mirror of
https://github.com/dehydrated-io/dehydrated.git
made ocsp refresh interval configurable
@@ -3,7 +3,7 @@ This file contains a log of major changes in dehydrated
|
|||||||
|
|
||||||
## [x.x.x] - xxxx-xx-xx
|
## [x.x.x] - xxxx-xx-xx
|
||||||
## Changed
|
## Changed
|
||||||
- ??
|
- OCSP refresh interval is now configurable
|
||||||
|
|
||||||
## Added
|
## Added
|
||||||
- ??
|
- ??
|
||||||
|
|||||||
@@ -106,6 +106,7 @@ verify_config() {
|
|||||||
[[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... cannot continue."
|
[[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... cannot continue."
|
||||||
fi
|
fi
|
||||||
[[ "${API}" == "auto" || "${API}" == "1" || "${API}" == "2" ]] || _exiterr "Unsupported API version defined in config: ${API}"
|
[[ "${API}" == "auto" || "${API}" == "1" || "${API}" == "2" ]] || _exiterr "Unsupported API version defined in config: ${API}"
|
||||||
|
[[ "${OCSP_DAYS}" =~ ^[0-9]+$ ]] || _exiterr "OCSP_DAYS must be a number"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Setup default config values, search for and load configuration files
|
# Setup default config values, search for and load configuration files
|
||||||
@@ -145,6 +146,7 @@ load_config() {
|
|||||||
LOCKFILE=
|
LOCKFILE=
|
||||||
OCSP_MUST_STAPLE="no"
|
OCSP_MUST_STAPLE="no"
|
||||||
OCSP_FETCH="no"
|
OCSP_FETCH="no"
|
||||||
|
OCSP_DAYS=5
|
||||||
IP_VERSION=
|
IP_VERSION=
|
||||||
CHAINCACHE=
|
CHAINCACHE=
|
||||||
AUTO_CLEANUP="no"
|
AUTO_CLEANUP="no"
|
||||||
@@ -1310,7 +1312,7 @@ command_sign_domains() {
|
|||||||
|
|
||||||
if [[ ! -e "${certdir}/ocsp.der" ]]; then
|
if [[ ! -e "${certdir}/ocsp.der" ]]; then
|
||||||
update_ocsp="yes"
|
update_ocsp="yes"
|
||||||
elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age 432000 2>&1 | grep -q "${cert}: good"); then
|
elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then
|
||||||
update_ocsp="yes"
|
update_ocsp="yes"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
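Review bot: The `OCSP_DAYS` check added in verify_config accepts values that the `-status_age $((OCSP_DAYS*24*3600))` expansion in command_sign_domains then misreads. `^[0-9]+$` lets leading zeros through, so bash arithmetic reads `010` as octal 8 and fails on `08` or `09`. It also allows `0`, which presumably makes every cached response count as too old and triggers a fetch on each run. I would tighten the check to `[[ "${OCSP_DAYS}" =~ ^[1-9][0-9]*$ ]] || _exiterr "OCSP_DAYS must be a positive integer without leading zeros"` and add an upper bound, because a very large value effectively switches the age check on the cached `ocsp.der` off and can overflow the multiplication. Both functions continue outside the hunks shown.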
@@ -106,6 +106,9 @@
|
|||||||
# Fetch OCSP responses (default: no)
|
# Fetch OCSP responses (default: no)
|
||||||
#OCSP_FETCH="no"
|
#OCSP_FETCH="no"
|
||||||
|
|
||||||
|
# OCSP refresh interval (default: 5 days)
|
||||||
|
#OCSP_DAYS=5
|
||||||
|
|
||||||
# Issuer chain cache directory (default: $BASEDIR/chains)
|
# Issuer chain cache directory (default: $BASEDIR/chains)
|
||||||
#CHAINCACHE="${BASEDIR}/chains"
|
#CHAINCACHE="${BASEDIR}/chains"
|
||||||
|
|
||||||
|
|||||||