letsencrypt is phasing out the v1 server:
```
+ ERROR: An error occurred while sending get-request to https://acme-staging.api.letsencrypt.org/directory (Status 403)
Details:
HTTP/2 403
server: nginx
date: Thu, 01 Apr 2021 20:48:17 GMT
content-type: application/problem+json
content-length: 189
etag: "600b3710-bd"
{
"type": "urn:acme:error:serverInternal",
"detail": "ACMEv1 Brownout in Progress. ACMEv1 will fully turn off on June 1, 2021. Check https://letsencrypt.status.io/ for more details."
}
```
- Ensure that all per-certificate settings are saved and restored in
store_configvars() and reset_configvars() - that's what makes them
per-certificate in the first place...
- Add OCSP_FETCH and OCSP_DAYS in the documented list of supported
per-certificate configs, since the code does allow these.
This commit introduces a new cli argument `--force-validation` which,
when used in combination with `--force` ignores valid domain
authorizations and forces a revalidation.
This has been implemented since at least LE seems to have changed some
behavior on valid authorizations. Only the previously validated
authorization-type is reusable, causing dehydrated to error out when
changing from recently validated authorization types while still trying
to force-renew certificates for whatever reason (e.g. changing algorithms).
The cleanup command skips filetypes for which the symlink is broken or
doesn't exist. However, if dehydrated fails, we may end up in exactly
the situation that the symlink doesn't exist (yet). If dehydrated fails
repeatedly, we may end up with a lot of old cert.csr, cert.pem and
privkey.pem files, so we really want to be able to clean them up.
Remove all files if the symlink is broken/missing, instead of skipping
those files.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
libressl did not pick up the implicit host header patches
of OpenSSL 1.1 even in version 3 and thus exhibits the same
behavior as OpenSSL 1.0.
Patch by Chen, Chih-Chia <pigfoot@gmail.com>
Fixes#778
before applying heuristics, use PRETTY_NAME from os-release(3),
which reliably exists on all common linux distributions.
keep the /etc/issue parsing as fallback.
27o