diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc1ad82ed..2325019bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,15 +1,24 @@
-# 0.12.0
-## 03/02/2017
+# Certbot change log
+
+Certbot adheres to [Semantic Versioning](http://semver.org/).
+
+## 0.12.0 - 2017-02-03
+
+### Added
 
 * Allow non-camelcase Apache VirtualHost names
 * Allow more log messages to be silenced
+
+### Fixed
+
 * Fix a regression around using `--cert-name` when getting new certificates
 
 More information about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue%20milestone%3A0.12.0
 
-# 0.11.1
-## 02/01/2017
+## 0.11.1 - 2017-02-01
+
+### Fixed
 
 * Resolve a problem where Certbot would crash while parsing command line
 arguments in some cases.
@@ -18,10 +27,10 @@ arguments in some cases.
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/pulls?q=is%3Apr%20milestone%3A0.11.1%20is%3Aclosed
 
-# 0.11.0
-## 02/01/2017
+## 0.11.0 - 2017-02-01
+
+### Added
 
-* Providing `--quiet` to `certbot-auto` now silences package manager output.
 * The UI has been improved in the standalone plugin. When using the
 plugin while running Certbot interactively and a required port is bound
 by another process, Certbot will give you the option to retry to grab
@@ -31,6 +40,13 @@ server using the `unregister` subcommand.
 * When revoking a certificate using the `revoke` subcommand, you now
 have the option to provide the reason the certificate is being revoked
 to Let's Encrypt with `--reason`.
+
+### Changed
+
+* Providing `--quiet` to `certbot-auto` now silences package manager output.
+
+### Removed
+
 * Removal of the optional `dnspython` dependency in our `acme` package.
 Now the library does not support client side verification of the DNS
 challenge.
@@ -38,23 +54,28 @@ challenge.
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.11.0+is%3Aclosed
 
-# 0.10.2
-## 01/25/2017
+## 0.10.2 - 2017-01-25
+
+### Added
 
-* We now save `--preferred-challenges` values for renewal. Previously
-these values were discarded causing a different challenge type to be
-used when renewing certs in some cases.
 * If Certbot receives a request with a `badNonce` error, we
 automatically retry the request. Since nonces from Let's Encrypt expire,
 this helps people performing the DNS challenge with the `manual` plugin
 who may have to wait an extended period of time for their DNS changes to
 propagate.
 
+### Fixed
+
+* We now save `--preferred-challenges` values for renewal. Previously
+these values were discarded causing a different challenge type to be
+used when renewing certs in some cases.
+
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.10.2+is%3Aclosed
 
-# 0.10.1
-## 01/13/2017
+## 0.10.1 - 2017-01-13
+
+### Fixed
 
 * Resolve problems where when asking Certbot to update a certificate at
 an existing path to include different domain names, the old names would
@@ -64,10 +85,11 @@ continue to be used.
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.10.1+is%3Aclosed
 
-# 0.10.0
-## 01/11/2017
+## 0.10.0 - 2017-01-11
 
-* The ability to customize and automatically complete DNS and HTTP
+## Added
+
+* Added the ability to customize and automatically complete DNS and HTTP
 domain validation challenges with the manual plugin. The flags
 `--manual-auth-hook` and `--manual-cleanup-hook` can now be provided
 when using the manual plugin to execute commands provided by the user to
@@ -75,23 +97,18 @@ perform and clean up challenges provided by the CA. This is best used in
 complicated setups where the DNS challenge must be used or Certbot's
 existing plugins cannot be used to perform HTTP challenges. For more
 information on how this works, see `certbot --help manual`.
-* A `--cert-name` flag for specifying the name to use for the
+* Added a `--cert-name` flag for specifying the name to use for the
 certificate in Certbot's configuration directory. Using this flag in
 combination with `-d/--domains`, a user can easily request a new
 certificate with different domains and save it with the name provided by
 `--cert-name`. Additionally, `--cert-name` can be used to select a
 certificate with the `certonly` and `run` subcommands so a full list of
 domains in the certificate does not have to be provided.
-* The subcommand `certificates` for listing the certificates managed by
+* Added subcommand `certificates` for listing the certificates managed by
 Certbot and their properties.
-* A `delete` subcommand for removing certificates managed by Certbot
+* Added `delete` subcommand for removing certificates managed by Certbot
 from the configuration directory.
-* Support for requesting internationalized domain names (IDNs).
-* Removal of the ncurses interface. This change solves problems people
-were having on many systems, reduces the number of Certbot dependencies,
-and simplifies our code. Certbot's only interface now is the text
-interface which was available by providing `-t/--text` to earlier
-versions of Certbot.
+* Support requesting internationalized domain names (IDNs).
 * Hooks provided to Certbot are now saved to be reused during renewal.
 If you run Certbot with `--pre-hook`, `--renew-hook`, or `--post-hook`
 flags when obtaining a certificate, the provided commands will
@@ -101,56 +118,80 @@ command either on the command line or in a [configuration
 file](https://certbot.eff.org/docs/using.html#configuration-file) to run
 an additional command before/after any certificate is renewed. Hooks
 will only be run if a certificate is renewed.
+* Support Busybox in certbot-auto.
+
+### Changed
+
 * Recategorized `-h/--help` output to improve documentation and
 discoverability.
-* Busybox support in certbot-auto.
+
+### Removed
+
+* Removed the ncurses interface. This change solves problems people
+were having on many systems, reduces the number of Certbot
+dependencies, and simplifies our code. Certbot's only interface now is
+the text interface which was available by providing `-t/--text` to
+earlier versions of Certbot.
+
+### Fixed
+
 * Many small bug fixes.
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.10.0is%3Aclosed
 
-# 0.9.3
-## 10/13/2016
+## 0.9.3 - 2016-10-13
+
+### Added
 
-* Adopt more conservative behavior about reporting a needed port as
-unavailable when using the standalone plugin.
 * The Apache plugin uses information about your OS to help determine the
 layout of your Apache configuration directory. We added a patch to
 ensure this code behaves the same way when testing on different systems
 as the tests were failing in some cases.
 
+### Changed
+
+* Adopt more conservative behavior about reporting a needed port as
+unavailable when using the standalone plugin.
+
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/milestone/27?closed=1
 
-# 0.9.2
-## 10/12/2016
+## 0.9.2 - 2016-10-12
+
+### Added
 
-* Ensuring we properly copy `ssl on;` directives as necessary when
-performing domain validation in the Nginx plugin.
-* Verifying that our optional dependencies version matches what is
-required by Certbot.
-* A fix for problems where symlinks were becoming files when they were
-packaged, causing errors during testing and OS packaging.
 * Stop requiring that all possibly required ports are available when
 using the standalone plugin. Only verify the ports are available when
 you know they are necessary.
 
+### Fixed
+
+* Verify that our optional dependencies version matches what is
+required by Certbot.
+* Ensure we properly copy `ssl on;` directives as necessary when
+performing domain validation in the Nginx plugin.
+* Fix problems where symlinks were becoming files when they were
+packaged, causing errors during testing and OS packaging.
+
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/milestone/26?closed=1
 
-# 0.9.1
-## 10/06/2016
+## 0.9.1 - 2016-10-06
 
-* This version of Certbot simply fixes a bug that was introduced in version
-0.9.0 where the command line flag -q/--quiet wasn't respected in some cases.
+### Fixed
+
+* Fix a bug that was introduced in version 0.9.0 where the command
+line flag -q/--quiet wasn't respected in some cases.
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/milestone/25?closed=1
 
-# 0.9.0
-## 10/05/2016
+## 0.9.0 - 2016-10-05
 
-* An alpha version of the Nginx plugin. This plugin fully automates the
+### Added
+
+* Add an alpha version of the Nginx plugin. This plugin fully automates the
 process of obtaining and installing certificates with Nginx.
 Additionally, it is able to automatically configure security
 enhancements such as an HTTP to HTTPS redirect and OCSP stapling. To use
@@ -159,11 +200,11 @@ is installed automatically when using `certbot-auto`) and provide
 `--nginx` on the command line. This plugin is still in its early stages
 so we recommend you use it with some caution and make sure you have a
 backup of your Nginx configuration.
-* Support for the `DNS` challenge in the `acme` library as well as `DNS`
-support in Certbot's `manual` plugin. This allows you to create DNS
-records to prove to Let's Encrypt you control the requested the domain
-name. To use this feature, include `--manual --preferred-challenges dns`
-on the command line.
+* Support the `DNS` challenge in the `acme` library and `DNS` in
+Certbot's `manual` plugin. This allows you to create DNS records to
+prove to Let's Encrypt you control the requested domain name. To use
+this feature, include `--manual --preferred-challenges dns` on the
+command line.
 * Help with enabling Extra Packages for Enterprise Linux (EPEL) on
 CentOS 6 when using `certbot-auto`. To use `certbot-auto` on CentOS 6,
 the EPEL repository has to be enabled. `certbot-auto` will now prompt
@@ -175,20 +216,25 @@ included on the command line.
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.9.0+is%3Aclosed
 
-# 0.8.1
-## 06/14/2016
+## 0.8.1 - 2016-06-14
 
-* Preserving a certificate's common name when using `renew`
+### Added
+
+* Preserve a certificate's common name when using `renew`
 * Save webroot values for renewal when they are entered interactively
-* Problems with an invalid user-agent string on OS X
-* Gracefully reporting the Apache plugin isn't usable when Augeas is not installed
+* Gracefully report the Apache plugin isn't usable when Augeas is not installed
 * Experimental support for Mageia has been added to `certbot-auto`
 
+### Fixed
+
+* Fix problems with an invalid user-agent string on OS X
+
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.8.1+
 
-# 0.8.0
-## 06/02/2016
+## 0.8.0 - 2016-06-02
+
+### Added
 
 * The main new feature in this release is the `register` subcommand which
 can be used to register an account with the Let's Encrypt CA.
@@ -198,76 +244,94 @@ change the e-mail address associated with your registration.
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue+milestone%3A0.8.0+
 
-# 0.7.0
-## 05/27/2016
+## 0.7.0 - 2016-05-27
 
-* `--must-staple` to request certificates from Let's Encrypt with the
-OCSP must staple extension
-* automatic configuration of OSCP stapling for Apache
-* requesting certificates for domains found in the common name of a
-custom CSR
-* a number of bug fixes
+### Added
+
+* Added `--must-staple` to request certificates from Let's Encrypt
+with the OCSP must staple extension
+* Automatically configure OSCP stapling for Apache
+* Allow requesting certificates for domains found in the common name
+of a custom CSR
+
+### Fixed
+
+* Miscellaneous bug fixes
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=milestone%3A0.7.0+is%3Aissue
 
-# 0.6.0
-## 05/12/2016
+## 0.6.0 - 2016-05-12
+
+### Added
+
+* Versioned the datetime dependency in setup.py
+
+### Changed
 
 * Renamed the client from `letsencrypt` to `certbot`
+
+### Fixed
+
 * Fixed a small json deserialization error
-* Versioned the datetime dependency in setup.py
 * Preserve domain order in generated CSRs
 * Some minor bug fixes
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/certbot/certbot/issues?q=is%3Aissue%20milestone%3A0.6.0%20is%3Aclosed%20
 
-# 0.5.0
-## 04/05/2016
+## 0.5.0 - 2016-04-05
 
-* The ability to use the webroot plugin interactively.
-* The flags --pre-hook, --post-hook, and --renew-hook which can be used
-with the renew subcommand to register shell commands to run in
-response to renewal events. Pre-hook commands will be run before
-any certs are renewed, post-hook commands will be run after any
-certs are renewed, and renew-hook commands will be run after each
-cert is renewed. If no certs are due for renewal, no command is run.
-* Cleaner renewal configuration files. In /etc/letsencrypt/renewal by
-default, these files can be used to control what parameters are used
-when renewing a specific certificate.
+### Added
+
+* Add the ability to use the webroot plugin interactively.
+* The flags --pre-hook, --post-hook, and --renew-hook can be used with
+the renew subcommand to register shell commands to run in response to
+renewal events. Pre-hook commands will be run before any certs are
+renewed, post-hook commands will be run after any certs are renewed,
+and renew-hook commands will be run after each cert is renewed. If no
+certs are due for renewal, no command is run.
 * A -q/--quiet flag which silences all output except errors.
 * An --allow-subset-of-domains flag which can be used with the renew
 command to prevent renewal failures for a subset of the requested
 domains from causing the client to exit.
 
+### Changed
+
+* Use cleaner renewal configuration files. In /etc/letsencrypt/renewal
+by default, these files can be used to control what parameters are
+used when renewing a specific certificate.
+
 More details about these changes can be found on our GitHub repo:
 https://github.com/letsencrypt/letsencrypt/issues?q=milestone%3A0.5.0+is%3Aissue
 
-# 0.4.2
-## 03/03/2016
+## 0.4.2 - 2016-03-03
+
+### Fixed
 
 * Resolves problems encountered when compiling letsencrypt
 against the new OpenSSL release.
-* A patch fixing problems of using letsencrypt renew with configuration files
+* A patch fixing problems of using `letsencrypt renew` with configuration files
 from private beta has been added.
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/letsencrypt/letsencrypt/issues?q=is%3Aissue+milestone%3A0.4.2
 
-# 0.4.1
-## 02/29/2016
+## 0.4.1 - 2016-02-29
 
-* Fixes Apache parsing errors with some configurations
-* Fixes Werkzeug dependency problems on some Red Hat systems
-* Fixes bootstrapping failures when using letsencrypt-auto with --no-self-upgrade
-* Fixes problems with parsing renewal config files from private beta
+### Fixed
+
+* Fix Apache parsing errors with some configurations
+* Fix Werkzeug dependency problems on some Red Hat systems
+* Fix bootstrapping failures when using letsencrypt-auto with --no-self-upgrade
+* Fix problems with parsing renewal config files from private beta
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/letsencrypt/letsencrypt/issues?q=is:issue+milestone:0.4.1
 
-# 0.4.0
-## 02/10/2016
+## 0.4.0 - 2016-02-10
+
+### Added
 
 * The new verb/subcommand `renew` can be used to renew your existing
 certificates as they approach expiration. Running `letsencrypt renew`
@@ -290,13 +354,13 @@ stability, security, and performance of the script.
 More details about these changes can be found on our GitHub repo:
 https://github.com/letsencrypt/letsencrypt/issues?q=is%3Aissue+milestone%3A0.4.0
 
-# 0.3.0
-## 01/27/2016
+## 0.3.0 - 2016-01-27
 
-* A non-interactive mode which can be enabled by including `-n` or
-`--non-interactive` on the command line. This can be used to
-guarantee the client will not prompt when run automatically using
-cron/systemd.
+### Added
+
+* Add a non-interactive mode which can be enabled by including `-n` or
+`--non-interactive` on the command line. This can be used to guarantee
+the client will not prompt when run automatically using cron/systemd.
 * Preparation for the new letsencrypt-auto script. Over the past
 couple months, we've been working on increasing the reliability and
 security of letsencrypt-auto. A number of changes landed in this
@@ -305,8 +369,9 @@ release to prepare for the new version of this script.
 More details about these changes can be found on our GitHub repo:
 https://github.com/letsencrypt/letsencrypt/issues?q=is%3Aissue+milestone%3A0.3.0
 
-# 0.2.0
-## 01/14/2016
+## 0.2.0 - 2016-01-14
+
+### Added
 
 * Apache plugin support for non-Debian based systems. Support has been
 added for modern Red Hat based systems such as Fedora 23, Red Hat 7,
@@ -314,23 +379,30 @@ and CentOS 7 running Apache 2.4. In theory, this plugin should be
 able to be configured to run on any Unix-like OS running Apache 2.4.
 * Relaxed PyOpenSSL version requirements. This adds support for systems
 with PyOpenSSL versions 0.13 or 0.14.
+* Improved error messages from the client.
+
+### Fixed
+
 * Resolves issues with the Apache plugin enabling an HTTP to HTTPS
 redirect on some systems.
-* Improved error messages from the client.
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/letsencrypt/letsencrypt/issues?q=is%3Aissue+milestone%3A0.2.0
 
-# 0.1.1
-## 12/15/2015
+## 0.1.1 - 2015-12-15
+
+### Added
 
-* Fix a confusing UI path that caused some users to repeatedly renew
-their certs while experimenting with the client, in some cases
-hitting issuance rate limits
-* Fixes numerous Apache configuration parser fixes
 * Avoids attempting to issue for unqualified domain names like
 "localhost"
-* Fixes --webroot permission handling for non-root users
+
+### Fixed
+
+* Fix a confusing UI path that caused some users to repeatedly renew
+their certs while experimenting with the client, in some cases hitting
+issuance rate limits
+* Fix numerous Apache configuration parser problems
+* Fix --webroot permission handling for non-root users
 
 More details about these changes can be found on our GitHub repo:
 https://github.com/letsencrypt/letsencrypt/issues?q=milestone%3A0.1.1