From: Lukas Schauer
Date: Sat, 5 Jul 2025 08:55:33 +0000 (+0200)
Subject: allow KEEP_GOING to also skip over ocsp stapling errors, update ocsp error message...
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=ad43e250b2c3617e15a4e0aea7a4d447adc3079b;p=thirdparty%2Fdehydrated.git
allow KEEP_GOING to also skip over ocsp stapling errors, update ocsp error message with a hint about deprecation on some CAs
---
diff --git a/CHANGELOG b/CHANGELOG
index 9c42656..57c452a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,7 @@ This file contains a log of major changes in dehydrated
 ## Changed
 - Only validate existance of wellknown directory or hook script when actually needed
 - Also allow setting `KEEP_GOING` in config file instead of relying on cli arguments
+- Allow skipping over OCSP stapling errors, indicate that some CAs no longer support OCSP
 ## [0.7.2] - 2025-05-18
 ## Added
diff --git a/dehydrated b/dehydrated
index 20f4c76..29e0ec5 100755
--- a/dehydrated
+++ b/dehydrated
@@ -1641,6 +1641,36 @@ sign_domain() {
 echo " + Done!"
 }
+# Update OCSP stapling file
+update_ocsp_stapling() {
+ local certdir="${1}"
+ local update_ocsp="${2}"
+ local cert="${3}"
+ local chain="${4}"
+
+ local ocsp_url="$(get_ocsp_url "${cert}")"
+
+ if [[ ! -e "${certdir}/ocsp.der" ]]; then
+ update_ocsp="yes"
+ elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then
+ update_ocsp="yes"
+ fi
+
+ if [[ "${update_ocsp}" = "yes" ]]; then
+ echo " + Updating OCSP stapling file"
+ ocsp_timestamp="$(date +%s)"
+ if grep -qE "^(openssl (0|(1\.0))\.)|(libressl (1|2|3)\.)" <<< "$(${OPENSSL} version | awk '{print tolower($0)}')"; then
+ ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" -header "HOST" "$(echo "${ocsp_url}" | _sed -e 's/^http(s?):\/\///' -e 's/\/.*$//g')" 2>&1)" || _exiterr "Fetching of OCSP information failed. Please note that some CAs (e.g. LetsEncrypt) do no longer support OCSP. Error message: ${ocsp_log}"
+ else
+ ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" 2>&1)" || _exiterr "Fetching of OCSP information failed. Please note that some CAs (e.g. LetsEncrypt) do no longer support OCSP. Error message: ${ocsp_log}"
+ fi
+ ln -sf "ocsp-${ocsp_timestamp}.der" "${certdir}/ocsp.der"
+ [[ -n "${HOOK}" ]] && (altnames="${domain} ${morenames}" "${HOOK}" "deploy_ocsp" "${domain}" "${certdir}/ocsp.der" "${ocsp_timestamp}" || _exiterr 'deploy_ocsp hook returned with non-zero exit code')
+ else
+ echo " + OCSP stapling file is still valid (skipping update)"
+ fi
+}
+
 # Usage: --version (-v)
 # Description: Print version information
 command_version() {
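Review bot: In the `update_ocsp` branch the function's last command is `[[ -n "${HOOK}" ]] && (...)`, so when no hook is configured `update_ocsp_stapling` returns 1 even though the stapling file was refreshed; in the second hunk of this file that makes `wait $!` record a spurious `exit_with_errorcode=1` under KEEP_GOING and, if the script runs with `set -e` (not visible here), aborts the plain call. The removed inline code returned that status from an `if` body inside the loop, which errexit leaves alone, whereas a non-zero return from a function call is checked like any simple command. Invert the guard so the line succeeds when there is no hook: `[[ -z "${HOOK}" ]] || (altnames="${domain} ${morenames}" "${HOOK}" "deploy_ocsp" "${domain}" "${certdir}/ocsp.der" "${ocsp_timestamp}" || _exiterr 'deploy_ocsp hook returned with non-zero exit code')`. Separately, `local ocsp_url="$(get_ocsp_url "${cert}")"` masks get_ocsp_url's exit status (the removed code declared and assigned on two lines, which is the safer form), and `ocsp_timestamp` and `ocsp_log` should be declared `local` now that the code lives in a function rather than the loop body.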
@@ -1953,27 +1983,13 @@ command_sign_domains() {
 fi
 if [[ "${OCSP_FETCH}" = "yes" ]]; then
- local ocsp_url
- ocsp_url="$(get_ocsp_url "${cert}")"
-
- if [[ ! -e "${certdir}/ocsp.der" ]]; then
- update_ocsp="yes"
- elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then
- update_ocsp="yes"
- fi
-
- if [[ "${update_ocsp}" = "yes" ]]; then
- echo " + Updating OCSP stapling file"
- ocsp_timestamp="$(date +%s)"
- if grep -qE "^(openssl (0|(1\.0))\.)|(libressl (1|2|3)\.)" <<< "$(${OPENSSL} version | awk '{print tolower($0)}')"; then
- ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" -header "HOST" "$(echo "${ocsp_url}" | _sed -e 's/^http(s?):\/\///' -e 's/\/.*$//g')" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
- else
- ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
- fi
- ln -sf "ocsp-${ocsp_timestamp}.der" "${certdir}/ocsp.der"
- [[ -n "${HOOK}" ]] && (altnames="${domain} ${morenames}" "${HOOK}" "deploy_ocsp" "${domain}" "${certdir}/ocsp.der" "${ocsp_timestamp}" || _exiterr 'deploy_ocsp hook returned with non-zero exit code')
+ if [[ "${KEEP_GOING:-}" = "yes" ]]; then
+ skip_exit_hook=yes
+ update_ocsp_stapling "${certdir}" "${update_ocsp}" "${cert}" "${chain}" &
+ wait $! || exit_with_errorcode=1
+ skip_exit_hook=no
 else
- echo " + OCSP stapling file is still valid (skipping update)"
+ update_ocsp_stapling "${certdir}" "${update_ocsp}" "${cert}" "${chain}"
 fi
 fi
 done
diff --git a/docs/examples/config b/docs/examples/config
index 4b5b2d7..b815741 100644
--- a/docs/examples/config
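Review bot: The KEEP_GOING branch gives no hint why `update_ocsp_stapling` is started with `&` and immediately waited on, which is exactly the construct a later reader is likely to "simplify" into a plain call; add above `skip_exit_hook=yes` a comment such as `# Run in a subshell so a failing OCSP fetch (_exiterr inside) only aborts this domain's update; skip_exit_hook keeps the child from running the exit hook`. Since the `_exiterr` calls inside the function presumably terminate only that subshell, `wait $! || exit_with_errorcode=1` is the single place where the failure is recorded, and the comment should say so. That `skip_exit_hook` and `exit_with_errorcode` are globals maintained elsewhere in the file is inferred, not visible here; the enclosing `command_sign_domains` loop begins before this hunk.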
+++ b/docs/examples/config
@@ -140,5 +140,5 @@
 # Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
 #ORDER_TIMEOUT=0
-# Skip over errors during certificate orders (default: no)
+# Skip over errors during certificate orders and updating of OCSP stapling information (default: no)
 #KEEP_GOING=no