implement workaround for openssl regression (fixes #981)

The introduction of the `-multi` option to the x509 subcommand
introduced a regression to the `-checkend` behaviour, preventing
openssl to correctly indicate the certificate expiry status via
its exit code.

This commit introduces a (maybe temporary) workaround by instead
checking the output string.

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: lukas2511
+custom: ["https://paypal.me/lukas2511", "http://www.amazon.de/registry/wishlist/1TUCFJK35IO4Q"]

.travis.yml

@@ -1,14 +0,0 @@
-sudo: false
-language: shell
-
-os:
-  - linux
-  - osx
-
-cache:
-  directories:
-    - ngrok
-
-script:
-  - export CI="true"
-  - ./test.sh

CHANGELOG

@@ -1,6 +1,119 @@
 # Change Log
 This file contains a log of major changes in dehydrated
 
+## [x.x.x] - xxxx-xx-xx
+## Added
+- Added a configuration parameter to allow for timeouts during domain validation processing (`VALIDATION_TIMEOUT`, defaults to 0 = no timeout)
+
+## Changed
+- Only validate existance of wellknown directory or hook script when actually needed
+- Also allow setting `KEEP_GOING` in config file instead of relying on cli arguments
+- Allow skipping over OCSP stapling errors, indicate that some CAs no longer support OCSP
+- Throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
+
+## [0.7.2] - 2025-05-18
+## Added
+- Implemented support for certificate profile selection
+- Added a configuration parameter to allow for timeouts during order processing (`ORDER_TIMEOUT`, defaults to 0 = no timeout)
+- Allowed for automatic deletion of old files (`AUTO_CLEANUP_DELETE`, disabled by default)
+- Added CA presets for Google Trust Services (prod: google, test: google-test)
+
+## Changed
+- Renew certificates with 32 days remaining (instead of 30) to avoid issues with monthly cronjobs (`RENEW_DAYS=32`)
+
+## Fixed
+- Changed behaviour of `openssl req` stdin handling to fix compatibility with OpenSSL version 3.2+
+
+## [0.7.1] - 2022-10-31
+## Changed
+- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
+- Added support for EC secp521r1 algorithm (works with e.g. zerossl)
+- `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
+
+## Fixed
+- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers)
+- Deprecated `egrep` usage has been removed
+
+## Added
+- Implemented EC for account keys
+- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)
+- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!)
+
+## [0.7.0] - 2020-12-10
+## Added
+- Support for external account bindings
+- Special support for ZeroSSL
+- Support presets for some CAs instead of requiring URLs
+- Allow requesting preferred chain (`--preferred-chain`)
+- Added method to show CAs current terms of service (`--display-terms`)
+- Allow setting path to domains.txt using cli arguments (`--domains-txt`)
+- Added new cli command `--cleanupdelete` which deletes old files instead of archiving them
+
+## Fixed
+- No more silent failures on broken hook-scripts
+- Better error-handling with KEEP_GOING enabled
+- Check actual order status instead of assuming it's valid
+- Don't include keyAuthorization in challenge validation (RFC compliance)
+
+## Changed
+- Using EC secp384r1 as default certificate type
+- Use JSON.sh to parse JSON
+- Use account URL instead of account ID (RFC compliance)
+- Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
+- Added `OCSP_FETCH` and `OCSP_DAYS` to per-certificate configurable options
+- Cleanup now also removes dangling symlinks
+
+## [0.6.5] - 2019-06-26
+## Fixed
+- Fixed broken APIv1 compatibility from last update
+
+## [0.6.4] - 2019-06-25
+## Changed
+- Fetch account ID from Location header instead of account json
+
+## [0.6.3] - 2019-06-25
+## Changed
+- OCSP refresh interval is now configurable
+- Implemented POST-as-GET
+- Call exit_hook on errors (with error-message as first parameter)
+
+## Added
+- Initial support for tls-alpn-01 validation
+- New hook: sync_cert (for syncing certificate files to disk, see example hook description)
+
+## Fixes
+- Fetch account information after registration to avoid missing account id
+
+## [0.6.2] - 2018-04-25
+## Added
+- New deploy_ocsp hook
+- Allow account registration with custom key
+
+## Changed
+- Don't walk certificate chain for ACMEv2 (certificate contains chain by default)
+- Improved documentation on wildcards
+
+## Fixes
+- Added workaround for compatibility with filesystem ACLs
+- Close unwanted external file-descriptors
+- Fixed JSON parsing on force-renewal
+- Fixed cleanup of challenge files/dns-entries on validation errors
+- A few more minor fixes
+
+## [0.6.1] - 2018-03-13
+## Changed
+- Use new ACME v2 endpoint by default
+
+## [0.6.0] - 2018-03-11
+## Changed
+- Challenge validation loop has been modified to loop over authorization identifiers instead of altnames (ACMEv2 + wildcard support)
+- Removed LICENSE parameter from config (terms of service is now acquired directly from the CA directory)
+
+## Added
+- Support for ACME v02 (including wildcard certificates!)
+- New hook: generate_csr (see example hook script for more information)
+- Calling random hook on startup to make it clear to hook script authors that unknown hooks should just be ignored...
+
 ## [0.5.0] - 2018-01-13
 ## Changed
 - Certificate chain is now cached (CHAINCACHE)

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2017 Lukas Schauer
+Copyright (c) 2015-2021 Lukas Schauer
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,20 +1,23 @@
-# dehydrated
+# dehydrated [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=23P9DSJBTY7C8)
 
-![](docs/logo.jpg)
+![](docs/logo.png)
 
-This is a client for signing certificates with an ACME-server (currently only provided by Let's Encrypt) implemented as a relatively simple bash-script.
+Dehydrated is a client for signing certificates with an ACME-server (e.g. Let's Encrypt) implemented as a relatively simple (zsh-compatible) bash-script.
+This client supports both ACME v1 and the new ACME v2 including support for wildcard certificates!
 
 It uses the `openssl` utility for everything related to actually handling keys and certificates, so you need to have that installed.
 
-Other dependencies are: cURL, sed, grep, mktemp (all found on almost any system, cURL being the only exception)
+Other dependencies are: cURL, sed, grep, awk, mktemp (all found pre-installed on almost any system, cURL being the only exception).
 
 Current features:
-- Signing of a list of domains
-- Signing of a CSR
-- Renewal if a certificate is about to expire or SAN (subdomains) changed
+- Signing of a list of domains (including wildcard domains!)
+- Signing of a custom CSR (either standalone or completely automated using hooks!)
+- Renewal if a certificate is about to expire or defined set of domains changed
 - Certificate revocation
+- and lots more..
 
-Please keep in mind that this software and even the acme-protocol are relatively young and may still have some unresolved issues. Feel free to report any issues you find with this script or contribute by submitting a pull request.
+Please keep in mind that this software, the ACME-protocol and all supported CA servers out there are relatively young and there might be a few issues. Feel free to report any issues you find with this script or contribute by submitting a pull request,
+but please check for duplicates first (feel free to comment on those to get things rolling).
 
 ## Getting started
 
@@ -47,12 +50,15 @@ Default command: help
 
 Commands:
  --version (-v)                   Print version information
+ --display-terms                  Display current terms of service
  --register                       Register account key
  --account                        Update account contact information
  --cron (-c)                      Sign/renew non-existent/changed/expiring certificates.
  --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
  --revoke (-r) path/to/cert.pem   Revoke specified certificate
+ --deactivate                     Deactivate account
  --cleanup (-gc)                  Move unused certificate files to archive directory
+ --cleanup-delete (-gcd)          Deletes (!) unused certificate files
  --help (-h)                      Show help text
  --env (-e)                       Output configuration variables for use in other scripts
 
@@ -62,47 +68,30 @@ Parameters:
  --ipv4 (-4)                      Resolve names to IPv4 addresses only
  --ipv6 (-6)                      Resolve names to IPv6 addresses only
  --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
+ --ca url/preset                  Use specified CA URL or preset
  --alias certalias                Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
  --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
- --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --force (-x)                     Force certificate renewal even if it is not due to expire within RENEW_DAYS
+ --force-validation               Force revalidation of domain names (used in combination with --force)
  --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
  --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
  --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
  --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
+ --domains-txt path/to/domains.txt Use specified domains.txt instead of default/configured one
  --config (-f) path/to/config     Use specified config file
  --hook (-k) path/to/hook.sh      Use specified script for hooks
+ --preferred-chain issuer-cn      Use alternative certificate chain identified by issuer CN
  --out (-o) certs/directory       Output certificates into the specified directory
- --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
+ --alpn alpn-certs/directory      Output alpn verification certificates into the specified directory
+ --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
  --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+ --acme-profile profile_name      Use specified ACME profile
+ --order-timeout seconds          Amount of seconds to wait for processing of order until erroring out
+ --validation-timeout seconds     Amount of seconds to wait for processing of domain validations until erroring out
 ```
 
-## Donate
+## Chat
 
-I'm having fun developing dehydrated, but it takes time, and time is money, at least that's what I've been told.
-
-I will definitively continue developing dehydrated for free, but if you want to support me you can do so using the following ways:
-
-### PayPal
-
-[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=23P9DSJBTY7C8)
-
-### BitCoin
-
-Send bitcoins to 12487bHxcrREffTGwUDnoxF1uYxCA7ztKK
-
-### Server
-
-I'm still planning on building a bigger testing-suite for dehydrated, it would be really cool to have a big(ish) server running
-in a datacenter somewhere without having to pay for it... If you are a server provider and can offer me a (dedicated!) machine,
-please contact me at `donations@dehydrated.de`.
-
-### Other ways
-
-I always like to play around with modern(ish) network and computer gear, 10G switches and stuff, modern ARM boards
-(but please not that Raspberry Pi rubbish), tiny PCs for routing, etc.
-
-If you have something that seems of value and that you don't need anymore feel free to contact me at
-`donations@dehydrated.de`.
-
-Also here is my [Amazon Wishlist](http://www.amazon.de/registry/wishlist/1TUCFJK35IO4Q) :)
+Dehydrated has an official IRC-channel `#dehydrated` on libera.chat that can be used for general discussion and suggestions.
 
+The channel can also be accessed with Matrix using the official libera.chat bridge at `#dehydrated:libera.chat`.

docs/acme-v1.md

@@ -0,0 +1,19 @@
+## (Future) Removal of API version 1
+
+The ACME API version 1 was never really standardized and was only supported by Let's Encrypt. Even though the protocol specification was public,
+it wasn't really friendly to be integrated into existing CA systems so initial adoption was basically non-existant.
+
+ACME version 2 is being designed to overcome these issues by becoming an official IETF standard and supporting a more traditional approach of account
+and order management in the backend, making it friendlier to integrate into existing systems centered around those. It has since become a semi-stable IETF
+standard draft which only ever got two breaking changes, Content-Type enforcement and `POST-as-GET`, the latter being announced in October 2018 to be enforced
+by November 2019. See https://datatracker.ietf.org/wg/acme/documents/ for a better insight into the draft and its changes.
+
+Next to backend changes that many users won't really care about ACME v2 has all of the features ACME v1 had, but also some additional new features like
+e.g. support for [wildcard certificates](domains_txt.md#wildcards).
+
+Since ACME v2 is basically to be considered stable and ACME v1 has no real benefits over v2, there doesn't seem to be much of a reason to keep the old
+protocol around, but since there actually are a few Certificate Authorities and resellers that implemented the v1 protocol and didn't yet make the change
+to v2, so dehydrated still supports the old protocol for now.
+
+Please keep in mind that support for the old ACME protocol version 1 might get removed at any point of bigger inconvenience, e.g. on code changes that
+would require a lot of work or ugly workarounds to keep both versions supported.

docs/dns-verification.md

@@ -28,4 +28,4 @@ Or when you do have a DNS API, pass the details accordingly to achieve the same
 
 You can delete the TXT record when called with operation `clean_challenge`, when $2 is also the domain name.
 
-Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks)
+Here are some examples: [Examples for DNS-01 hooks](https://github.com/dehydrated-io/dehydrated/wiki)

docs/domains_txt.md

@@ -1,19 +1,107 @@
-### domains.txt
+## domains.txt
 
-dehydrated uses the file `domains.txt` as configuration for which certificates should be requested.
+dehydrated uses the file `domains.txt` as configuration for which certificates
+should be requested.
 
 The file should have the following format:
 
 ```text
+example.org
 example.com www.example.com
 example.net www.example.net wiki.example.net
+```
+
+This states that there are the following certificates:
+  * `example.org` without any *alternative names*
+  * `example.com` with an *alternative name* of `www.example.com`
+  * `example.net` with the *alternative names*: `www.example.net` and
+    `wiki.example.net`
+
+### Aliases
+
+You can define an *alias* for your certificate which will (instead of the
+primary domain) be used as the directory name under your `CERTDIR` and for a
+per-certificate lookup. This is done using the `>` character.  This allows
+multiple certificates with identical sets of domains but different
+configuration to exist.
+
+Here is an example of using an *alias* called `certalias` for creating the
+certificate for `example.net` with *alternative names* `www.example.net` and
+`wiki.example.net`. The certificate will be stored in the directory `certalias`
+under your `CERTDIR`.
+
+```text
 example.net www.example.net wiki.example.net > certalias
 ```
 
-This states that there should be two certificates `example.com` and `example.net`,
-with the other domains in the corresponding line being their alternative names.
+This allows to set per certificates options. The options you can change are
+explained in [Per Certificate Config](per-certificate-config.md).
 
-You can define an alias for your certificate which will (instead of the primary domain) be
-used as directory name under your certdir and for a per-certificate lookup.
-This allows multiple certificates with identical sets of domains but different configuration
-to exist.
+If you want to create different certificate types for the same domain
+you can use:
+
+```text
+*.service.example.org service.example.org  > star_service_example_org_rsa
+*.service.example.org service.example.org  > star_service_example_org_ecdsa
+```
+
+Then add a config file `certs/star_service_example_org_rsa/config` with
+the value
+
+```
+KEY_ALGO="rsa"
+```
+
+or respectively
+
+```
+KEY_ALGO="ecdsa"
+```
+
+### Wildcards
+
+Support for wildcards was added by the ACME v2 protocol.
+
+Certificates with a wildcard domain as the first (or only) name require an
+*alias* to be set.  *Aliases* can't start with `*.`.
+
+For example to create the wildcard for `*.service.example.com` your
+`domains.txt` could use the *alias* method like this:
+
+```text
+*.service.example.com > star_service_example_com
+```
+
+This creates a wildcard certificate for only `*.service.example.com` and will
+store it in the directory `star_service_example_com` under your `CERTDIR`. As a
+note this certificate will **NOT** be valid for `service.example.com` but only
+for `*.service.example.com`. So it would, for example, be valid for
+`foo.service.example.com`.
+
+
+Another way to create it is using *alternative names*. For example your
+`domains.txt` could do this:
+
+```text
+service.example.com *.service.example.com
+eggs.example.com *.ham.example.com
+```
+
+This creates two certificates one for `service.example.com` with an
+*alternative name* of `*.service.example.com` and a second certificate for
+`eggs.example.com` with an *alternative name* of `*.ham.example.com`.
+
+**Note:** The first certificate is valid for both `service.example.com` and for
+`*.service.example.com` which can be a useful way to create wildcard
+certificates.
+
+### Drop-in directory
+
+If a directory named `domains.txt.d` exists in the same location as
+`domains.txt`, the contents of `*.txt` files in that directory are appended to
+the list of domains, in alphabetical order of the filenames. This is useful for
+automation, as it doesn't require editing an existing file to add new domains.
+
+Warning: Behaviour of this might change as the naming between `domains.txt.d`
+and the `DOMAINS_D` config variable (which is used for per-certificate
+configuration) is a bit confusing.

docs/examples/config

@@ -10,10 +10,10 @@
 # Default values of this config are in comments        #
 ########################################################
 
-# Which user should dehydrated run as? This will be implictly enforced when running as root
+# Which user should dehydrated run as? This will be implicitly enforced when running as root
 #DEHYDRATED_USER=
 
-# Which group should dehydrated run as? This will be implictly enforced when running as root
+# Which group should dehydrated run as? This will be implicitly enforced when running as root
 #DEHYDRATED_GROUP=
 
 # Resolve names to addresses of IP version only. (curl)
@@ -21,16 +21,19 @@
 # default: <unset>
 #IP_VERSION=
 
-# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
-#CA="https://acme-v01.api.letsencrypt.org/directory"
+# URL to certificate authority or internal preset
+# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
+# default: letsencrypt
+#CA="letsencrypt"
 
-# Path to certificate authority license terms redirect (default: https://acme-v01.api.letsencrypt.org/terms)
-#CA_TERMS="https://acme-v01.api.letsencrypt.org/terms"
+# Path to old certificate authority
+# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
+# If dehydrated detects an account-key for the old CA it will automatically reuse that key
+# instead of registering a new one.
+# default: https://acme-v01.api.letsencrypt.org/directory
+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
 
-# Path to license agreement (default: <unset>)
-#LICENSE=""
-
-# Which challenge should be used? Currently http-01 and dns-01 are supported
+# Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported
 #CHALLENGETYPE="http-01"
 
 # Path to a directory containing additional config files, allowing to override
@@ -39,6 +42,11 @@
 # default: <unset>
 #CONFIG_D=
 
+# Directory for per-domain configuration files.
+# If not set, per-domain configurations are sourced from each certificates output directory.
+# default: <unset>
+#DOMAINS_D=
+
 # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
 #BASEDIR=$SCRIPTDIR
 
@@ -48,6 +56,9 @@
 # Output directory for generated certificates
 #CERTDIR="${BASEDIR}/certs"
 
+# Output directory for alpn verification certificates
+#ALPNCERTDIR="${BASEDIR}/alpn-certs"
+
 # Directory for account keys and registration information
 #ACCOUNTDIR="${BASEDIR}/accounts"
 
@@ -81,8 +92,8 @@
 # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
 #HOOK_CHAIN="no"
 
-# Minimum days before expiration to automatically renew certificate (default: 30)
-#RENEW_DAYS="30"
+# Minimum days before expiration to automatically renew certificate (default: 32)
+#RENEW_DAYS="32"
 
 # Regenerate private keys instead of just signing new certificates on renewal (default: yes)
 #PRIVATE_KEY_RENEW="yes"
@@ -91,7 +102,7 @@
 #PRIVATE_KEY_ROLLOVER="no"
 
 # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
-#KEY_ALGO=rsa
+#KEY_ALGO=secp384r1
 
 # E-mail to use during the registration (default: <unset>)
 #CONTACT_EMAIL=
@@ -105,8 +116,29 @@
 # Fetch OCSP responses (default: no)
 #OCSP_FETCH="no"
 
+# OCSP refresh interval (default: 5 days)
+#OCSP_DAYS=5
+
 # Issuer chain cache directory (default: $BASEDIR/chains)
 #CHAINCACHE="${BASEDIR}/chains"
 
 # Automatic cleanup (default: no)
 #AUTO_CLEANUP="no"
+
+# Delete files during automatic cleanup instead of moving to archive (default: no)
+#AUTO_CLEANUP_DELETE="no"
+
+# ACME API version (default: auto)
+#API=auto
+
+# Preferred issuer chain (default: <unset> -> uses default chain)
+#PREFERRED_CHAIN=
+
+# Request certificate with specific profile (default: <unset>)
+#ACME_PROFILE=
+
+# Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
+#ORDER_TIMEOUT=0
+
+# Skip over errors during certificate orders and updating of OCSP stapling information (default: no)
+#KEEP_GOING=no

docs/examples/domains.txt

@@ -1,2 +1,39 @@
+# Create certificate for 'example.org' with an alternative name of
+# 'www.example.org'. It will be stored in the directory ${CERT_DIR}/example.org
 example.org www.example.org
+
+# Create certificate for 'example.com' with alternative names of
+# 'www.example.com' & 'wiki.example.com'. It will be stored in the directory
+# ${CERT_DIR}/example.com
 example.com www.example.com wiki.example.com
+
+# Using the alias 'certalias' create certificate for 'example.net' with
+# alternate name 'www.example.net' and store it in the directory
+# ${CERTDIR}/certalias
+example.net www.example.net > certalias
+
+# Using the alias 'service_example_com' create a wildcard certificate for
+# '*.service.example.com' and store it in the directory
+# ${CERTDIR}/service_example_com
+# NOTE: It is NOT a certificate for 'service.example.com'
+*.service.example.com > service_example_com
+
+# Using the alias 'star_service_example_org' create a wildcard certificate for
+# '*.service.example.org' with an alternative name of `service.example.org'
+# and store it in the directory ${CERTDIR}/star_service_example_org
+# NOTE: It is a certificate for 'service.example.org'
+*.service.example.org service.example.org  > star_service_example_org
+
+# Optionally you can also append the certificate algorithm here to create
+# multiple certificate types for the same domain.
+#
+# This allows to set per certificates options. How to do this is
+# explained in [domains.txt documentation](domains_txt.md).
+#
+*.service.example.org service.example.org  > star_service_example_org_rsa
+*.service.example.org service.example.org  > star_service_example_org_ecdsa
+
+# Create a certificate for 'service.example.net' with an alternative name of
+# '*.service.example.net' (which is a wildcard domain) and store it in the
+# directory ${CERTDIR}/service.example.net
+service.example.net *.service.example.net

docs/examples/hook.sh

@@ -1,108 +1,199 @@
 #!/usr/bin/env bash
 
 deploy_challenge() {
-    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+  local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
 
-    # This hook is called once for every domain that needs to be
-    # validated, including any alternative names you may have listed.
-    #
-    # Parameters:
-    # - DOMAIN
-    #   The domain name (CN or subject alternative name) being
-    #   validated.
-    # - TOKEN_FILENAME
-    #   The name of the file containing the token to be served for HTTP
-    #   validation. Should be served by your web server as
-    #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
-    # - TOKEN_VALUE
-    #   The token value that needs to be served for validation. For DNS
-    #   validation, this is what you want to put in the _acme-challenge
-    #   TXT record. For HTTP validation it is the value that is expected
-    #   be found in the $TOKEN_FILENAME file.
+  # This hook is called once for every domain that needs to be
+  # validated, including any alternative names you may have listed.
+  #
+  # Parameters:
+  # - DOMAIN
+  #   The domain name (CN or subject alternative name) being
+  #   validated.
+  # - TOKEN_FILENAME
+  #   The name of the file containing the token to be served for HTTP
+  #   validation. Should be served by your web server as
+  #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
+  # - TOKEN_VALUE
+  #   The token value that needs to be served for validation. For DNS
+  #   validation, this is what you want to put in the _acme-challenge
+  #   TXT record. For HTTP validation it is the value that is expected
+  #   be found in the $TOKEN_FILENAME file.
+
+  # Simple example: Use nsupdate with local named
+  # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
 }
 
 clean_challenge() {
-    local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
+  local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
 
-    # This hook is called after attempting to validate each domain,
-    # whether or not validation was successful. Here you can delete
-    # files or DNS records that are no longer needed.
-    #
-    # The parameters are the same as for deploy_challenge.
+  # This hook is called after attempting to validate each domain,
+  # whether or not validation was successful. Here you can delete
+  # files or DNS records that are no longer needed.
+  #
+  # The parameters are the same as for deploy_challenge.
+
+  # Simple example: Use nsupdate with local named
+  # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
+}
+
+sync_cert() {
+  local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
+
+  # This hook is called after the certificates have been created but before
+  # they are symlinked. This allows you to sync the files to disk to prevent
+  # creating a symlink to empty files on unexpected system crashes.
+  #
+  # This hook is not intended to be used for further processing of certificate
+  # files, see deploy_cert for that.
+  #
+  # Parameters:
+  # - KEYFILE
+  #   The path of the file containing the private key.
+  # - CERTFILE
+  #   The path of the file containing the signed certificate.
+  # - FULLCHAINFILE
+  #   The path of the file containing the full certificate chain.
+  # - CHAINFILE
+  #   The path of the file containing the intermediate certificate(s).
+  # - REQUESTFILE
+  #   The path of the file containing the certificate signing request.
+
+  # Simple example: sync the files before symlinking them
+  # sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
 }
 
 deploy_cert() {
-    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
+  local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
 
-    # This hook is called once for each certificate that has been
-    # produced. Here you might, for instance, copy your new certificates
-    # to service-specific locations and reload the service.
-    #
-    # Parameters:
-    # - DOMAIN
-    #   The primary domain name, i.e. the certificate common
-    #   name (CN).
-    # - KEYFILE
-    #   The path of the file containing the private key.
-    # - CERTFILE
-    #   The path of the file containing the signed certificate.
-    # - FULLCHAINFILE
-    #   The path of the file containing the full certificate chain.
-    # - CHAINFILE
-    #   The path of the file containing the intermediate certificate(s).
-    # - TIMESTAMP
-    #   Timestamp when the specified certificate was created.
+  # This hook is called once for each certificate that has been
+  # produced. Here you might, for instance, copy your new certificates
+  # to service-specific locations and reload the service.
+  #
+  # Parameters:
+  # - DOMAIN
+  #   The primary domain name, i.e. the certificate common
+  #   name (CN).
+  # - KEYFILE
+  #   The path of the file containing the private key.
+  # - CERTFILE
+  #   The path of the file containing the signed certificate.
+  # - FULLCHAINFILE
+  #   The path of the file containing the full certificate chain.
+  # - CHAINFILE
+  #   The path of the file containing the intermediate certificate(s).
+  # - TIMESTAMP
+  #   Timestamp when the specified certificate was created.
+
+  # Simple example: Copy file to nginx config
+  # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
+  # systemctl reload nginx
 }
 
-unchanged_cert() {
-    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
+deploy_ocsp() {
+  local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
 
-    # This hook is called once for each certificate that is still
-    # valid and therefore wasn't reissued.
-    #
-    # Parameters:
-    # - DOMAIN
-    #   The primary domain name, i.e. the certificate common
-    #   name (CN).
-    # - KEYFILE
-    #   The path of the file containing the private key.
-    # - CERTFILE
-    #   The path of the file containing the signed certificate.
-    # - FULLCHAINFILE
-    #   The path of the file containing the full certificate chain.
-    # - CHAINFILE
-    #   The path of the file containing the intermediate certificate(s).
+  # This hook is called once for each updated ocsp stapling file that has
+  # been produced. Here you might, for instance, copy your new ocsp stapling
+  # files to service-specific locations and reload the service.
+  #
+  # Parameters:
+  # - DOMAIN
+  #   The primary domain name, i.e. the certificate common
+  #   name (CN).
+  # - OCSPFILE
+  #   The path of the ocsp stapling file
+  # - TIMESTAMP
+  #   Timestamp when the specified ocsp stapling file was created.
+
+  # Simple example: Copy file to nginx config
+  # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
+  # systemctl reload nginx
+}
+
+
+unchanged_cert() {
+  local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
+
+  # This hook is called once for each certificate that is still
+  # valid and therefore wasn't reissued.
+  #
+  # Parameters:
+  # - DOMAIN
+  #   The primary domain name, i.e. the certificate common
+  #   name (CN).
+  # - KEYFILE
+  #   The path of the file containing the private key.
+  # - CERTFILE
+  #   The path of the file containing the signed certificate.
+  # - FULLCHAINFILE
+  #   The path of the file containing the full certificate chain.
+  # - CHAINFILE
+  #   The path of the file containing the intermediate certificate(s).
 }
 
 invalid_challenge() {
-    local DOMAIN="${1}" RESPONSE="${2}"
+  local DOMAIN="${1}" RESPONSE="${2}"
 
-    # This hook is called if the challenge response has failed, so domain
-    # owners can be aware and act accordingly.
-    #
-    # Parameters:
-    # - DOMAIN
-    #   The primary domain name, i.e. the certificate common
-    #   name (CN).
-    # - RESPONSE
-    #   The response that the verification server returned
+  # This hook is called if the challenge response has failed, so domain
+  # owners can be aware and act accordingly.
+  #
+  # Parameters:
+  # - DOMAIN
+  #   The primary domain name, i.e. the certificate common
+  #   name (CN).
+  # - RESPONSE
+  #   The response that the verification server returned
+
+  # Simple example: Send mail to root
+  # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
 }
 
 request_failure() {
-    local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}"
+  local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
 
-    # This hook is called when an HTTP request fails (e.g., when the ACME
-    # server is busy, returns an error, etc). It will be called upon any
-    # response code that does not start with '2'. Useful to alert admins
-    # about problems with requests.
-    #
-    # Parameters:
-    # - STATUSCODE
-    #   The HTML status code that originated the error.
-    # - REASON
-    #   The specified reason for the error.
-    # - REQTYPE
-    #   The kind of request that was made (GET, POST...)
+  # This hook is called when an HTTP request fails (e.g., when the ACME
+  # server is busy, returns an error, etc). It will be called upon any
+  # response code that does not start with '2'. Useful to alert admins
+  # about problems with requests.
+  #
+  # Parameters:
+  # - STATUSCODE
+  #   The HTML status code that originated the error.
+  # - REASON
+  #   The specified reason for the error.
+  # - REQTYPE
+  #   The kind of request that was made (GET, POST...)
+  # - HEADERS
+  #   HTTP headers returned by the CA
+
+  # Simple example: Send mail to root
+  # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
+}
+
+generate_csr() {
+  local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
+
+  # This hook is called before any certificate signing operation takes place.
+  # It can be used to generate or fetch a certificate signing request with external
+  # tools.
+  # The output should be just the certificate signing request formatted as PEM.
+  #
+  # Parameters:
+  # - DOMAIN
+  #   The primary domain as specified in domains.txt. This does not need to
+  #   match with the domains in the CSR, it's basically just the directory name.
+  # - CERTDIR
+  #   Certificate output directory for this particular certificate. Can be used
+  #   for storing additional files.
+  # - ALTNAMES
+  #   All domain names for the current certificate as specified in domains.txt.
+  #   Again, this doesn't need to match with the CSR, it's just there for convenience.
+
+  # Simple example: Look for pre-generated CSRs
+  # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
+  #   cat "${CERTDIR}/pre-generated.csr"
+  # fi
 }
 
 startup_hook() {
@@ -113,13 +204,17 @@ startup_hook() {
 }
 
 exit_hook() {
+  local ERROR="${1:-}"
+
   # This hook is called at the end of the cron command and can be used to
   # do some final (cleanup or other) tasks.
-
-  :
+  #
+  # Parameters:
+  # - ERROR
+  #   Contains error message if dehydrated exits with error
 }
 
 HANDLER="$1"; shift
-if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|deploy_cert|unchanged_cert|invalid_challenge|request_failure|startup_hook|exit_hook)$ ]]; then
+if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
   "$HANDLER" "$@"
 fi

docs/hook_chain.md

@@ -60,4 +60,3 @@ HOOK: clean_challenge lukas.im blablabla blablabla.supersecure www.lukas.im blub
 HOOK: deploy_cert lukas.im /etc/dehydrated/certs/lukas.im/privkey.pem /etc/dehydrated/certs/lukas.im/cert.pem /etc/dehydrated/certs/lukas.im/fullchain.pem /etc/dehydrated/certs/lukas.im/chain.pem 1460152408
  + Done!
 ```
-

docs/import-from-official-client.md

@@ -1,3 +0,0 @@
-# Import
-
-If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/dehydrated/wiki/Import-from-official-letsencrypt-client).

docs/man/dehydrated.1

@@ -1,4 +1,4 @@
-.TH DEHYDRATED 1 2017-09-20 "Dehydrated ACME Client"
+.TH DEHYDRATED 1 2018-01-13 "Dehydrated ACME Client"
 .SH NAME
 dehydrated \- ACME client implemented as a shell-script
 .SH SYNOPSIS
@@ -7,8 +7,8 @@ dehydrated \- ACME client implemented as a shell-script
 [\fBargument\fR [\fBargument\fR]]
 .IR ...
 .SH DESCRIPTION
-A client for ACME-based Certificate Authorities, such as LetsEncrypt.  It
-allows to request and obtain TLS certificates from an ACME-based
+A client for ACME-based Certificate Authorities, such as LetsEncrypt.  It can
+be used to request and obtain TLS certificates from an ACME-based
 certificate authority.
 
 Before any certificates can be requested, Dehydrated needs
@@ -20,13 +20,13 @@ Dehydrated will notify if no account is configured. Run with \fB--register
 
 Next, all domain names must be provided in domains.txt. The format is line
 based: If the file contains two lines "example.com" and "example.net",
-Dehydrated will request two certificate, one for "example.com" and the other
-for "example.net". A single line while "example.com example.net" will request a
+dehydrated will request two certificate, one for "example.com" and the other
+for "example.net". A single line containing "example.com example.net" will request a
 single certificate valid for both "example.net" and "example.com" through the \fISubject
 Alternative Name\fR (SAN) field.
 
 For the next step, one way of verifying domain name ownership needs to be
-configured.  Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification. 
+configured.  Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification.
 
 The \fIhttp-01\fR verification provides proof of ownership by providing a
 challenge token. In order to do that, the directory referenced in the
@@ -106,7 +106,7 @@ Keep going after encountering an error while creating/renewing multiple
 certificates in cron mode
 .TP
 .BR \-\-force ", " \-x
-Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+Force certificate renewal even if it is not due to expire within RENEW_DAYS
 .TP
 .BR \-\-no\-lock ", " \-n
 Don't use lockfile (potentially dangerous!)
@@ -139,17 +139,17 @@ secp384r1
 The program exits 0 if everything was fine, 1 if an error occurred.
 .SH BUGS
 Please report any bugs that you may encounter at the project web site
-.UR https://github.com/lukas2511/dehydrated/issues
+.UR https://github.com/dehydrated-io/dehydrated/issues
 .UE .
 .SH AUTHOR
 Dehydrated was written by Lukas Schauer. This man page was contributed by
 Daniel Molkentin.
 .SH COPYRIGHT
-Copyright 20015-2017 by Lukas Schauer and the respective contributors.
+Copyright 2015-2018 by Lukas Schauer and the respective contributors.
 Provided under the MIT License. See the LICENSE file that accompanies the
 distribution for licensing information.
 .SH SEE ALSO
 Full documentation along with configuration examples are provided in the \fIdocs\fR
 directory of the distribution, or at
-.UR https://github.com/lukas2511/dehydrated/tree/master/docs
+.UR https://github.com/dehydrated-io/dehydrated/tree/master/docs
 .UE .

docs/per-certificate-config.md

@@ -7,15 +7,19 @@ To use this feature create a `config` file in the certificates output directory
 Currently supported options:
 
 - PRIVATE_KEY_RENEW
+- PRIVATE_KEY_ROLLOVER
 - KEY_ALGO
 - KEYSIZE
 - OCSP_MUST_STAPLE
+- OCSP_FETCH
+- OCSP_DAYS
 - CHALLENGETYPE
 - HOOK
 - HOOK_CHAIN
 - WELLKNOWN
 - OPENSSL_CNF
 - RENEW_DAYS
+- PREFERRED_CHAIN
 
 ## DOMAINS_D
 

docs/staging.md

@@ -8,6 +8,7 @@ you will quickly hit these limits and find yourself locked out.
 To avoid this, please set the CA property to the Let’s Encrypt staging server URL in your config file:
 
 ```bash
-CA="https://acme-staging.api.letsencrypt.org/directory"
-CA_TERMS="https://acme-staging.api.letsencrypt.org/terms"
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 ```
+
+Alternatively you can define the CA using the CLI argument `--ca letsencrypt-test` (`letsencrypt-test` is an integrated preset-CA corresponding to the URL above).

docs/tls-alpn.md

@@ -0,0 +1,124 @@
+# TLS-ALPN-01
+
+With `tls-alpn-01`-type verification Let's Encrypt (or the ACME-protocol in general) is checking if you are in control of a domain by accessing
+your webserver using a custom ALPN and expecting a specially crafted TLS certificate containing a verification token.
+It will do that for any (sub-)domain you want to sign a certificate for.
+
+Dehydrated generates the required verification certificates, but the delivery is out of its scope.
+
+### Example lighttpd config
+
+lighttpd can be configured to recognize ALPN `acme-tls/1` and to respond to such
+requests using the specially crafted TLS certificates generated by dehydrated.
+Configure lighttpd and dehydrated to use the same path for these certificates.
+(Be sure to allow read access to the user account under which the lighttpd
+server is running.) `mkdir -p /etc/dehydrated/alpn-certs`
+
+lighttpd.conf:
+```
+ssl.acme-tls-1 = "/etc/dehydrated/alpn-certs"
+```
+
+When renewing certificates, specify `-t tls-alpn-01` and `--alpn /etc/dehydrated/alpn-certs` to dehydrated, e.g.
+```
+dehydrated -t tls-alpn-01 --alpn /etc/dehydrated/alpn-certs -c --out /etc/lighttpd/certs -d www.example.com
+# gracefully reload lighttpd to use the new certificates by sending lighttpd pid SIGUSR1
+systemctl reload lighttpd
+```
+
+### Example nginx config
+
+On an nginx tcp load-balancer you can use the `ssl_preread` module to map a different port for acme-tls
+requests than for e.g. HTTP/2 or HTTP/1.1 requests.
+
+Your config should look something like this:
+
+```nginx
+stream {
+  map $ssl_preread_alpn_protocols $tls_port {
+    ~\bacme-tls/1\b 10443;
+    default 443;
+  }
+
+  server {
+    listen 443;
+    listen [::]:443;
+    proxy_pass 10.13.37.42:$tls_port;
+    ssl_preread on;
+  }
+}
+```
+
+That way https requests are forwarded to port 443 on the backend server, and acme-tls/1 requests are
+forwarded to port 10443.
+
+In the future nginx might support internal routing based on custom ALPNs, but for now you'll have to
+use a custom responder for the alpn verification certificates (see below).
+
+### Example responder
+
+I hacked together a simple responder in Python, it might not be the best, but it works for me:
+
+```python
+#!/usr/bin/env python3
+
+import ssl
+import socketserver
+import threading
+import re
+import os
+
+ALPNDIR="/etc/dehydrated/alpn-certs"
+PROXY_PROTOCOL=False
+
+FALLBACK_CERTIFICATE="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+FALLBACK_KEY="/etc/ssl/private/ssl-cert-snakeoil.key"
+
+class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
+    pass
+
+class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler):
+    def create_context(self, certfile, keyfile, first=False):
+        ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        ssl_context.set_ciphers('ECDHE+AESGCM')
+        ssl_context.set_alpn_protocols(["acme-tls/1"])
+        ssl_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+        if first:
+            ssl_context.set_servername_callback(self.load_certificate)
+        ssl_context.load_cert_chain(certfile=certfile, keyfile=keyfile)
+        return ssl_context
+
+    def load_certificate(self, sslsocket, sni_name, sslcontext):
+        print("Got request for %s" % sni_name)
+        if not re.match(r'^(([a-zA-Z]{1})|([a-zA-Z]{1}[a-zA-Z]{1})|([a-zA-Z]{1}[0-9]{1})|([0-9]{1}[a-zA-Z]{1})|([a-zA-Z0-9][-_.a-zA-Z0-9]{0,61}[a-zA-Z0-9]))\.([a-zA-Z]{2,13}|[a-zA-Z0-9-]{2,30}.[a-zA-Z]{2,3})$', sni_name):
+            return
+
+        certfile = os.path.join(ALPNDIR, "%s.crt.pem" % sni_name)
+        keyfile = os.path.join(ALPNDIR, "%s.key.pem" % sni_name)
+
+        if not os.path.exists(certfile) or not os.path.exists(keyfile):
+            return
+
+        sslsocket.context = self.create_context(certfile, keyfile)
+
+    def handle(self):
+        if PROXY_PROTOCOL:
+            buf = b""
+            while b"\r\n" not in buf:
+                buf += self.request.recv(1)
+
+        ssl_context = self.create_context(FALLBACK_CERTIFICATE, FALLBACK_KEY, True)
+        newsock = ssl_context.wrap_socket(self.request, server_side=True)
+
+if __name__ == "__main__":
+    HOST, PORT = "0.0.0.0", 10443
+
+    server = ThreadedTCPServer((HOST, PORT), ThreadedTCPRequestHandler, bind_and_activate=False)
+    server.allow_reuse_address = True
+    try:
+        server.server_bind()
+        server.server_activate()
+        server.serve_forever()
+    except:
+        server.shutdown()
+```

docs/troubleshooting.md

@@ -11,12 +11,6 @@ the current workaround is to move `private_key.pem` (and, if you care, `private_
 
 This will hopefully be fixed in the future.
 
-## "Provided agreement URL [LICENSE1] does not match current agreement URL [LICENSE2]"
-
-Set LICENSE in your config to the value in place of "LICENSE2".
-
-LICENSE1 and LICENSE2 are just placeholders for the real values in this troubleshooting document!
-
 ## "Error creating new cert :: Too many certificates already issued for: [...]"
 
 This is not an issue with dehydrated but an API limit with boulder (the ACME server).
@@ -36,3 +30,23 @@ If you are using HTTP validation make sure that the path you have configured wit
 To test this create a file (e.g. `test.txt`) in that directory and try opening it with your browser: `http://example.org/.well-known/acme-challenge/test.txt`. Note that if you have an IPv6 address, the challenge connection will be on IPv6. Be sure that you test HTTP connections on both IPv4 and IPv6. Checking the test file in your browser is often not sufficient because the browser just fails over to IPv4.
 
 If you get any error you'll have to fix your web server configuration.
+
+## DNS invalid challenge since dehydrated 0.6.0 / Why are DNS challenges deployed first and verified later?
+
+Since Let's Encrypt (and in general the ACMEv2 protocol) now supports wildcard domains there is a situation where DNS caching can become a problem.
+If somebody wants to validate a certificate with `example.org` and `*.example.org` there are two tokens that have to be deployed on `_acme-challenge.example.org`.
+
+If dehydrated would deploy and verify each token on its own the CA would cache the first token on `_acme-challenge.example.org` and the next challenge would simply fail.
+Let's Encrypt uses your DNS TTL with a max limit of 5 minutes, but this doesn't seem to be part of the ACME protocol, just some LE specific configuration,
+so with other CAs and certain DNS providers who don't allow low TTLs this could potentially take hours.
+
+Since dehydrated now deploys all challenges first that no longer is a problem. The CA will query and cache both challenges, and both authorizations can be validated.
+Some hook-scripts were written in a way that erases the old TXT record rather than adding a new entry, those should be (and many of them already have been) fixed.
+
+There are certain DNS providers which really only allow one TXT record on a domain. This is really odd and you should probably contact your DNS provider and ask them
+to fix this.
+
+If for whatever reason you can't switch DNS providers and your DNS provider only supports one TXT record and doesn't want to fix that you could try splitting your
+certificate into multiple certificates and add a sleep in the `deploy_cert` hook.
+If you can't do that or really don't want to please leave a comment on https://github.com/lukas2511/dehydrated/issues/554,
+if many people are having this unfixable problem I might try to implement a workaround.

docs/wellknown.md

@@ -24,7 +24,7 @@ With Nginx you'll need to add this to any of your `server`/VHost config blocks:
 ```nginx
 server {
   [...]
-  location /.well-known/acme-challenge {
+  location ^~ /.well-known/acme-challenge {
     alias /var/www/dehydrated;
   }
   [...]

test.sh

@@ -1,266 +0,0 @@
-#!/usr/bin/env bash
-
-# Fail early
-set -eu -o pipefail
-
-# Check if running in CI environment
-if [[ ! "${CI:-false}" == "true" ]]; then
-  echo "ERROR: Not running in CI environment!"
-  exit 1
-fi
-
-_TEST() {
-  echo
-  echo "${1} "
-}
-_SUBTEST() {
-  echo -n " + ${1} "
-}
-_PASS() {
-  echo -e "[\u001B[32mPASS\u001B[0m]"
-}
-_FAIL() {
-  echo -e "[\u001B[31mFAIL\u001B[0m]"
-  echo
-  echo "Problem: ${@}"
-  echo
-  echo "STDOUT:"
-  cat tmplog
-  echo
-  echo "STDERR:"
-  cat errorlog
-  exit 1
-}
-_CHECK_FILE() {
-  _SUBTEST "Checking if file '${1}' exists..."
-  if [[ -e "${1}" ]]; then
-    _PASS
-  else
-    _FAIL "Missing file: ${1}"
-  fi
-}
-_CHECK_LOG() {
-  _SUBTEST "Checking if log contains '${1}'..."
-  if grep -- "${1}" tmplog > /dev/null; then
-    _PASS
-  else
-    _FAIL "Missing in log: ${1}"
-  fi
-}
-_CHECK_NOT_LOG() {
-  _SUBTEST "Checking if log doesn't contain '${1}'..."
-  if grep -- "${1}" tmplog > /dev/null; then
-    _FAIL "Found in log: ${1}"
-  else
-    _PASS
-  fi
-}
-_CHECK_ERRORLOG() {
-  _SUBTEST "Checking if errorlog is empty..."
-  if [[ -z "$(cat errorlog)" ]]; then
-    _PASS
-  else
-    _FAIL "Non-empty errorlog"
-  fi
-}
-
-# If not found (should be cached in travis) download ngrok
-if [[ ! -e "ngrok/ngrok" ]]; then
-  (
-    mkdir -p ngrok
-    cd ngrok
-    if [ "${TRAVIS_OS_NAME}" = "linux" ]; then
-      wget -O ngrok.zip https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
-    elif [ "${TRAVIS_OS_NAME}" = "osx" ]; then
-      wget -O ngrok.zip https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-darwin-amd64.zip
-    else
-      echo "No ngrok for ${TRAVIS_OS_NAME}"
-      exit 1
-    fi
-    unzip ngrok.zip ngrok
-    chmod +x ngrok
-  )
-fi
-
-# Run ngrok and grab temporary url from logfile
-ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp.log &
-ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp2.log &
-ngrok/ngrok http 8080 --log stdout --log-format logfmt --log-level debug > tmp3.log &
-sleep 2
-TMP_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp.log | head -1 | cut -d':' -f2)"
-TMP2_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp2.log | head -1 | cut -d':' -f2)"
-TMP3_URL="$(grep -Eo "Hostname:[a-z0-9]+.ngrok.io" tmp3.log | head -1 | cut -d':' -f2)"
-if [[ -z "${TMP_URL}" ]] || [[ -z "${TMP2_URL}" ]] || [[ -z "${TMP3_URL}" ]]; then
-  echo "Couldn't get an url from ngrok, not a dehydrated bug, tests can't continue."
-  exit 1
-fi
-
-# Run python webserver in .acme-challenges directory to serve challenge responses
-mkdir -p .acme-challenges/.well-known/acme-challenge
-(
-  cd .acme-challenges
-  python -m SimpleHTTPServer 8080 > /dev/null 2> /dev/null
-) &
-
-# Generate config and create empty domains.txt
-echo 'CA="https://testca.kurz.pw/directory"' > config
-echo 'CA_TERMS="https://testca.kurz.pw/terms"' >> config
-echo 'WELLKNOWN=".acme-challenges/.well-known/acme-challenge"' >> config
-echo 'RENEW_DAYS="14"' >> config
-touch domains.txt
-
-# Check if help command is working
-_TEST "Checking if help command is working..."
-./dehydrated --help > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Default command: help"
-_CHECK_LOG "--help (-h)"
-_CHECK_LOG "--domain (-d) domain.tld"
-_CHECK_ERRORLOG
-
-# Register account key without LICENSE set
-_TEST "Register account key without LICENSE set"
-./dehydrated --register > tmplog 2> errorlog && _FAIL "Script execution failed"
-_CHECK_LOG "To accept these terms"
-_CHECK_ERRORLOG
-
-# Register account key and agreeing to terms
-_TEST "Register account key without LICENSE set"
-./dehydrated --register --accept-terms > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Registering account key"
-_CHECK_FILE accounts/*/account_key.pem
-_CHECK_ERRORLOG
-
-# Delete accounts and add LICENSE to config for normal operation
-rm -rf accounts
-echo 'LICENSE="https://testca.kurz.pw/terms/v1"' >> config
-
-# Run in cron mode with empty domains.txt (should only generate private key and exit)
-_TEST "First run in cron mode, checking if private key is generated and registered"
-./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Registering account key"
-_CHECK_FILE accounts/*/account_key.pem
-_CHECK_ERRORLOG
-
-# Temporarily move config out of the way and try signing certificate by using temporary config location
-_TEST "Try signing using temporary config location and with domain as command line parameter"
-mv config tmp_config
-./dehydrated --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --accept-terms -f tmp_config > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_NOT_LOG "Checking domain name(s) of existing cert"
-_CHECK_LOG "Generating private key"
-_CHECK_LOG "Requesting challenge for ${TMP_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
-_CHECK_LOG "Challenge is valid!"
-_CHECK_LOG "Creating fullchain.pem"
-_CHECK_LOG "Done!"
-_CHECK_ERRORLOG
-mv tmp_config config
-
-# Add third domain to command-lime, should force renewal.
-_TEST "Run in cron mode again, this time adding third domain, should force renewal."
-./dehydrated --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Domain name(s) are not matching!"
-_CHECK_LOG "Forcing renew."
-_CHECK_LOG "Generating private key"
-_CHECK_LOG "Requesting challenge for ${TMP_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
-_CHECK_LOG "Challenge is valid!"
-_CHECK_LOG "Creating fullchain.pem"
-_CHECK_LOG "Done!"
-_CHECK_ERRORLOG
-
-# Prepare domains.txt
-# Modify TMP3_URL to be uppercase to check for upper-lower-case mismatch bugs
-echo "${TMP_URL} ${TMP2_URL} $(tr 'a-z' 'A-Z' <<<"${TMP3_URL}")" >> domains.txt
-
-# Run in cron mode again (should find a non-expiring certificate and do nothing)
-_TEST "Run in cron mode again, this time with domain in domains.txt, should find non-expiring certificate"
-./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
-_CHECK_LOG "Skipping renew"
-_CHECK_ERRORLOG
-
-# Disable private key renew
-echo 'PRIVATE_KEY_RENEW="no"' >> config
-
-# Run in cron mode one last time, with domain in domains.txt and force-resign (should find certificate, resign anyway, and not generate private key)
-_TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
-./dehydrated --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
-_CHECK_LOG "Ignoring because renew was forced!"
-_CHECK_NOT_LOG "Generating private key"
-_CHECK_LOG "Requesting challenge for ${TMP_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
-_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
-_CHECK_LOG "Already validated!"
-_CHECK_LOG "Creating fullchain.pem"
-_CHECK_LOG "Done!"
-_CHECK_ERRORLOG
-
-# Check if signcsr command is working
-_TEST "Running signcsr command"
-./dehydrated --signcsr certs/${TMP_URL}/cert.csr > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "BEGIN CERTIFICATE"
-_CHECK_LOG "END CERTIFICATE"
-_CHECK_NOT_LOG "ERROR"
-
-# Check if renewal works
-_TEST "Run in cron mode again, to check if renewal works"
-echo 'RENEW_DAYS="300"' >> config
-./dehydrated --cron > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
-_CHECK_LOG "Renewing!"
-_CHECK_ERRORLOG
-
-# Check if certificate is valid in various ways
-_TEST "Verifying certificate..."
-_SUBTEST "Verifying certificate on its own..."
-openssl x509 -in "certs/${TMP_URL}/cert.pem" -noout -text > tmplog 2> errorlog && _PASS || _FAIL
-_CHECK_LOG "CN=${TMP_URL}"
-_CHECK_LOG "${TMP2_URL}"
-_SUBTEST "Verifying file with full chain..."
-openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
-_SUBTEST "Verifying certificate against CA certificate..."
-curl -s https://testca.kurz.pw/acme/issuer-cert | openssl x509 -inform DER -outform PEM > ca.pem
-(openssl verify -verbose -CAfile "ca.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
-_CHECK_ERRORLOG
-
-# Revoke certificate using certificate key
-_TEST "Revoking certificate..."
-./dehydrated --revoke "certs/${TMP_URL}/cert.pem" --privkey "certs/${TMP_URL}/privkey.pem" > tmplog 2> errorlog || _FAIL "Script execution failed"
-REAL_CERT="$(readlink -n "certs/${TMP_URL}/cert.pem")"
-_CHECK_LOG "Revoking certs/${TMP_URL}/${REAL_CERT}"
-_CHECK_LOG "Done."
-_CHECK_FILE "certs/${TMP_URL}/${REAL_CERT}-revoked"
-_CHECK_ERRORLOG
-
-# Enable private key renew
-echo 'PRIVATE_KEY_RENEW="yes"' >> config
-echo 'PRIVATE_KEY_ROLLOVER="yes"' >> config
-
-# Check if Rolloverkey creation works
-_TEST "Testing Rolloverkeys..."
-_SUBTEST "First Run: Creating rolloverkey"
-./dehydrated --cron --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
-CERT_ROLL_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.roll.pem -outform DER -pubout 2>/dev/null | openssl sha -sha256)
-_CHECK_LOG "Generating private key"
-_CHECK_LOG "Generating private rollover key"
-_SUBTEST "Second Run: Force Renew, Use rolloverkey"
-./dehydrated --cron --force --domain "${TMP2_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
-CERT_NEW_HASH=$(openssl rsa -in certs/${TMP2_URL}/privkey.pem -outform DER -pubout 2>/dev/null | openssl sha -sha256)
-_CHECK_LOG "Generating private key"
-_CHECK_LOG "Moving Rolloverkey into position"
-_SUBTEST "Verifying Hash Rolloverkey and private key second run"
-[[ "${CERT_ROLL_HASH}" = "${CERT_NEW_HASH}" ]] && _PASS || _FAIL
-_CHECK_ERRORLOG
-
-# Test cleanup command
-_TEST "Cleaning up certificates"
-./dehydrated --cleanup > tmplog 2> errorlog || _FAIL "Script execution failed"
-_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/cert-"
-_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/chain-"
-_CHECK_LOG "Moving unused file to archive directory: ${TMP_URL}/fullchain-"
-_CHECK_ERRORLOG
-
-# All done
-exit 0