Local CA section above.

@@ -417,11 +434,11 @@ The combined PEM is built in this order: server certificate, intermediate/chain

 Location: `internal/connector/target/haproxy/haproxy.go`

-### V3 (Paid): F5 BIG-IP (Interface Only)
+### F5 BIG-IP (Interface Only)

-The F5 BIG-IP target connector interface is built with the iControl REST flow mapped out, but the actual API calls are not yet implemented. F5 appliances can't run agents directly, so this connector uses the **proxy agent pattern**: a designated agent in the same network zone picks up F5 deployment jobs and calls the iControl REST API. The server assigns the work; the proxy agent executes it. Implementation is planned for the paid V3 release.
+The F5 BIG-IP target connector interface is defined with the iControl REST flow mapped out, but the actual API calls are not yet implemented. F5 appliances can't run agents directly, so this connector uses the **proxy agent pattern**: a designated agent in the same network zone picks up F5 deployment jobs and calls the iControl REST API. The server assigns the work; the proxy agent executes it.

-The planned flow is: authenticate via `POST /mgmt/shared/authn/login`, upload cert PEM via `POST /mgmt/tm/ltm/certificate`, update the SSL profile via `PATCH /mgmt/tm/ltm/profile/client-ssl/{profile}`, and validate deployment by checking profile status. Implementation is planned for a future release.
+The planned flow is: authenticate via `POST /mgmt/shared/authn/login`, upload cert PEM via `POST /mgmt/tm/ltm/certificate`, update the SSL profile via `PATCH /mgmt/tm/ltm/profile/client-ssl/{profile}`, and validate deployment by checking profile status.

 Configuration (defined, not yet functional):
 ```json
@@ -438,9 +455,9 @@ Note: F5 credentials are stored on the proxy agent, not on the control plane ser

 Location: `internal/connector/target/f5/f5.go`

-### V3 (Paid): IIS (Interface Only, Dual-Mode)
+### IIS (Interface Only, Dual-Mode)

-The IIS target connector supports two deployment modes planned for the paid V3 release:
+The IIS target connector supports two planned deployment modes:

 **Agent-local (recommended):** A Windows agent runs directly on the IIS server and deploys certificates using PowerShell — `Import-PfxCertificate` to install into the certificate store and `Set-WebBinding` to bind to the IIS site. This is the preferred approach: no remote access needed, no credential management, same pull-based model as NGINX/Apache/HAProxy.

@@ -97,6 +97,21 @@ curl -s -X POST $API/api/v1/certificates \
  }' | jq .
 ```

+### ACME with DNS-PERSIST-01 (Zero-Touch Renewals)
+
+DNS-PERSIST-01 uses a standing `_validation-persist` TXT record that you set once. The CA revalidates it on every renewal — no per-renewal DNS updates, no cleanup scripts, no propagation waits. If the CA doesn't support DNS-PERSIST-01 yet, certctl falls back to DNS-01 automatically.
+
+```bash
+# Configure ACME DNS-PERSIST-01
+export CERTCTL_ACME_CHALLENGE_TYPE="dns-persist-01"
+export CERTCTL_ACME_DNS_PRESENT_SCRIPT="/usr/local/bin/dns-present.sh"
+export CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN="letsencrypt.org"
+
+# The present script creates a _validation-persist.<domain> TXT record with value:
+# "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345"
+# This record is set once and never touched again.
+```
+
 ### step-ca (Smallstep Private CA)

 For organizations running step-ca as their private CA:
@@ -221,7 +236,7 @@ You should see:

 The result is a structurally valid X.509 certificate — browsers won't trust it (no root CA in their trust store), but it exercises the exact same code paths that a production ACME or Vault issuer would.

-**Why pluggable issuers:** Different organizations use different CAs. Some use Let's Encrypt (ACME protocol), some use step-ca or internal PKI (Vault), some use commercial CAs (DigiCert, Entrust, GlobalSign), and some have custom OpenSSL-based workflows. For enterprises with ADCS, certctl can operate as a sub-CA — all issued certs chain to the enterprise root. The connector interface means certctl doesn't care — it calls `IssueCertificate()` and gets back a signed cert regardless of the backend. V1 ships with Local CA (self-signed or sub-CA), ACME (HTTP-01 + DNS-01 for wildcards), and step-ca (Smallstep private CA via native /sign API). V2 adds the OpenSSL/Custom CA connector (script-based signing). DigiCert, Vault PKI, Entrust, GlobalSign, Google CAS, and EJBCA are planned for V3+.
+**Why pluggable issuers:** Different organizations use different CAs. Some use Let's Encrypt (ACME protocol), some use step-ca or internal PKI (Vault), some use commercial CAs (DigiCert, Entrust, GlobalSign), and some have custom OpenSSL-based workflows. For enterprises with ADCS, certctl can operate as a sub-CA — all issued certs chain to the enterprise root. The connector interface means certctl doesn't care — it calls `IssueCertificate()` and gets back a signed cert regardless of the backend. V1 ships with Local CA (self-signed or sub-CA), ACME (HTTP-01 + DNS-01 + DNS-PERSIST-01 for wildcards), and step-ca (Smallstep private CA via native /sign API). V2 adds the OpenSSL/Custom CA connector (script-based signing). DigiCert, Vault PKI, Entrust, GlobalSign, Google CAS, and EJBCA are planned for V3+.

 ```mermaid
 flowchart TD
@@ -288,9 +288,10 @@ curl -H "$AUTH" "$SERVER/api/v1/policies/rp-standard/violations"
 - **Use Case** — Internal PKI, enterprise trust chains

 ### ACME v2
- **Challenge Types** — HTTP-01 (default) and DNS-01 (wildcard support)
+- **Challenge Types** — HTTP-01 (default), DNS-01 (wildcard support), and DNS-PERSIST-01 (standing record, no per-renewal DNS updates)
 - **DNS-01 Script Hooks** — Pluggable DNS solver for any provider (Cloudflare, Route53, Azure DNS, etc.)
- **Configuration** — `CERTCTL_ACME_DIRECTORY_URL`, `CERTCTL_ACME_EMAIL`, `CERTCTL_ACME_CHALLENGE_TYPE=dns-01`, `CERTCTL_ACME_DNS_PRESENT_SCRIPT`, `CERTCTL_ACME_DNS_CLEANUP_SCRIPT`
+- **DNS-PERSIST-01** — Standing `_validation-persist` TXT record set once, reused forever. Auto-fallback to DNS-01 if CA doesn't support it yet.
+- **Configuration** — `CERTCTL_ACME_DIRECTORY_URL`, `CERTCTL_ACME_EMAIL`, `CERTCTL_ACME_CHALLENGE_TYPE`, `CERTCTL_ACME_DNS_PRESENT_SCRIPT`, `CERTCTL_ACME_DNS_CLEANUP_SCRIPT`, `CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN`
 - **DNS Propagation Wait** — Configurable timeout before validation
 - **Use Case** — Public CAs (LetsEncrypt), wildcard certs

@@ -1035,8 +1036,8 @@ The web dashboard is the primary operational interface for certctl. Built with *
 - **GitHub Actions** — `.github/workflows/ci.yml`
 - **Parallel Jobs** — Go (build, vet, test+coverage, gates) and Frontend (tsc, vitest, vite build)
 - **Coverage Gates** — Service layer ≥30%, handler layer ≥50%
- **Release Workflow** — Tag push → build → publish Docker images to `ghcr.io`
- **Docker Tags** — `:latest`, `:v{version}` (ghcr.io/shankar0123/certctl)
+- **Release Workflow** — Tag push → build → publish Docker images to GitHub Container Registry
+- **Docker Tags** — `:latest`, `:v{version}` (`shankar0123.docker.scarf.sh/certctl-server`, `shankar0123.docker.scarf.sh/certctl-agent`)

 ### Test Suite
 - **Unit Tests** — 625+ test functions across service, handler, middleware, domain layers
@@ -1117,9 +1118,10 @@ The web dashboard is the primary operational interface for certctl. Built with *
 |----------|------|---------|---------|
 | `CERTCTL_ACME_DIRECTORY_URL` | string | (empty) | ACME server directory URL |
 | `CERTCTL_ACME_EMAIL` | string | (empty) | Account email for ACME registration |
-| `CERTCTL_ACME_CHALLENGE_TYPE` | string | http-01 | http-01 or dns-01 |
-| `CERTCTL_ACME_DNS_PRESENT_SCRIPT` | string | (empty) | Script path for DNS-01 present hook |
-| `CERTCTL_ACME_DNS_CLEANUP_SCRIPT` | string | (empty) | Script path for DNS-01 cleanup hook |
+| `CERTCTL_ACME_CHALLENGE_TYPE` | string | http-01 | http-01, dns-01, or dns-persist-01 |
+| `CERTCTL_ACME_DNS_PRESENT_SCRIPT` | string | (empty) | Script path for DNS present hook (dns-01 and dns-persist-01) |
+| `CERTCTL_ACME_DNS_CLEANUP_SCRIPT` | string | (empty) | Script path for DNS cleanup hook (dns-01 only) |
+| `CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN` | string | (empty) | CA issuer domain for dns-persist-01 (e.g., letsencrypt.org) |

 #### step-ca Issuer
 | Variable | Type | Default | Purpose |
@@ -67,11 +67,12 @@ type StepCAConfig struct {

 // ACMEConfig contains ACME issuer connector configuration.
 type ACMEConfig struct {
-	DirectoryURL     string
-	Email            string
-	ChallengeType    string // "http-01" (default) or "dns-01"
-	DNSPresentScript string
-	DNSCleanUpScript string
+	DirectoryURL           string
+	Email                  string
+	ChallengeType          string // "http-01" (default), "dns-01", or "dns-persist-01"
+	DNSPresentScript       string
+	DNSCleanUpScript       string
+	DNSPersistIssuerDomain string // Required for dns-persist-01 (e.g., "letsencrypt.org")
 }

 // OpenSSLConfig contains OpenSSL/Custom CA issuer connector configuration.
@@ -28,21 +28,28 @@ type Config struct {
 	EABHmac      string `json:"eab_hmac,omitempty"`  // External Account Binding HMAC Key
 	HTTPPort     int    `json:"http_port,omitempty"` // Port for HTTP-01 challenge server (default: 80)

-	// ChallengeType selects the ACME challenge method: "http-01" (default) or "dns-01".
+	// ChallengeType selects the ACME challenge method: "http-01" (default), "dns-01", or "dns-persist-01".
 	// DNS-01 is required for wildcard certificates (*.example.com).
+	// DNS-PERSIST-01 uses a standing TXT record (set once, reused forever) — no per-renewal DNS updates.
 	ChallengeType string `json:"challenge_type,omitempty"`

-	// DNSPresentScript is the path to a script that creates DNS TXT records (dns-01 only).
+	// DNSPresentScript is the path to a script that creates DNS TXT records (dns-01 and dns-persist-01).
 	// The script receives CERTCTL_DNS_DOMAIN, CERTCTL_DNS_FQDN, CERTCTL_DNS_VALUE, CERTCTL_DNS_TOKEN.
 	DNSPresentScript string `json:"dns_present_script,omitempty"`

 	// DNSCleanUpScript is the path to a script that removes DNS TXT records (dns-01 only).
 	// Optional — if not set, records are not cleaned up automatically.
+	// Not used by dns-persist-01 (records are permanent).
 	DNSCleanUpScript string `json:"dns_cleanup_script,omitempty"`

 	// DNSPropagationWait is how long to wait (in seconds) after creating the TXT record
 	// before telling the CA to validate. Defaults to 30 seconds.
 	DNSPropagationWait int `json:"dns_propagation_wait,omitempty"`
+
+	// DNSPersistIssuerDomain is the CA's issuer domain name for dns-persist-01 records.
+	// Used to construct the TXT record value: "<issuer-domain>; accounturi=<account-uri>".
+	// Required when ChallengeType is "dns-persist-01". For Let's Encrypt, use "letsencrypt.org".
+	DNSPersistIssuerDomain string `json:"dns_persist_issuer_domain,omitempty"`
 }

 // Connector implements the issuer.Connector interface for ACME-compatible CAs
@@ -87,10 +94,11 @@ func New(config *Config, logger *slog.Logger) *Connector {
 		challengeTokens: make(map[string]string),
 	}

-	// Initialize DNS solver if dns-01 challenge type is configured
-	if config != nil && config.ChallengeType == "dns-01" && config.DNSPresentScript != "" {
+	// Initialize DNS solver if dns-01 or dns-persist-01 challenge type is configured
+	if config != nil && (config.ChallengeType == "dns-01" || config.ChallengeType == "dns-persist-01") && config.DNSPresentScript != "" {
 		c.dnsSolver = NewScriptDNSSolver(config.DNSPresentScript, config.DNSCleanUpScript, logger)
-		logger.Info("DNS-01 challenge solver configured",
+		logger.Info("DNS challenge solver configured",
+			"challenge_type", config.ChallengeType,
 			"present_script", config.DNSPresentScript,
 			"cleanup_script", config.DNSCleanUpScript)
 	}
@@ -141,13 +149,18 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag
 	}

 	// Validate challenge type
-	if cfg.ChallengeType != "http-01" && cfg.ChallengeType != "dns-01" {
-		return fmt.Errorf("invalid challenge_type: %s (must be http-01 or dns-01)", cfg.ChallengeType)
+	if cfg.ChallengeType != "http-01" && cfg.ChallengeType != "dns-01" && cfg.ChallengeType != "dns-persist-01" {
+		return fmt.Errorf("invalid challenge_type: %s (must be http-01, dns-01, or dns-persist-01)", cfg.ChallengeType)
 	}

-	// DNS-01 requires a present script
-	if cfg.ChallengeType == "dns-01" && cfg.DNSPresentScript == "" {
-		return fmt.Errorf("dns_present_script is required for dns-01 challenge type")
+	// DNS-01 and DNS-PERSIST-01 require a present script
+	if (cfg.ChallengeType == "dns-01" || cfg.ChallengeType == "dns-persist-01") && cfg.DNSPresentScript == "" {
+		return fmt.Errorf("dns_present_script is required for %s challenge type", cfg.ChallengeType)
+	}
+
+	// DNS-PERSIST-01 requires an issuer domain
+	if cfg.ChallengeType == "dns-persist-01" && cfg.DNSPersistIssuerDomain == "" {
+		return fmt.Errorf("dns_persist_issuer_domain is required for dns-persist-01 challenge type (e.g., \"letsencrypt.org\")")
 	}

 	if cfg.DNSPropagationWait == 0 {
@@ -156,8 +169,8 @@ func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessag

 	c.config = &cfg

-	// Re-initialize DNS solver if switching to dns-01
-	if cfg.ChallengeType == "dns-01" && cfg.DNSPresentScript != "" {
+	// Re-initialize DNS solver if switching to dns-01 or dns-persist-01
+	if (cfg.ChallengeType == "dns-01" || cfg.ChallengeType == "dns-persist-01") && cfg.DNSPresentScript != "" {
 		c.dnsSolver = NewScriptDNSSolver(cfg.DNSPresentScript, cfg.DNSCleanUpScript, c.logger)
 	}

@@ -335,12 +348,16 @@ func (c *Connector) GetOrderStatus(ctx context.Context, orderID string) (*issuer
 }

 // solveAuthorizations processes all authorization URLs and solves their challenges.
-// Supports both HTTP-01 and DNS-01 challenge types based on configuration.
+// Supports HTTP-01, DNS-01, and DNS-PERSIST-01 challenge types based on configuration.
 func (c *Connector) solveAuthorizations(ctx context.Context, authzURLs []string) error {
-	if c.config.ChallengeType == "dns-01" {
+	switch c.config.ChallengeType {
+	case "dns-01":
 		return c.solveAuthorizationsDNS01(ctx, authzURLs)
+	case "dns-persist-01":
+		return c.solveAuthorizationsDNSPersist01(ctx, authzURLs)
+	default:
+		return c.solveAuthorizationsHTTP01(ctx, authzURLs)
 	}
-	return c.solveAuthorizationsHTTP01(ctx, authzURLs)
 }

 // solveAuthorizationsHTTP01 solves challenges using the HTTP-01 method.
@@ -497,6 +514,126 @@ func (c *Connector) solveAuthorizationsDNS01(ctx context.Context, authzURLs []st
 	return nil
 }

+// solveAuthorizationsDNSPersist01 solves challenges using the DNS-PERSIST-01 method.
+// DNS-PERSIST-01 uses a standing TXT record at _validation-persist.<domain> that persists
+// across renewals. The record contains the CA's issuer domain and the ACME account URI,
+// authorizing unlimited future issuances without per-renewal DNS updates.
+//
+// Flow:
+// 1. For each authorization, check if it's already valid (standing record exists)
+// 2. If pending, find the dns-persist-01 challenge
+// 3. Build the TXT record value: "<issuer-domain>; accounturi=<account-uri>"
+// 4. Create the _validation-persist TXT record via the present script (one-time)
+// 5. Wait for propagation, then accept the challenge
+// 6. No cleanup — the record is permanent by design
+//
+// See: draft-ietf-acme-dns-persist (IETF), CA/Browser Forum ballot SC-088v3
+func (c *Connector) solveAuthorizationsDNSPersist01(ctx context.Context, authzURLs []string) error {
+	if c.dnsSolver == nil {
+		return fmt.Errorf("dns-persist-01 challenge type configured but no DNS solver available")
+	}
+
+	// Get the account URI for the TXT record value
+	if err := c.ensureClient(ctx); err != nil {
+		return fmt.Errorf("ACME client init for dns-persist-01: %w", err)
+	}
+	acct, err := c.client.GetReg(ctx, "")
+	if err != nil {
+		return fmt.Errorf("failed to get ACME account URI for dns-persist-01: %w", err)
+	}
+
+	for _, authzURL := range authzURLs {
+		authz, err := c.client.GetAuthorization(ctx, authzURL)
+		if err != nil {
+			return fmt.Errorf("failed to get authorization %s: %w", authzURL, err)
+		}
+
+		// If already valid (standing record recognized), skip
+		if authz.Status == acme.StatusValid {
+			c.logger.Info("dns-persist-01 authorization already valid (standing record recognized)",
+				"domain", authz.Identifier.Value)
+			continue
+		}
+
+		// Find the dns-persist-01 challenge
+		var persistChallenge *acme.Challenge
+		for _, ch := range authz.Challenges {
+			if ch.Type == "dns-persist-01" {
+				persistChallenge = ch
+				break
+			}
+		}
+
+		// Fallback: if the CA doesn't offer dns-persist-01 yet, try dns-01
+		if persistChallenge == nil {
+			c.logger.Warn("dns-persist-01 challenge not offered by CA, falling back to dns-01",
+				"domain", authz.Identifier.Value)
+			return c.solveAuthorizationsDNS01(ctx, authzURLs)
+		}
+
+		domain := authz.Identifier.Value
+
+		// Build the persistent TXT record value per draft-ietf-acme-dns-persist:
+		// "<issuer-domain>; accounturi=<account-uri>"
+		recordValue := fmt.Sprintf("%s; accounturi=%s", c.config.DNSPersistIssuerDomain, acct.URI)
+
+		c.logger.Info("creating persistent DNS validation record",
+			"domain", domain,
+			"fqdn", "_validation-persist."+domain,
+			"issuer_domain", c.config.DNSPersistIssuerDomain,
+			"account_uri", acct.URI)
+
+		// Create the standing TXT record via the present script.
+		// The script receives CERTCTL_DNS_FQDN="_validation-persist.<domain>"
+		// and CERTCTL_DNS_VALUE="<issuer-domain>; accounturi=<account-uri>".
+		if err := c.presentPersistRecord(ctx, domain, persistChallenge.Token, recordValue); err != nil {
+			return fmt.Errorf("failed to create persistent DNS record for %s: %w", domain, err)
+		}
+
+		// Wait for DNS propagation
+		propagationWait := time.Duration(c.config.DNSPropagationWait) * time.Second
+		c.logger.Info("waiting for DNS propagation",
+			"domain", domain,
+			"wait_seconds", c.config.DNSPropagationWait)
+		time.Sleep(propagationWait)
+
+		// Tell the CA we're ready
+		if _, err := c.client.Accept(ctx, persistChallenge); err != nil {
+			return fmt.Errorf("failed to accept dns-persist-01 challenge: %w", err)
+		}
+
+		// Wait for authorization to be valid
+		if _, err := c.client.WaitAuthorization(ctx, authzURL); err != nil {
+			return fmt.Errorf("dns-persist-01 authorization failed for %s: %w", domain, err)
+		}
+
+		c.logger.Info("dns-persist-01 authorization validated (record is now permanent)",
+			"domain", domain)
+
+		// No cleanup — the record is permanent by design.
+		// Future renewals will skip challenge solving entirely (authz.Status == StatusValid).
+	}
+
+	return nil
+}
+
+// presentPersistRecord creates a _validation-persist TXT record using the DNS solver.
+// Unlike dns-01 which uses _acme-challenge, dns-persist-01 uses _validation-persist.
+func (c *Connector) presentPersistRecord(ctx context.Context, domain, token, recordValue string) error {
+	if c.dnsSolver == nil {
+		return fmt.Errorf("DNS solver not configured")
+	}
+
+	// Use PresentPersist if available (ScriptDNSSolver) — targets _validation-persist prefix.
+	if solver, ok := c.dnsSolver.(*ScriptDNSSolver); ok {
+		return solver.PresentPersist(ctx, domain, token, recordValue)
+	}
+
+	// For other DNSSolver implementations, fall back to Present.
+	// Custom implementations should read CERTCTL_DNS_FQDN to determine the record name.
+	return c.dnsSolver.Present(ctx, domain, token, recordValue)
+}
+
 // startChallengeServer starts an HTTP server that responds to ACME HTTP-01 challenges.
 // It listens on the configured HTTP port and serves challenge tokens at
 // /.well-known/acme-challenge/{token}.
@@ -82,6 +82,24 @@ func (s *ScriptDNSSolver) CleanUp(ctx context.Context, domain, token, keyAuth st
 	return s.runScript(ctx, s.CleanUpScript, domain, fqdn, token, keyAuth)
 }

+// PresentPersist creates a persistent DNS TXT record at _validation-persist.<domain>.
+// Used by dns-persist-01 (draft-ietf-acme-dns-persist). Unlike Present (which targets
+// _acme-challenge), this targets _validation-persist and the record is intended to be permanent.
+func (s *ScriptDNSSolver) PresentPersist(ctx context.Context, domain, token, recordValue string) error {
+	if s.PresentScript == "" {
+		return fmt.Errorf("DNS present script not configured")
+	}
+
+	fqdn := "_validation-persist." + domain
+
+	s.Logger.Info("creating persistent DNS TXT record via script",
+		"domain", domain,
+		"fqdn", fqdn,
+		"script", s.PresentScript)
+
+	return s.runScript(ctx, s.PresentScript, domain, fqdn, token, recordValue)
+}
+
 // runScript executes a DNS hook script with the appropriate environment variables.
 func (s *ScriptDNSSolver) runScript(ctx context.Context, script, domain, fqdn, token, keyAuth string) error {
 	timeout := s.Timeout
@@ -110,3 +110,86 @@ echo "cleaned $CERTCTL_DNS_FQDN" > ` + outputFile + `
 		}
 	})
 }
+
+func TestScriptDNSSolver_PresentPersist(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug}))
+	ctx := context.Background()
+
+	t.Run("PresentPersist_Success", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		outputFile := filepath.Join(tmpDir, "persist-record.txt")
+
+		scriptPath := filepath.Join(tmpDir, "present.sh")
+		script := `#!/bin/sh
+echo "DOMAIN=$CERTCTL_DNS_DOMAIN FQDN=$CERTCTL_DNS_FQDN VALUE=$CERTCTL_DNS_VALUE TOKEN=$CERTCTL_DNS_TOKEN" > ` + outputFile + `
+`
+		if err := os.WriteFile(scriptPath, []byte(script), 0755); err != nil {
+			t.Fatalf("Failed to create script: %v", err)
+		}
+
+		solver := acmeissuer.NewScriptDNSSolver(scriptPath, "", logger)
+		err := solver.PresentPersist(ctx, "example.com", "test-token", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123")
+		if err != nil {
+			t.Fatalf("PresentPersist failed: %v", err)
+		}
+
+		output, err := os.ReadFile(outputFile)
+		if err != nil {
+			t.Fatalf("Failed to read output file: %v", err)
+		}
+
+		// Verify _validation-persist prefix (not _acme-challenge)
+		expected := "DOMAIN=example.com FQDN=_validation-persist.example.com VALUE=letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123 TOKEN=test-token\n"
+		if string(output) != expected {
+			t.Errorf("Script output mismatch:\ngot:  %q\nwant: %q", string(output), expected)
+		}
+	})
+
+	t.Run("PresentPersist_NoScript", func(t *testing.T) {
+		solver := acmeissuer.NewScriptDNSSolver("", "", logger)
+		err := solver.PresentPersist(ctx, "example.com", "token", "letsencrypt.org; accounturi=https://example.com/acct/1")
+		if err == nil {
+			t.Fatal("Expected error when no script is configured")
+		}
+	})
+
+	t.Run("PresentPersist_ScriptFailure", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		scriptPath := filepath.Join(tmpDir, "fail.sh")
+		script := `#!/bin/sh
+echo "error: DNS API failure" >&2
+exit 1
+`
+		os.WriteFile(scriptPath, []byte(script), 0755)
+
+		solver := acmeissuer.NewScriptDNSSolver(scriptPath, "", logger)
+		err := solver.PresentPersist(ctx, "example.com", "token", "letsencrypt.org; accounturi=https://example.com/acct/1")
+		if err == nil {
+			t.Fatal("Expected error from failing script")
+		}
+	})
+
+	t.Run("PresentPersist_WildcardDomain", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		outputFile := filepath.Join(tmpDir, "persist-wildcard.txt")
+
+		scriptPath := filepath.Join(tmpDir, "present.sh")
+		script := `#!/bin/sh
+echo "FQDN=$CERTCTL_DNS_FQDN" > ` + outputFile + `
+`
+		os.WriteFile(scriptPath, []byte(script), 0755)
+
+		solver := acmeissuer.NewScriptDNSSolver(scriptPath, "", logger)
+		// For *.example.com, the persist record should be at _validation-persist.example.com
+		err := solver.PresentPersist(ctx, "example.com", "token", "letsencrypt.org; accounturi=https://example.com/acct/1")
+		if err != nil {
+			t.Fatalf("PresentPersist failed for wildcard base domain: %v", err)
+		}
+
+		output, _ := os.ReadFile(outputFile)
+		expected := "FQDN=_validation-persist.example.com\n"
+		if string(output) != expected {
+			t.Errorf("FQDN mismatch: got %q, want %q", string(output), expected)
+		}
+	})
+}
@@ -43,7 +43,7 @@ func TestDiscoveredCertificate_IsExpired(t *testing.T) {
 		{"expired certificate", &pastTime, true},
 		{"valid certificate", &futureTime, false},
 		{"nil NotAfter", nil, false},
-		{"expires at current time (edge case)", &now, false}, // Before() = false when at same time
+		{"expires at current time (edge case)", func() *time.Time { t := now.Add(1 * time.Second); return &t }(), false}, // 1s in future — Before() returns false
 	}

 	for _, tt := range tests {
Author	SHA1	Message	Date
shankar0123	6d8ab54f46	chore: bump version badge to v2.0.2 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 14:24:50 -04:00
shankar0123	e19c240a79	feat: add ACME DNS-PERSIST-01 challenge support (IETF draft-ietf-acme-dns-persist) Standing TXT record at _validation-persist.<domain> eliminates per-renewal DNS updates. Auto-fallback to dns-01 if CA doesn't offer dns-persist-01. ScriptDNSSolver extended with PresentPersist method. Configurable via CERTCTL_ACME_CHALLENGE_TYPE=dns-persist-01 and CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN env vars. Also fixes IsExpired edge-case test in discovery_test.go that always failed due to time.Now() drift between test setup and method invocation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 14:23:46 -04:00
shankar0123	5c38bc3bfe	docs: clean up connector guide language Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 11:55:01 -04:00
shankar0123	b5687aece8	docs: add brief descriptions to screenshot thumbnails Uses <sub> tags for small text under each screenshot label. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 11:37:14 -04:00
shankar0123	cdb6ebdb6a	docs: compact screenshots to 3-per-row grid layout Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 11:35:16 -04:00
shankar0123	bb85f1a56e	docs: shrink README screenshots to thumbnails with click-to-expand Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 11:33:41 -04:00
shankar0123	44c4d89011	docs: move architecture mermaid diagrams out of README Remove both mermaid flowcharts from README to reduce visual noise. Architecture doc already has a more detailed version. Replace with a one-line text summary linking to docs/architecture.md. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 11:02:38 -04:00
shankar0123	eaccbcdcf1	docs: remove placeholder Pro waitlist CTA from README Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-25 23:30:14 -04:00
shankar0123	4e3cff0729	docs: update README with planned V2 milestones and integration coverage Add Traefik/Caddy to deployment targets table and architecture diagram, S/MIME to core capabilities, M24/M25/M26 to V2 roadmap section, version badge to v2.0.1, stats to 95+ endpoints and 930+ tests. Clarify Vault PKI and DigiCert as future. Expand V4 description. Add OpenSSL/Custom CA note for ADCS integrations. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-25 23:28:50 -04:00
shankar0123	09c819d424	docs: add Scarf Docker pull URLs across README, release workflow, and features Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-25 21:33:41 -04:00