mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-07-11 15:42:44 +02:00
Do not revalidate authorizations on forced renewal
This commit introduces a new cli argument `--force-validation` which, when used in combination with `--force` ignores valid domain authorizations and forces a revalidation. This has been implemented since at least LE seems to have changed some behavior on valid authorizations. Only the previously validated authorization-type is reusable, causing dehydrated to error out when changing from recently validated authorization types while still trying to force-renew certificates for whatever reason (e.g. changing algorithms).
This commit is contained in:
@@ -2,7 +2,8 @@
|
|||||||
This file contains a log of major changes in dehydrated
|
This file contains a log of major changes in dehydrated
|
||||||
|
|
||||||
## [x.x.x] - xxxx-xx-xx
|
## [x.x.x] - xxxx-xx-xx
|
||||||
No major changes yet.
|
## Changed
|
||||||
|
- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
|
||||||
|
|
||||||
## [0.7.0] - 2020-12-10
|
## [0.7.0] - 2020-12-10
|
||||||
## Added
|
## Added
|
||||||
|
|||||||
@@ -74,6 +74,7 @@ Parameters:
|
|||||||
--alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
|
--alias certalias Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
|
||||||
--keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
|
--keep-going (-g) Keep going after encountering an error while creating/renewing multiple certificates in cron mode
|
||||||
--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
|
--force (-x) Force renew of certificate even if it is longer valid than value in RENEW_DAYS
|
||||||
|
--force-validation Force revalidation of domain names (used in combination with --force)
|
||||||
--no-lock (-n) Don't use lockfile (potentially dangerous!)
|
--no-lock (-n) Don't use lockfile (potentially dangerous!)
|
||||||
--lock-suffix example.com Suffix lockfile name with a string (useful for with -d)
|
--lock-suffix example.com Suffix lockfile name with a string (useful for with -d)
|
||||||
--ocsp Sets option in CSR indicating OCSP stapling to be mandatory
|
--ocsp Sets option in CSR indicating OCSP stapling to be mandatory
|
||||||
|
|||||||
+17
-3
@@ -512,6 +512,10 @@ load_config() {
|
|||||||
[[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
|
[[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
|
||||||
[[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
|
[[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
|
||||||
|
|
||||||
|
if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then
|
||||||
|
_exiterr "Argument --force-validation can only be used in combination with --force (-x)"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ ! "${1:-}" = "noverify" ]; then
|
if [ ! "${1:-}" = "noverify" ]; then
|
||||||
verify_config
|
verify_config
|
||||||
fi
|
fi
|
||||||
@@ -1010,9 +1014,13 @@ sign_csr() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Check if authorization has already been validated
|
# Check if authorization has already been validated
|
||||||
if [ "$(echo "${response}" | _sed 's/"challenges": \[\{.*\}\]//' | get_json_string_value status)" = "valid" ] && [ ! "${PARAM_FORCE:-no}" = "yes" ]; then
|
if [ "$(echo "${response}" | get_json_string_value status)" = "valid" ]; then
|
||||||
echo " + Found valid authorization for ${identifier}"
|
if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ]; then
|
||||||
continue
|
echo " + A valid authorization has been found but will be ignored"
|
||||||
|
else
|
||||||
|
echo " + Found valid authorization for ${identifier}"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Find challenge in authorization
|
# Find challenge in authorization
|
||||||
@@ -2107,6 +2115,12 @@ main() {
|
|||||||
PARAM_FORCE="yes"
|
PARAM_FORCE="yes"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
# PARAM_Usage: --force-validation
|
||||||
|
# PARAM_Description: Force revalidation of domain names (used in combination with --force)
|
||||||
|
--force-validation)
|
||||||
|
PARAM_FORCE_VALIDATION="yes"
|
||||||
|
;;
|
||||||
|
|
||||||
# PARAM_Usage: --no-lock (-n)
|
# PARAM_Usage: --no-lock (-n)
|
||||||
# PARAM_Description: Don't use lockfile (potentially dangerous!)
|
# PARAM_Description: Don't use lockfile (potentially dangerous!)
|
||||||
--no-lock|-n)
|
--no-lock|-n)
|
||||||
|
|||||||
Reference in New Issue
Block a user