New Features
6- Multi-OS expansion: AlmaLinux 9 + Rocky 9 (RHEL 9 family) fully supported alongside Ubuntu 22.04+ and Debian 12+. install.sh now auto-detects rhel/debian family, switches between dnf/apt, enables EPEL/CRB on RHEL, skips AppArmor where unavailable, and coexists with firewalld.
- Mail SSL Auto-Issue: new card on Email Settings > SSL — one click detects the best certificate strategy (Cloudflare Origin / ACME DNS-01 / ACME HTTP-01) and installs it. Mirrors the existing domain SSL flow.
- Mail SSL Cloudflare Origin Certificate: new endpoint and UI card for minting long-lived (15-year) Cloudflare Origin Certificates for the mail hostname. Trusted between Cloudflare edge and the origin server, no automatic renewal needed.
- Generate DKIM auto-publish: the TXT record is automatically published to Cloudflare (when a credential covers the zone) and to the bundled Local BIND (when a zone exists for the domain). Per-provider status (Created / Updated / Unchanged / Failed) is reported in the modal; manual copy-paste only when no managed DNS provider is found.
- DNS record CloudFlare auto-sync: creating, updating, or deleting a DNS record from the panel now mirrors the operation to CloudFlare when the zone is covered by a credential. Skipped silently when no CloudFlare credential matches. Best-effort: a CloudFlare API failure is logged but does not roll back the local BIND change, so DNS keeps working in either direction. Delete is finally implemented (previously the panel only removed the record from BIND, leaving stale entries on CloudFlare).
- Email Authentication page now includes Generate SPF and Generate DMARC buttons alongside Generate DKIM. SPF defaults to v=spf1 a mx ip4:<server_ip> ~all (soft-fail, safest start). DMARC defaults to v=DMARC1; p=quarantine; rua=mailto:postmaster@<domain>; pct=100; adkim=r; aspf=r. Policy and report email are operator-configurable in each modal.
Improvements
7- Forum bug #173 (DB root CLI access denied): standard db root login via CLI now works out of the box. Wrapper scripts for db, dump, admin, check, import, show, binlog utilities are auto-created and /root/.my.cnf (mode 0600) carries the socket and root credential (cPanel/Plesk-style). install.sh creates these on fresh installs; a backend startup self-heal adds them to existing customer servers without re-installing.
- 20 new translation keys added across 31 languages (emailAuthentication and emailEmailSettings.ssl namespaces). Context-aware translation pass: issue is treated as certificate issuance rather than problem in target languages.
- Forum bug #173 clarifications: items 2 and 4 (DB root password and root login) were misdiagnoses. The DB root credential is stored in /opt/panelica/panelica.conf under [database.mysql].password — the [panel].root_password placeholder users saw is the panel UI admin password (set during Setup Wizard, unrelated to the database). With the new CLI wrappers above, the standard db root login workflow now works as expected.
- Compatibility: all previous mail SSL endpoints (ACME HTTP-01, ACME via Cloudflare DNS-01, custom certificate upload) and existing certificates are unchanged. Generate DKIM auto-publish is additive — manual copy-paste flow still works. No data migration required; updates are idempotent.
- Forum bug report #173: thanks to Drakon (https://forum.panelica.com/members/drakon.15/) for reporting these issues at https://forum.panelica.com/threads/bug-mysql-root-password-never-stored-after-setup-databases-show-unknown-cli-import-fails-phpmyadmin-import-limited-to-512mb.173/. Items 5 (phpMyAdmin upload limit) is fixed in this release; items 2 and 4 (MySQL root password/login) were misdiagnoses clarified in this changelog; items 1, 3, and 6 are pending reproduction.
- All Generate operations (DKIM, SPF, DMARC) now run through a shared atomic publisher with snapshot-and-rollback semantics. If Local BIND succeeds but Cloudflare fails (or vice versa), the successful provider is rolled back to its pre-publish state so the system never enters a split-brain. The modal reports a Rolled back status per provider with the failure reason.
- i18n parity safeguard: backend now logs [I18N-DRIFT] WARN <lang> coverage X/Y when a language translation count drops below 99% of English. Operators see drift in journalctl before customers notice missing strings in the panel. Build-time gate (scripts/i18n/verify_parity.py) prevents new drift from shipping in future panel-i18n packages.
Bug Fixes
8- Forum bug #173 (phpMyAdmin import limited to 512 MB): phpMyAdmin SQL import limit is now configurable from the panel (Databases > Tuner > Configuration), range 32-10240 MB. Setting survives subsequent updates via a 3-layer applier (nginx panel proxy + all installed PHP-FPM pools + persisted in DB).
- DKIM TXT records now carry an explicit TTL of 3600s (previously null, rendering an empty TTL in the panel).
- Duplicate _domainkey TXT records caused by trailing-dot FQDN naming are no longer created. The handler normalizes the selector and removes stale variants before writing one clean record.
- BIND zone reload no longer fails with rndc reload failed: sysCmd.FindCommand now scans /opt/panelica/services/bind/sbin alongside bin (rndc lives there), and rndc is invoked with an explicit -c /opt/panelica/etc/bind/rndc.conf flag so the default search-path mismatch no longer matters.
- SSL certificate days remaining badge on Email Settings now renders the actual number instead of showing the literal {{days}} placeholder.
- BIND rndc command channel was not configured in named.conf, causing rndc: connection to remote host closed even when rndc.conf and rndc.key were correct. Backend startup now self-heals by appending the missing controls{} block + include of rndc.key, with a backup of the original named.conf saved alongside. Existing customer servers gain a working rndc channel on the next backend restart; install.sh on fresh installations writes the same block upfront.
- Generate DKIM modal now shows Cloudflare status (Skipped / Created / Updated / Unchanged / Failed) instead of silently omitting Cloudflare when the logged-in user credential did not cover the domain. The handler now uses ResolveCFCredentialForDomain (the same lookup used by ordinary DNS record CRUD) so the credential of the domain owner is consulted — even when an admin operates on behalf of a customer.
- panel-i18n package install path: previous packages (1.0.16-1.0.19) extracted into /opt/panelica/var/i18n/locales/locales/ (double locales directory) due to recipe install_prefix mismatch with Central stored service_path. Backend importer reads /opt/panelica/var/i18n/locales/*.json (single locales) and missed the new files, causing translations to fall back to English in the panel modal. Recipe now uses install_prefix=/opt/panelica/var/i18n/locales with a flat tarball layout (no locales/ wrapper). Customers who applied 1.0.19 may have stale files at locales/locales/ — backend startup self-heal (next backend restart) and the new flat package fix this transparently.