throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support

This commit is contained in:
Lukas Schauer
2025-07-05 11:12:31 +02:00
parent ad43e250b2
commit 12877bb238
2 changed files with 7 additions and 0 deletions


@@ -9,6 +9,7 @@ This file contains a log of major changes in dehydrated
- Only validate existance of wellknown directory or hook script when actually needed
- Also allow setting `KEEP_GOING` in config file instead of relying on cli arguments
- Allow skipping over OCSP stapling errors, indicate that some CAs no longer support OCSP
- Throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
## [0.7.2] - 2025-05-18
## Added


@@ -1650,6 +1650,12 @@ update_ocsp_stapling() {
local ocsp_url="$(get_ocsp_url "${cert}")"
if [[ -z "${ocsp_url}" ]]; then
echo " ! ERROR: OCSP stapling requested but no OCSP url found in certificate." >&2
echo " ! Keep in mind that some CAs ended support for OCSP: https://letsencrypt.org/2024/12/05/ending-ocsp/" >&2
return 1
fi
if [[ ! -e "${certdir}/ocsp.der" ]]; then
update_ocsp="yes"
elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then