From 12877bb23836f08078ee77e78e39247eb7736789 Mon Sep 17 00:00:00 2001
From: Lukas Schauer
Date: Sat, 5 Jul 2025 11:12:31 +0200
Subject: [PATCH] throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
---
 CHANGELOG | 1 +
 dehydrated | 6 ++++++
 2 files changed, 7 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index 57c452a..cef201d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@ This file contains a log of major changes in dehydrated
 - Only validate existance of wellknown directory or hook script when actually needed
 - Also allow setting `KEEP_GOING` in config file instead of relying on cli arguments
 - Allow skipping over OCSP stapling errors, indicate that some CAs no longer support OCSP
+- Throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
 ## [0.7.2] - 2025-05-18
 ## Added
diff --git a/dehydrated b/dehydrated
index 29e0ec5..28c4711 100755
--- a/dehydrated
+++ b/dehydrated
@@ -1650,6 +1650,12 @@ update_ocsp_stapling() {
   local ocsp_url="$(get_ocsp_url "${cert}")"
+  if [[ -z "${ocsp_url}" ]]; then
+    echo " ! ERROR: OCSP stapling requested but no OCSP url found in certificate." >&2
+    echo " ! Keep in mind that some CAs ended support for OCSP: https://letsencrypt.org/2024/12/05/ending-ocsp/" >&2
+    return 1
+  fi
+
   if [[ ! -e "${certdir}/ocsp.der" ]]; then
     update_ocsp="yes"
   elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then
-- 
2.39.5
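Review bot: The new guard reports "no OCSP url found in certificate" whenever `ocsp_url` is empty, but the context line `local ocsp_url="$(get_ocsp_url "${cert}")"` masks the exit status of `get_ocsp_url`, so a failed certificate read or parse produces the same empty string and the operator is pointed at CA OCSP deprecation instead of the real cause. Splitting declaration and assignment keeps the genuine no-OCSP case on the new message while surfacing lookup failures separately, e.g. `local ocsp_url` and `ocsp_url="$(get_ocsp_url "${cert}")" || { echo " ! ERROR: could not read OCSP url from ${cert}" >&2; return 1; }`, assuming `get_ocsp_url` propagates openssl's non-zero status (not visible here). The enclosing `update_ocsp_stapling` starts and ends outside the hunk, so whether callers treat this `return 1` the same way as the existing OCSP error path cannot be confirmed from this diff.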