Do not revalidate authorizations on forced renewal

This commit introduces a new cli argument `--force-validation` which,
when used in combination with `--force` ignores valid domain
authorizations and forces a revalidation.

This has been implemented because at least LE seems to have changed some
behavior regarding valid authorizations. Only the previously validated
authorization type is reusable, causing dehydrated to error out when
switching away from a recently validated authorization type while still trying
to force-renew certificates for whatever reason (e.g. changing algorithms).
This commit is contained in:
Lukas Schauer
2020-12-12 03:01:47 +01:00
parent 29b67962ac
commit 316054ad1c
3 changed files with 20 additions and 4 deletions


@@ -512,6 +512,10 @@ load_config() {
[[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
[[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then
_exiterr "Argument --force-validation can only be used in combination with --force (-x)"
fi
if [ ! "${1:-}" = "noverify" ]; then
verify_config
fi
@@ -1010,9 +1014,13 @@ sign_csr() {
fi
# Check if authorization has already been validated
if [ "$(echo "${response}" | _sed 's/"challenges": \[\{.*\}\]//' | get_json_string_value status)" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then
echo " + Found valid authorization for ${identifier}"
continue
if [ "$(echo "${response}" | get_json_string_value status)" = "valid" ]; then
if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ]; then
echo " + A valid authorization has been found but will be ignored"
else
echo " + Found valid authorization for ${identifier}"
continue
fi
fi
# Find challenge in authorization
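Review bot: The rewritten status check `if [ "$(echo "${response}" | get_json_string_value status)" = "valid" ]; then` drops the `_sed 's/"challenges": \[\{.*\}\]//'` step that the removed line applied before reading `status`, and the commit does not say why. If `get_json_string_value` returns the first `"status"` key it finds, a challenge's own `"status": "valid"` inside the challenges array could be taken for the authorization's status (for example an expired or deactivated authorization that still carries a previously valid challenge), so the authorization would be skipped here and the failure would only surface later at finalization; unless the strip was removed deliberately, keep it on the new line: `if [ "$(echo "${response}" | _sed 's/"challenges": \[\{.*\}\]//' | get_json_string_value status)" = "valid" ]; then`. The "will be ignored" message should also name the identifier like its sibling does, `echo " + A valid authorization for ${identifier} has been found but will be ignored"`, since a forced run prints it once per identifier. The enclosing loop in sign_csr starts and ends outside the hunk.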
@@ -2107,6 +2115,12 @@ main() {
PARAM_FORCE="yes"
;;
# PARAM_Usage: --force-validation
# PARAM_Description: Force revalidation of domain names (used in combination with --force)
--force-validation)
PARAM_FORCE_VALIDATION="yes"
;;
# PARAM_Usage: --no-lock (-n)
# PARAM_Description: Don't use lockfile (potentially dangerous!)
--no-lock|-n)