From 1dbbc64ce947af000b764e806429e3f87cb3a55e Mon Sep 17 00:00:00 2001 From: Lukas Schauer Date: Fri, 24 Oct 2025 09:14:05 +0200 Subject: [PATCH] implement workaround for openssl regression (fixes #981) The introduction of the `-multi` option to the x509 subcommand introduced a regression to the `-checkend` behaviour, preventing openssl to correctly indicate the certificate expiry status via its exit code. This commit introduces a (maybe temporary) workaround by instead checking the output string.
---
 dehydrated | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dehydrated b/dehydrated
index 28c4711..4867151 100755
--- a/dehydrated
+++ b/dehydrated
@@ -1952,7 +1952,7 @@ command_sign_domains() {
 valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
 printf " + Valid till %s " "${valid}"
- if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" > /dev/null 2>&1); then
+ if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then
 printf "(Longer than %d days). " "${RENEW_DAYS}"
 if [[ "${force_renew}" = "yes" ]]; then
 echo "Ignoring because renew was forced!"
--
2.47.3
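Review bot: The new condition on the `-checkend` line depends on the exact wording `will not expire` in openssl's output, and nothing at the call site records why the exit code is no longer trusted. A comment above the `if`, such as `# openssl x509 -checkend may not signal expiry via its exit code (see #981), so match its output instead`, would keep a later cleanup from restoring the exit-code test. Because stderr is merged into the pipe, an openssl error or a differently worded message simply fails to match. That presumably falls through to the renewal branch, which is outside this hunk, so the failure direction would be a renewal attempt on every run rather than a missed expiry; the comment should say so. The enclosing `command_sign_domains` body starts and ends outside the hunk.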