chore(deps): update lab-vps-01/ultimate-ca-manager - ghcr.io/neyslim/ultimate-ca-manager docker tag to v2.128.1

[renovate]

This PR contains the following updates:

Package	Update	Change
ghcr.io/neyslim/ultimate-ca-manager	minor	2.0.7 → 2.128.1

---

Release Notes

NeySlim/ultimate-ca-manager (ghcr.io/neyslim/ultimate-ca-manager)

v2.128.1

Fixed

• Service fails to start after upgrading to v2.128 on SQLite installs — the new v2.128 database migrations did not apply on upgrade and the service stayed in a failed state. Fresh installs were not affected.

v2.1.6

Versioning cleanup release — no code changes.

---

v2.1.5

Fixed

• SAN parsing — parse SAN string into typed arrays (DNS, IP, Email, URI) for proper display and editing

---

v2.1.4

Fixed

• Encrypted key password — password field now shown in SmartImport for encrypted private keys
• Mobile navigation i18n — use short translation keys for nav items on mobile
• Missing mobile icons — added Gavel, Stamp, ChartBar icons to AppShell mobile nav

---

v2.1.3

Fixed

• ECDSA key sizes — correct key size options (256, 384, 521) and backend mapping (fixes #​22)

---

v2.1.2

Fixed

• Sub CA creation — fixed parent CA being ignored + DN fields lost + error detail leak + import crash

Security

• Flask 3.1.2 → 3.1.3 — CVE-2026-27205

---

v2.1.1

Fixed

• DB version sync — app.version in database now synced from VERSION file on startup
• OPNsense import — fixed double JSON.stringify on API client POST, added type validation for nested JSON fields
• DNS provider status — fixed status kwarg in DNS provider endpoints
• Screenshots — replaced with correct dark theme 1920×1080 screenshots

Changed

• Consolidated changelog — merged all 2.1.0 pre-release entries into single entry
• CI: exclude rc tags from Docker latest tag
• CI: auto-push DOCKERHUB_README.md to Docker Hub on release

---

v2.1.0

Added

• SSO authentication — LDAP/Active Directory, OAuth2 (Google, GitHub, Azure AD), SAML 2.0 with group-to-role mapping
• Governance module — certificate policies, approval workflows, scheduled reports
• Auditor role — new system role with read-only access to all operational data except settings and user management
• 4-role RBAC — Administrator, Operator, Auditor, Viewer with granular permissions + custom roles
• ACME DNS providers — 48 providers with card grid selector and official SVG logos
• Floating detail windows — click any table row to open draggable, resizable detail panel with actions (export, renew, revoke, delete)
• Email template editor — split-pane HTML source + live preview with 6 template variables
• Certificate expiry alerts — configurable thresholds, recipients, check-now button
• SoftHSM integration — automatic SoftHSM2 setup across DEB, RPM, and Docker with PKCS#11 key generation
• AKI/SKI chain matching — cryptographic chain relationships instead of fragile DN-based matching
• Chain repair scheduler — hourly background task to backfill SKI/AKI, re-chain orphans, deduplicate CAs
• Backup v2.0 — complete backup/restore of all database tables (was only 5, now covers groups, RBAC, templates, trust store, SSO, HSM, API keys, SMTP, policies, etc.)
• File regeneration — startup service regenerates missing certificate/key files from database
• Human-readable filenames — {cn-slug}-{refid}.ext instead of UUID-only
• Dashboard charts — day selector, expired series, optimized queries, donut chart with gradients
• SSO settings UI — collapsible sections, LDAP test connection/mapping, OAuth2 provider presets, SAML metadata auto-fetch
• Login page SSO buttons — SSO authentication buttons before local auth form
• Login method persistence — remembers username + auth method across sessions
• ESLint + Ruff linters — catches stale closures, undefined variables, hook violations, import errors
• SAML SP certificate selector — choose which certificate to include in SP metadata
• LDAP directory presets — OpenLDAP, Active Directory, Custom templates
• Template duplication — clone endpoint: POST /templates/{id}/duplicate
• Unified export actions — reusable ExportActions component with inline P12 password field
• Trust store chain validation — visual chain status with export bundle
• Service reconnection — 30s countdown with health + WebSocket readiness check
• Settings about — version, system info, uptime, memory, links to docs
• Webhooks — management tab in Settings for webhook CRUD, test, and event filtering
• Searchable Select component
• Complete i18n — 2273+ keys across all 9 languages (EN, FR, DE, ES, IT, PT, UK, ZH, JA)

Changed

• Renamed RBAC system role "User" → "Viewer" with restricted permissions
• Simplified themes to 3 families: Gray, Purple Night, Orange Sunset (× Light/Dark)
• Consolidated API routes — removed features/ module; all routes under api/v2/
• No more Pro/Community distinction — all features are core
• SSO service layer extracted to sso.service.js
• Tables use proportional column sizing, actions moved to detail windows
• Mobile navbar with user dropdown, compact 5-column nav grid
• WebSocket/CORS auto-detect short hostname and dynamic port
• Default password is always changeme123 (not random)
• Removed unnecessary gcc/build-essential from DEB/RPM dependencies

Fixed

• LDAP group filter malformed when user DN contains special characters (escape_filter_chars)
• 17 bugs found by linters — undefined variables, missing imports, conditional hooks across 6 files
• CSRF token not stored on multi-method login — caused 403 on POST/PUT/DELETE
• Select dropdown hidden behind modals — Radix portal z-index fix
• SAML SP metadata schema-invalid — now uses python3-saml builder
• CORS origin rejection breaking WebSocket on Docker and fresh installs
• Dashboard charts — width/height(-1) errors, gradient IDs, react-grid-layout API
• 6 broken API endpoints — schema mismatches between models and database
• z-index conflicts between confirm dialogs, toasts, and floating windows
• CSR download — endpoint mismatch (/download → /export)
• PFX/P12 export — missing password prompt in floating detail windows
• Auto-update DEB postinst — updater systemd units were never enabled
• Fixed force_password_change not set on fresh admin creation
• Fixed infinite loop in reports from canWrite in useCallback deps
• Removed 23 console.error statements from production code

Security

• JWT removal — session cookies + API keys only (reduces attack surface)
• cryptography upgraded from 46.0.3 to 46.0.5 (CVE-2026-26007)
• SSO rate limiting on LDAP login attempts with account lockout
• CSRF token validation on all SSO endpoints
• RBAC permission enforcement across all frontend pages and floating windows
• SQL injection fixes and debug leak prevention
• Referrer-Policy security header added
• Role validation against allowed roles list
• Internal error details no longer leaked to API clients
• 28 new SSO security tests

---

---

Configuration

📅 Schedule: (in timezone Europe/Amsterdam)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.