Bor v0.6.0 is out. The two headline features are automatic TLS certificate provisioning via ACME and self-service password management for users.
ACME / Let’s Encrypt support
The server can now automatically obtain and renew TLS certificates from Let’s Encrypt or any RFC 8555-compatible CA. This removes the need to manage certificates manually or run a separate reverse proxy just for TLS termination.
To enable it, set three environment variables before starting the server:
BOR_ACME_ENABLED=true
BOR_ACME_DOMAINS=bor.example.com
BOR_ACME_EMAIL=admin@example.com
ACME mode is mutually exclusive with supplying your own cert/key files — use one or the other. When ACME is active, the server handles the HTTP-01 challenge and stores the issued certificate automatically.
Self-service password management
Users can now change their own password directly from the Account Security section in the UI, without involving an administrator. Administrators retain the ability to reset any user’s password from the Users tab.
Bug fixes
WebAuthn origin fallback — WebAuthn no longer silently fails to initialize when BOR_WEBAUTHN_ORIGINS is not set. The server now derives a sensible default origin of https://<RPID>, so standard deployments on port 443 only need BOR_WEBAUTHN_RPID configured.
Agent module consistency — indirect dependencies in agent/go.mod (x/net, x/sys, x/text) are now in sync with the golang.org/x/crypto bump, resolving go mod tidy build failures.
Download
Packages for Debian/Ubuntu, RHEL/Fedora/SUSE, Alpine Linux, and Arch Linux across x86_64, aarch64, and ppc64le are available on the Download page.