throw error with information about OCSP deprecation if certificate doesn't indicate...

diff --git a/CHANGELOG b/CHANGELOG
index 57c452a903a0df0eff40bcf7a38fa0f82e97683e..cef201d52fbc11acf2a1c26d9c9c45e7aea57115 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ This file contains a log of major changes in dehydrated
 - Only validate existance of wellknown directory or hook script when actually needed
 - Also allow setting `KEEP_GOING` in config file instead of relying on cli arguments
 - Allow skipping over OCSP stapling errors, indicate that some CAs no longer support OCSP
+- Throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
 
 ## [0.7.2] - 2025-05-18
 ## Added

diff --git a/dehydrated b/dehydrated
index 29e0ec5c56e4c1dbe887bb3da43b1cae7000de56..28c4711cfccdfc4700807f7110a55e608bbcd57f 100755 (executable)
--- a/dehydrated
+++ b/dehydrated
@@ -1650,6 +1650,12 @@ update_ocsp_stapling() {
 
     local ocsp_url="$(get_ocsp_url "${cert}")"
 
+    if [[ -z "${ocsp_url}" ]]; then
+      echo " ! ERROR: OCSP stapling requested but no OCSP url found in certificate." >&2
+      echo " ! Keep in mind that some CAs ended support for OCSP: https://letsencrypt.org/2024/12/05/ending-ocsp/" >&2
+      return 1
+    fi
+
     if [[ ! -e "${certdir}/ocsp.der" ]]; then
       update_ocsp="yes"
     elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then