Do not revalidate authorizations on forced renewal

This commit introduces a new cli argument `--force-validation` which, when used in combination with `--force` ignores valid domain authorizations and forces a revalidation. This has been implemented since at least LE seems to have changed some behavior on valid authorizations. Only the previously validated authorization-type is reusable, causing dehydrated to error out when changing from recently validated authorization types while still trying to force-renew certificates for whatever reason (e.g. changing algorithms).
2026-03-24 18:11:16 +01:00 · 2020-12-12 03:01:47 +01:00
parent 29b67962ac
commit 316054ad1c
3 changed files with 20 additions and 4 deletions
--- a/3
+++ b/3
@@ -2,7 +2,8 @@
 This file contains a log of major changes in dehydrated

 ## [x.x.x] - xxxx-xx-xx
-No major changes yet.
+## Changed
+- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that

 ## [0.7.0] - 2020-12-10
 ## Added
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ Parameters:
 --alias certalias                Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
 --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --force-validation               Force revalidation of domain names (used in combination with --force)
 --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
--- a/20
+++ b/20
@@ -512,6 +512,10 @@ load_config() {
  [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
  [[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"

+  if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then
+    _exiterr "Argument --force-validation can only be used in combination with --force (-x)"
+  fi
+
  if [ ! "${1:-}" = "noverify" ]; then
    verify_config
  fi
@@ -1010,9 +1014,13 @@ sign_csr() {
    fi

    # Check if authorization has already been validated
-    if [ "$(echo "${response}" | _sed 's/"challenges": \[\{.*\}\]//' | get_json_string_value status)" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then
-      echo " + Found valid authorization for ${identifier}"
-      continue
+    if [ "$(echo "${response}" | get_json_string_value status)" = "valid" ]; then
+      if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ]; then
+        echo " + A valid authorization has been found but will be ignored"
+      else
+        echo " + Found valid authorization for ${identifier}"
+        continue
+      fi
    fi

    # Find challenge in authorization
@@ -2107,6 +2115,12 @@ main() {
        PARAM_FORCE="yes"
        ;;

+      # PARAM_Usage: --force-validation
+      # PARAM_Description: Force revalidation of domain names (used in combination with --force)
+      --force-validation)
+        PARAM_FORCE_VALIDATION="yes"
+        ;;
+
      # PARAM_Usage: --no-lock (-n)
      # PARAM_Description: Don't use lockfile (potentially dangerous!)
      --no-lock|-n)