Lukas Schauer
1dbbc64ce9
implement workaround for openssl regression (fixes #981)
...
The introduction of the `-multi` option to the x509 subcommand
introduced a regression to the `-checkend` behaviour, preventing
openssl from correctly indicating the certificate expiry status via
its exit code.
This commit introduces a (maybe temporary) workaround by instead
checking the output string.
2025-10-24 09:22:31 +02:00
Lukas Schauer
12877bb238
throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
2025-07-05 11:13:45 +02:00
Lukas Schauer
ad43e250b2
allow KEEP_GOING to also skip over ocsp stapling errors, update ocsp error message with a hint about deprecation on some CAs
2025-07-05 10:55:33 +02:00
Lukas Schauer
8e9e5ef9c7
also allow setting KEEP_GOING as a config option
2025-07-05 10:54:29 +02:00
Lukas Schauer
a7deeaedbc
set empty subject for ip-certificates
...
as suggested by @candlerb in #783
2025-07-05 10:28:13 +02:00
Victor Coss
3d95f18000
Don't allow CDNs to send cached responses
...
A lot of CAs use a CDN service to protect and speed up their ACME service. These CDN services can sometimes misbehave and send cached results. For example, DigiCert's ACME service uses the Imperva CDN. It will send cached results on the DNS validation, challenge endpoint, resulting in it being stuck in the processing status, thus dehydrated is hung and never gets the certificate.
2025-06-17 19:52:29 +02:00
Lukas Schauer
ce9eb300e2
implemented domain validation timeout
2025-06-17 19:51:27 +02:00
Lukas Schauer
9cfcd66f15
small addition to 0.7.2 changelog
2025-05-18 02:28:57 +02:00
Lukas Schauer
73bb54a4b2
updated changelog
2025-05-18 02:16:14 +02:00
Lukas Schauer
3a71a7ad94
only validate existence of wellknown directory or hook script when actually necessary (fixes #965)
2025-05-18 02:07:04 +02:00
Lukas Schauer
0290338853
post-v0.7.2-release
2025-05-18 01:36:16 +02:00
Lukas Schauer
fcca67b53c
release v0.7.2
v0.7.2
2025-05-18 01:34:32 +02:00
Lukas Schauer
cf9e6a33fd
Allow for automatic deletion of old files
2025-05-02 15:00:48 +02:00
Lukas Schauer
bec154f070
Added a configuration parameter to allow for timeouts during order processing (fixes #955)
2025-05-02 14:42:57 +02:00
Lukas Schauer
0141d86267
Update README (closes #964)
2025-05-02 14:38:45 +02:00
Lukas Schauer
a86a176805
use temporary csr file instead of stdin (keeps compatibility to older openssl versions)
2025-04-23 11:24:42 +02:00
Lukas Schauer
200cd68e7e
updated changelog
2025-04-14 19:49:31 +02:00
Christian Kujau
e973cb2d8a
Disable warning when reading CSRs from stdin.
...
Coming across the same warning that was reported in
[PR#929](https://github.com/dehydrated-io/dehydrated/pull/929 "Suppress
openssl warning about reading from stdin") this is my attempt to disable
this warning. Instead of discarding stderr in total (this can still be
useful), we just use the "-in" parameter as hinted in the warning:
    $ foo=$(cat req.csr)
    $ <<<${foo} openssl req -noout -verify > /dev/null; echo $?
    Warning: Will read cert request from stdin since no -in option is given
    0
    $ <<<${foo} openssl req -in - -noout -verify > /dev/null; echo $?
    0
2025-04-14 19:42:15 +02:00
Lukas Schauer
7c438c484f
added google ca to example config and added documentation link to error message
2025-04-14 19:12:59 +02:00
hshh
a94f451014
Add support for Google Trust Services.
...
Official Documentation: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial
The first registration requires obtaining EAB_KID and EAB_HMAC_KEY according to the document, and setting CONTACT_EMAIL, EAB_HMAC_KEY, EAB_KID in the configuration file.
2025-04-14 18:59:59 +02:00
Bob Idle
a615a55ad6
Update dehydrated repo urls in man page
2025-04-14 18:57:00 +02:00
Lukas Schauer
f6d82e2715
fix small issue with certificate profile selection (use key instead of value)
2025-04-14 18:49:44 +02:00
Lukas Schauer
1a1cb94a61
added changelog + default config entries for certificate profile selection
2025-04-14 18:41:38 +02:00
Youfu Zhang
5ab8c3806d
implemented certificate profile selection (draft-aaron-acme-profiles-00)
...
https://letsencrypt.org/2025/01/09/acme-profiles/
https://datatracker.ietf.org/doc/html/draft-aaron-acme-profiles-00
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
2025-04-14 18:35:10 +02:00
Lukas Schauer
4ea5081640
renew certificates with 32 days remaining (instead of 30) to avoid issues with monthly cronjobs (fixes #963)
2025-04-11 10:33:07 +02:00
Wilfried Teiken
4fd777e87e
Ignore output of 'openssl req -verify'.
...
Newer versions of openssl seem to send the verify output to stdout instead of
stderr as in the past. Ignore that output when retrieving altnames.
2023-12-05 02:36:40 +01:00
Lukas Schauer
e3ef43c816
fix zsh compatibility (fixes #896)
2023-01-16 22:41:05 +01:00
Alexander Sulfrian
67b111a7b0
Replace all escaped slashes in json strings (closes #866)
...
${var/pattern/string} will only replace the first occurrence. We should
use ${var//pattern/string} to replace all escaped slashes.
2022-10-31 16:27:16 +01:00
Daniel Molkentin
fa68ad8b23
improve man page based on feedback from debian-l10n-english (fixes #873, closes #875)
...
Also propagate changes to dehydrated help and README.md
2022-10-31 16:22:04 +01:00
Lukas Schauer
5c4adf6baa
added note about dehydrated irc channel
2022-10-31 15:46:28 +01:00
Lukas Schauer
35bfea55b6
increase dehydrated version for git master use
2022-10-31 15:46:07 +01:00
Lukas Schauer
ea84199863
release 0.7.1 (it finally happened!)
v0.7.1
2022-10-31 15:12:38 +01:00
Krayon
6091ba4bc2
Add missing checks and fix hexdump output (closes #878)
2022-10-31 15:12:04 +01:00
Lukas Schauer
6fb8eba56a
implemented workaround for retrying on badNonce errors
2022-09-07 15:09:57 +02:00
Simon Deziel
19c7fbbf47
egrep is deprecated
...
egrep has been deprecated since 2007 and warns it's obsolete since:
https://git.savannah.gnu.org/cgit/grep.git/commit/?id=a9515624709865d480e3142fd959bccd1c9372d1
Signed-off-by: Simon Deziel <simon@sdeziel.info>
2022-04-07 21:49:56 +02:00
Lukas Schauer
7128e6b63c
rfc8738: fix CN on certs with mixed ip+dns
2022-04-07 01:34:21 +02:00
Lukas Schauer
861f4c733d
rfc8738: only replace ip with reverse dns thingy if tls-alpn-01 is used
2022-04-07 01:33:48 +02:00
Lukas Schauer
ad3f08084c
implemented rfc 8738 support
2022-04-06 22:23:43 +02:00
Lukas Schauer
784fb806c8
really reverted regression in somehow broken array expansion from e963438c..
2021-11-02 09:05:19 +01:00
Lukas Schauer
b2574b16d1
reverted regression in somehow broken array expansion from e963438c (fixes #850)
2021-11-02 09:01:00 +01:00
Lukas Schauer
da641588ce
removed old logo
2021-11-01 19:25:17 +01:00
Lukas Schauer
8e6ddf6286
readme and (temporary) logo update
2021-11-01 19:22:50 +01:00
Lukas Schauer
8e5977890a
fix regression from e963438c (fixes #849)
2021-11-01 18:57:57 +01:00
Lukas Schauer
3bcf0c7f5a
use noglob helpers for domains.txt.d parsing
2021-11-01 18:57:49 +01:00
Lukas Schauer
b347bc9086
added some changes to changelog
2021-10-31 22:58:06 +01:00
Lukas Schauer
08477170e9
Exit with error if somebody is trying to use EC account keys with ACME v1
2021-10-31 22:36:40 +01:00
Lukas Schauer
f4cf92bae5
extend ec algorithms with secp521r1 (not yet supported by LetsEncrypt, but maybe by other CAs)
2021-10-31 22:31:09 +01:00
Lukas Schauer
93573cda3c
experimental support for ec account keys (fixes #827)
2021-10-31 22:29:44 +01:00
Lukas Schauer
607a6088d3
Avoid writing ec-parameters to private-key file (fixes #830)
2021-10-31 20:20:40 +01:00
Lukas Schauer
880c99aa63
Better solution for issue #845
2021-10-31 20:11:31 +01:00