From b9bff54bd6bca16e8195b929c869ba1cab1f569c Mon Sep 17 00:00:00 2001
From: Dominik Rimpf
Date: Tue, 31 Mar 2026 19:04:14 +0200
Subject: [PATCH] fix: simplify SAN comparison + SAN regex (closes #996)
---
 dehydrated | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/dehydrated b/dehydrated
index 38c91db..d2202ac 100755
--- a/dehydrated
+++ b/dehydrated
@@ -281,7 +281,7 @@ ipv6_shorten() {
 ipv6_normalize() {
 for domain in $(cat); do
 if [[ "${domain}" =~ : ]]; then
- ipv6_expand <<< "${domain}" | ipv6_shorten
+ printf "%s" "${domain}" | ipv6_expand | ipv6_shorten
 else
 printf "%s" "${domain}"
 fi
@@ -1837,6 +1837,12 @@ parse_domains_txt() {
 (grep -vE '^(#|$)' || true)
 }
+# normalize SAN lists
+# normalize IPv6 adresses, and sort alphabetically
+normalize_san_list() {
+ cat | awk '{print tolower($0)}' | _sed 's/ $//' | _sed 's/^ //' | ipv6_normalize | tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//'
+}
+
 # Usage: --cron (-c)
 # Description: Sign/renew non-existent/changed/expiring certificates.
 command_sign_domains() {
@@ -1972,8 +1978,8 @@ command_sign_domains() {
 if [[ -e "${cert}" && "${force_renew}" = "no" ]]; then
 printf " + Checking domain name(s) of existing cert..."
- certnames="$("${OPENSSL}" x509 -in "${cert}" -text -noout | grep -E '(DNS|IP( Address*)):' | _sed 's/(DNS|IP( Address)*)://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | _sed 's/ $//' | awk '{print tolower($0)}' | ipv6_normalize)"
- givennames="$(echo "${domain}" "${morenames}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | _sed 's/ip://g' | _sed 's/ $//' | _sed 's/^ //' | ipv6_normalize)"
+ certnames="$("${OPENSSL}" x509 -in "${cert}" -text -noout | grep -E '(DNS|IP( Address)*):' | _sed 's/(DNS|IP( Address)*)://g' | tr -d ' ' | tr ',' ' ' | normalize_san_list )"
+ givennames="$(echo "${domain}" "${morenames}" | _sed 's/ip://g' | normalize_san_list )"
 if [[ "${certnames}" = "${givennames}" ]]; then
 echo " unchanged."
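Review bot: The replacement line hands ipv6_expand a value with no terminating newline, because `printf "%s"` omits the newline the here-string used to supply; if ipv6_expand consumes its input with `read`, the final unterminated line makes `read` return non-zero, which under `set -e` or inside a `while read` loop would silently drop the address, so confirm it reads via `$(cat)` or an equivalent that tolerates a missing newline (ipv6_expand itself is outside this hunk). The enclosing `for domain in $(cat)` also leaves the unquoted expansion subject to pathname globbing, so a wildcard SAN such as `*.example.com` could be replaced by matching file names from the working directory unless `set -f` is in effect earlier in the script; if that is guaranteed, a comment such as `# relies on set -f: wildcard SANs must not be glob-expanded` at the loop would make the dependency explicit. ipv6_normalize's body continues past the end of the hunk.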
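Review bot: `normalize_san_list` opens with a redundant `cat |`, since awk reads the function's standard input itself; starting the pipeline at `awk '{print tolower($0)}' | _sed 's/ $//' | _sed 's/^ //' | ipv6_normalize | ...` behaves the same with one process fewer. The header comment has a typo (`adresses`) and does not state the contract both callers in command_sign_domains depend on, namely that the input is one whitespace-separated line of names and the output is those names lowercased, IPv6 literals normalized, sorted and deduplicated, joined by single spaces with no trailing space; suggest `# Filter: lowercase, normalize IPv6 literals, then sort -u the names and emit one space-separated line (used to compare cert SANs with domains.txt entries).` Running ipv6_normalize ahead of `tr ' ' '\n'` also relies on ipv6_normalize re-joining its tokens with single spaces, which this hunk does not show; a one-line comment naming that dependency would save the next reader a trip to that function.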