added option to pass environment variables over sudo

Newer versions of openssl seem to send the verify outout to stdout instead of
stderr in the past. Ignore that output when retrieving altnames.

CHANGELOG

@@ -2,11 +2,19 @@
 This file contains a log of major changes in dehydrated
 
 ## [x.x.x] - xxxx-xx-xx
+## Added
+- New config variable `DEHYDRATED_SUDO_ENV` to allow passing environment variables over sudo calls
+
+## [0.7.1] - 2022-10-31
 ## Changed
 - `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
 - Added support for EC secp521r1 algorithm (works with e.g. zerossl)
 - `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
 
+## Fixed
+- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers)
+- Deprecated `egrep` usage has been removed
+
 ## Added
 - Implemented EC for account keys
 - Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)

README.md

@@ -71,7 +71,7 @@ Parameters:
  --ca url/preset                  Use specified CA URL or preset
  --alias certalias                Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
  --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
- --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --force (-x)                     Force certificate renewal even if it is not due to expire within RENEW_DAYS
  --force-validation               Force revalidation of domain names (used in combination with --force)
  --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
  --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
@@ -86,3 +86,9 @@ Parameters:
  --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
  --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
 ```
+
+## Chat
+
+Dehydrated has an official IRC-channel `#dehydrated` on libera.chat that can be used for general discussion and suggestions.
+
+The channel can also be accessed with Matrix using the official libera.chat bridge at `#dehydrated:libera.chat`.

dehydrated

@@ -17,7 +17,7 @@ umask 077 # paranoid umask, we're creating private keys
 exec 3>&-
 exec 4>&-
 
-VERSION="0.7.1"
+VERSION="0.7.2"
 
 # Find directory in which this script is stored by traversing all symbolic links
 SOURCE="${0}"
@@ -143,7 +143,7 @@ jsonsh() {
 
     # Force zsh to expand $A into multiple words
     local is_wordsplit_disabled
-    is_wordsplit_disabled="$(unsetopt 2>/dev/null | grep -c '^shwordsplit$')"
+    is_wordsplit_disabled="$(unsetopt 2>/dev/null | grep -c '^shwordsplit$' || true)"
     if [ "${is_wordsplit_disabled}" != "0" ]; then setopt shwordsplit; fi
     $GREP "$STRING|$NUMBER|$KEYWORD|$SPACE|." | grep -Ev "^$SPACE$"
     if [ "${is_wordsplit_disabled}" != "0" ]; then unsetopt shwordsplit; fi
@@ -217,7 +217,7 @@ jsonsh() {
       '[') parse_array  "$jpath" ;;
       # At this point, the only valid single-character tokens are digits.
       ''|[!0-9]) throw "EXPECTED value GOT ${token:-EOF}" ;;
-      *) value="${token/\\\///}"
+      *) value="${token//\\\///}"
          # replace solidus ("\/") in json strings with normalized value: "/"
          ;;
     esac
@@ -260,7 +260,7 @@ _mktemp() {
 # Check for script dependencies
 check_dependencies() {
   # look for required binaries
-  for binary in grep mktemp diff sed awk curl cut; do
+  for binary in grep mktemp diff sed awk curl cut head tail hexdump; do
     bin_path="$(command -v "${binary}" 2>/dev/null)" || _exiterr "This script requires ${binary}."
     [[ -x "${bin_path}" ]] || _exiterr "${binary} found in PATH but it's not executable"
   done
@@ -390,6 +390,7 @@ load_config() {
   AUTO_CLEANUP="no"
   DEHYDRATED_USER=
   DEHYDRATED_GROUP=
+  DEHYDRATED_SUDO_ENV="no"
   API="auto"
 
   if [[ -z "${CONFIG:-}" ]]; then
@@ -442,8 +443,12 @@ load_config() {
     if [[ -z "${DEHYDRATED_GROUP}" ]]; then
       if [[ "${EUID}" != "${TARGET_UID}" ]]; then
         echo "# INFO: Running $0 as ${DEHYDRATED_USER}"
+        if [ "${DEHYDRATED_SUDO_ENV}" = "yes" ]; then
+          has_sudo && exec sudo -E -H -u "${DEHYDRATED_USER}" "${0}" "${ORIGARGS[@]}"
+        else
           has_sudo && exec sudo -u "${DEHYDRATED_USER}" "${0}" "${ORIGARGS[@]}"
         fi
+      fi
     else
       TARGET_GID="$(getent group "${DEHYDRATED_GROUP}" | cut -d':' -f3)" || _exiterr "DEHYDRATED_GROUP ${DEHYDRATED_GROUP} is invalid"
       if [[ -z "${EGID:-}" ]]; then
@@ -452,9 +457,13 @@ load_config() {
       fi
       if [[ "${EUID}" != "${TARGET_UID}" ]] || [[ "${EGID}" != "${TARGET_GID}" ]]; then
         echo "# INFO: Running $0 as ${DEHYDRATED_USER}/${DEHYDRATED_GROUP}"
+        if [ "${DEHYDRATED_SUDO_ENV}" = "yes" ]; then
+          has_sudo && exec sudo -E -H -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" "${ORIGARGS[@]}"
+        else
           has_sudo && exec sudo -u "${DEHYDRATED_USER}" -g "${DEHYDRATED_GROUP}" "${0}" "${ORIGARGS[@]}"
         fi
       fi
+    fi
   elif [[ -n "${DEHYDRATED_GROUP}" ]]; then
     _exiterr "DEHYDRATED_GROUP can only be used in combination with DEHYDRATED_USER."
   fi
@@ -839,7 +848,7 @@ hex2bin() {
 
 # Convert binary data to hex string
 bin2hex() {
-  hexdump -e '16/1 "%02x"'
+  hexdump -v -e '/1 "%02x"'
 }
 
 # OpenSSL writes to stderr/stdout even when there are no errors. So just
@@ -1011,7 +1020,7 @@ signed_request() {
 extract_altnames() {
   csr="${1}" # the CSR itself (not a file)
 
-  if ! <<<"${csr}" "${OPENSSL}" req -verify -noout 2>/dev/null; then
+  if ! <<<"${csr}" "${OPENSSL}" req -verify -noout >/dev/null 2>&1; then
     _exiterr "Certificate signing request isn't valid"
   fi
 
@@ -2262,7 +2271,7 @@ main() {
         ;;
 
       # PARAM_Usage: --force (-x)
-      # PARAM_Description: Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+      # PARAM_Description: Force certificate renewal even if it is not due to expire within RENEW_DAYS
       --force|-x)
         PARAM_FORCE="yes"
         ;;

docs/examples/config

@@ -16,6 +16,9 @@
 # Which group should dehydrated run as? This will be implicitly enforced when running as root
 #DEHYDRATED_GROUP=
 
+# Should dehydrated pass environment variables over sudo?
+#DEHYDRATED_SUDO_ENV="no"
+
 # Resolve names to addresses of IP version only. (curl)
 # supported values: 4, 6
 # default: <unset>

docs/man/dehydrated.1

@@ -20,8 +20,8 @@ Dehydrated will notify if no account is configured. Run with \fB--register
 
 Next, all domain names must be provided in domains.txt. The format is line
 based: If the file contains two lines "example.com" and "example.net",
-Dehydrated will request two certificate, one for "example.com" and the other
+dehydrated will request two certificate, one for "example.com" and the other
-for "example.net". A single line while "example.com example.net" will request a
+for "example.net". A single line containing "example.com example.net" will request a
 single certificate valid for both "example.net" and "example.com" through the \fISubject
 Alternative Name\fR (SAN) field.
 
@@ -106,7 +106,7 @@ Keep going after encountering an error while creating/renewing multiple
 certificates in cron mode
 .TP
 .BR \-\-force ", " \-x
-Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+Force certificate renewal even if it is not due to expire within RENEW_DAYS
 .TP
 .BR \-\-no\-lock ", " \-n
 Don't use lockfile (potentially dangerous!)