some documentation

The introduction of the `-multi` option to the x509 subcommand
introduced a regression to the `-checkend` behaviour, preventing
openssl to correctly indicate the certificate expiry status via
its exit code.

This commit introduces a (maybe temporary) workaround by instead
checking the output string.

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: lukas2511
+custom: ["https://paypal.me/lukas2511", "http://www.amazon.de/registry/wishlist/1TUCFJK35IO4Q"]

CHANGELOG

@@ -1,6 +1,81 @@
 # Change Log
 This file contains a log of major changes in dehydrated
 
+## [x.x.x] - xxxx-xx-xx
+## Fixed
+- Various bugfixes around IP certificate orders
+- Implement workaround for OpenSSL regression which broke the time-based validity check
+
+## Added
+- Added a configuration parameter to allow for timeouts during domain validation processing (`VALIDATION_TIMEOUT`, defaults to 0 = no timeout)
+- Added documentation for IP certificates
+
+## Changed
+- Only validate existance of wellknown directory or hook script when actually needed
+- Also allow setting `KEEP_GOING` in config file instead of relying on cli arguments
+- Allow skipping over OCSP stapling errors, indicate that some CAs no longer support OCSP
+- Throw error with information about OCSP deprecation if certificate doesn't indicate OCSP support
+
+## [0.7.2] - 2025-05-18
+## Added
+- Implemented support for certificate profile selection
+- Added a configuration parameter to allow for timeouts during order processing (`ORDER_TIMEOUT`, defaults to 0 = no timeout)
+- Allowed for automatic deletion of old files (`AUTO_CLEANUP_DELETE`, disabled by default)
+- Added CA presets for Google Trust Services (prod: google, test: google-test)
+
+## Changed
+- Renew certificates with 32 days remaining (instead of 30) to avoid issues with monthly cronjobs (`RENEW_DAYS=32`)
+
+## Fixed
+- Changed behaviour of `openssl req` stdin handling to fix compatibility with OpenSSL version 3.2+
+
+## [0.7.1] - 2022-10-31
+## Changed
+- `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
+- Added support for EC secp521r1 algorithm (works with e.g. zerossl)
+- `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
+
+## Fixed
+- Requests resulting in `badNonce` errors are now automatically retried (fixes operation with LE staging servers)
+- Deprecated `egrep` usage has been removed
+
+## Added
+- Implemented EC for account keys
+- Domain list now also read from domains.txt.d subdirectory (behaviour might change, see docs)
+- Implemented RFC 8738 (validating/signing certificates for IP addresses instead of domain names) support (this will not work with most public CAs, if any!)
+
+## [0.7.0] - 2020-12-10
+## Added
+- Support for external account bindings
+- Special support for ZeroSSL
+- Support presets for some CAs instead of requiring URLs
+- Allow requesting preferred chain (`--preferred-chain`)
+- Added method to show CAs current terms of service (`--display-terms`)
+- Allow setting path to domains.txt using cli arguments (`--domains-txt`)
+- Added new cli command `--cleanupdelete` which deletes old files instead of archiving them
+
+## Fixed
+- No more silent failures on broken hook-scripts
+- Better error-handling with KEEP_GOING enabled
+- Check actual order status instead of assuming it's valid
+- Don't include keyAuthorization in challenge validation (RFC compliance)
+
+## Changed
+- Using EC secp384r1 as default certificate type
+- Use JSON.sh to parse JSON
+- Use account URL instead of account ID (RFC compliance)
+- Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
+- Added `OCSP_FETCH` and `OCSP_DAYS` to per-certificate configurable options
+- Cleanup now also removes dangling symlinks
+
+## [0.6.5] - 2019-06-26
+## Fixed
+- Fixed broken APIv1 compatibility from last update
+
+## [0.6.4] - 2019-06-25
+## Changed
+- Fetch account ID from Location header instead of account json
+
 ## [0.6.3] - 2019-06-25
 ## Changed
 - OCSP refresh interval is now configurable

LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2015-2018 Lukas Schauer
+Copyright (c) 2015-2021 Lukas Schauer
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,6 +1,6 @@
 # dehydrated [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=23P9DSJBTY7C8)
 
-![](docs/logo.jpg)
+![](docs/logo.png)
 
 Dehydrated is a client for signing certificates with an ACME-server (e.g. Let's Encrypt) implemented as a relatively simple (zsh-compatible) bash-script.
 This client supports both ACME v1 and the new ACME v2 including support for wildcard certificates!
@@ -14,6 +14,7 @@ Current features:
 - Signing of a custom CSR (either standalone or completely automated using hooks!)
 - Renewal if a certificate is about to expire or defined set of domains changed
 - Certificate revocation
+- and lots more..
 
 Please keep in mind that this software, the ACME-protocol and all supported CA servers out there are relatively young and there might be a few issues. Feel free to report any issues you find with this script or contribute by submitting a pull request,
 but please check for duplicates first (feel free to comment on those to get things rolling).
@@ -49,12 +50,15 @@ Default command: help
 
 Commands:
  --version (-v)                   Print version information
+ --display-terms                  Display current terms of service
  --register                       Register account key
  --account                        Update account contact information
  --cron (-c)                      Sign/renew non-existent/changed/expiring certificates.
  --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
  --revoke (-r) path/to/cert.pem   Revoke specified certificate
+ --deactivate                     Deactivate account
  --cleanup (-gc)                  Move unused certificate files to archive directory
+ --cleanup-delete (-gcd)          Deletes (!) unused certificate files
  --help (-h)                      Show help text
  --env (-e)                       Output configuration variables for use in other scripts
 
@@ -64,39 +68,30 @@ Parameters:
  --ipv4 (-4)                      Resolve names to IPv4 addresses only
  --ipv6 (-6)                      Resolve names to IPv6 addresses only
  --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
+ --ca url/preset                  Use specified CA URL or preset
  --alias certalias                Use specified name for certificate directory (and per-certificate config) instead of the primary domain (only used if --domain is specified)
  --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
- --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+ --force (-x)                     Force certificate renewal even if it is not due to expire within RENEW_DAYS
+ --force-validation               Force revalidation of domain names (used in combination with --force)
  --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
  --lock-suffix example.com        Suffix lockfile name with a string (useful for with -d)
  --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
  --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
+ --domains-txt path/to/domains.txt Use specified domains.txt instead of default/configured one
  --config (-f) path/to/config     Use specified config file
  --hook (-k) path/to/hook.sh      Use specified script for hooks
+ --preferred-chain issuer-cn      Use alternative certificate chain identified by issuer CN
  --out (-o) certs/directory       Output certificates into the specified directory
  --alpn alpn-certs/directory      Output alpn verification certificates into the specified directory
- --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
+ --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
  --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+ --acme-profile profile_name      Use specified ACME profile
+ --order-timeout seconds          Amount of seconds to wait for processing of order until erroring out
+ --validation-timeout seconds     Amount of seconds to wait for processing of domain validations until erroring out
 ```
 
-## Donate
+## Chat
 
-I'm a student hacker with a few (unfortunately) quite expensive hobbies (self-hosting, virtualization clusters, routing,
-high-speed networking, embedded hardware, etc.).
-I'm really having fun playing around with hard- and software and I'm steadily learning new things.
-Without those hobbies I probably would never have started working on dehydrated to begin with :)
+Dehydrated has an official IRC-channel `#dehydrated` on libera.chat that can be used for general discussion and suggestions.
 
-I'd really appreciate if you could [donate a bit of money](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=23P9DSJBTY7C8)
-so I can buy cool stuff (while still being able to afford food :D).  
-
-If you have hardware laying around that you think I'd enjoy playing with (e.g. decommissioned but still modern-ish servers,
-10G networking hardware, enterprise grade routers or APs, interesting ARM/MIPS boards, etc.) and that you would be willing
-to ship to me please contact me at `donations@dehydrated.io` or on Twitter [@lukas2511](https://twitter.com/lukas2511).
-
-If you want your name to be added to the [donations list](https://dehydrated.io/donations.html) please add a note or send me an
-email `donations@dehydrated.io`. I respect your privacy and won't publish your name without permission.
-
-Other ways of donating:
- - [My Amazon Wishlist](http://www.amazon.de/registry/wishlist/1TUCFJK35IO4Q)
- - Monero: 4Kkf4tF4r9DakxLj37HDXLJgmpVfQoFhT7JLDvXwtUZZMTbsK9spsAPXivWPAFcDUj6jHhY8hJSHX8Cb8ndMhKeQHPSkBZZiK89Fx8NTHk
- - Bitcoin: 12487bHxcrREffTGwUDnoxF1uYxCA7ztKK
+The channel can also be accessed with Matrix using the official libera.chat bridge at `#dehydrated:libera.chat`.

docs/dns-verification.md

@@ -28,4 +28,4 @@ Or when you do have a DNS API, pass the details accordingly to achieve the same
 
 You can delete the TXT record when called with operation `clean_challenge`, when $2 is also the domain name.
 
-Here are some examples: [Examples for DNS-01 hooks](https://github.com/lukas2511/dehydrated/wiki/Examples-for-DNS-01-hooks)
+Here are some examples: [Examples for DNS-01 hooks](https://github.com/dehydrated-io/dehydrated/wiki)

docs/domains_txt.md

@@ -34,6 +34,30 @@ under your `CERTDIR`.
 example.net www.example.net wiki.example.net > certalias
 ```
 
+This allows to set per certificates options. The options you can change are
+explained in [Per Certificate Config](per-certificate-config.md).
+
+If you want to create different certificate types for the same domain
+you can use:
+
+```text
+*.service.example.org service.example.org  > star_service_example_org_rsa
+*.service.example.org service.example.org  > star_service_example_org_ecdsa
+```
+
+Then add a config file `certs/star_service_example_org_rsa/config` with
+the value
+
+```
+KEY_ALGO="rsa"
+```
+
+or respectively
+
+```
+KEY_ALGO="ecdsa"
+```
+
 ### Wildcards
 
 Support for wildcards was added by the ACME v2 protocol.
@@ -70,3 +94,14 @@ This creates two certificates one for `service.example.com` with an
 **Note:** The first certificate is valid for both `service.example.com` and for
 `*.service.example.com` which can be a useful way to create wildcard
 certificates.
+
+### Drop-in directory
+
+If a directory named `domains.txt.d` exists in the same location as
+`domains.txt`, the contents of `*.txt` files in that directory are appended to
+the list of domains, in alphabetical order of the filenames. This is useful for
+automation, as it doesn't require editing an existing file to add new domains.
+
+Warning: Behaviour of this might change as the naming between `domains.txt.d`
+and the `DOMAINS_D` config variable (which is used for per-certificate
+configuration) is a bit confusing.

docs/examples/config

@@ -10,10 +10,10 @@
 # Default values of this config are in comments        #
 ########################################################
 
-# Which user should dehydrated run as? This will be implictly enforced when running as root
+# Which user should dehydrated run as? This will be implicitly enforced when running as root
 #DEHYDRATED_USER=
 
-# Which group should dehydrated run as? This will be implictly enforced when running as root
+# Which group should dehydrated run as? This will be implicitly enforced when running as root
 #DEHYDRATED_GROUP=
 
 # Resolve names to addresses of IP version only. (curl)
@@ -21,8 +21,10 @@
 # default: <unset>
 #IP_VERSION=
 
-# Path to certificate authority (default: https://acme-v02.api.letsencrypt.org/directory)
-#CA="https://acme-v02.api.letsencrypt.org/directory"
+# URL to certificate authority or internal preset
+# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
+# default: letsencrypt
+#CA="letsencrypt"
 
 # Path to old certificate authority
 # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
@@ -90,8 +92,8 @@
 # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
 #HOOK_CHAIN="no"
 
-# Minimum days before expiration to automatically renew certificate (default: 30)
-#RENEW_DAYS="30"
+# Minimum days before expiration to automatically renew certificate (default: 32)
+#RENEW_DAYS="32"
 
 # Regenerate private keys instead of just signing new certificates on renewal (default: yes)
 #PRIVATE_KEY_RENEW="yes"
@@ -100,7 +102,7 @@
 #PRIVATE_KEY_ROLLOVER="no"
 
 # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
-#KEY_ALGO=rsa
+#KEY_ALGO=secp384r1
 
 # E-mail to use during the registration (default: <unset>)
 #CONTACT_EMAIL=
@@ -123,5 +125,20 @@
 # Automatic cleanup (default: no)
 #AUTO_CLEANUP="no"
 
+# Delete files during automatic cleanup instead of moving to archive (default: no)
+#AUTO_CLEANUP_DELETE="no"
+
 # ACME API version (default: auto)
 #API=auto
+
+# Preferred issuer chain (default: <unset> -> uses default chain)
+#PREFERRED_CHAIN=
+
+# Request certificate with specific profile (default: <unset>)
+#ACME_PROFILE=
+
+# Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
+#ORDER_TIMEOUT=0
+
+# Skip over errors during certificate orders and updating of OCSP stapling information (default: no)
+#KEEP_GOING=no

docs/examples/domains.txt

@@ -24,6 +24,15 @@ example.net www.example.net > certalias
 # NOTE: It is a certificate for 'service.example.org'
 *.service.example.org service.example.org  > star_service_example_org
 
+# Optionally you can also append the certificate algorithm here to create
+# multiple certificate types for the same domain.
+#
+# This allows to set per certificates options. How to do this is
+# explained in [domains.txt documentation](domains_txt.md).
+#
+*.service.example.org service.example.org  > star_service_example_org_rsa
+*.service.example.org service.example.org  > star_service_example_org_ecdsa
+
 # Create a certificate for 'service.example.net' with an alternative name of
 # '*.service.example.net' (which is a wildcard domain) and store it in the
 # directory ${CERTDIR}/service.example.net

docs/examples/hook.sh

@@ -60,7 +60,7 @@ sync_cert() {
   #   The path of the file containing the certificate signing request.
 
   # Simple example: sync the files before symlinking them
-    # sync "${KEYFILE}" "${CERTFILE} "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
+  # sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
 }
 
 deploy_cert() {
@@ -177,7 +177,7 @@ generate_csr() {
   # This hook is called before any certificate signing operation takes place.
   # It can be used to generate or fetch a certificate signing request with external
   # tools.
-    # The output should be just the cerificate signing request formatted as PEM.
+  # The output should be just the certificate signing request formatted as PEM.
   #
   # Parameters:
   # - DOMAIN

docs/import-from-official-client.md

@@ -1,3 +0,0 @@
-# Import
-
-If you want to import existing keys from the official letsencrypt client have a look at [Import from official letsencrypt client](https://github.com/lukas2511/dehydrated/wiki/Import-from-official-letsencrypt-client).

docs/ip-certificates.md

@@ -0,0 +1,97 @@
+## IP Certificates
+
+In addition to issuing certificates for domain names, the ACME protocol also supports certificates
+for IP addresses. Dehydrated has included support for IP identifiers for quite some time, but this
+feature only became practically useful once Let’s Encrypt made IP certificate issuance publicly
+available.
+
+IP certificates can be helpful in scenarios where a service is accessed directly via an address
+rather than a hostname, for example in internal networks, appliances, temporary systems, or
+environments without reliable DNS.
+
+### Limitations and requirements
+
+Currently, there are a few important constraints to be aware of:
+
+- Validation is only possible using http-01 challenges. This means you must have a web server publicly reachable on the IP address you want to certify.
+- Let's Encrypt only issues IP certificates via the shortlived ACME profile. Certificates issued through this profile are currently valid for 7 days.
+
+Because of the short lifetime, it’s important to renew these certificates frequently and adjust
+any automated jobs accordingly.
+
+### Preparing an IP certificate in dehydrated
+
+For convenience, create the certificate directory and a per-certificate configuration file in advance.
+
+Example for an IPv6 address:
+
+```bash
+ip="2001:0db8:0:3::1337"
+```
+
+Or for IPv4:
+
+```bash
+ip="224.13.37.42"
+```
+
+Then set up the certificate directory and configuration and add the ip to domains.txt:
+
+```bash
+# Create certificate directory
+mkdir -p "certs/ip:${ip}"
+
+# Use the shortlived ACME profile for this certificate
+echo "ACME_PROFILE=shortlived" >> "certs/ip:${ip}/config"
+
+# Renew this certificate every 4 days
+echo "RENEW_DAYS=4" >> "certs/ip:${ip}/config"
+
+# Add IP to domains.txt
+echo ip:${ip} >> domains.txt
+```
+
+Keep in mind that you also can use aliases for better readability in your directory structure.
+See the `domains.txt` documentation for more information.
+
+### Requesting the certificate
+
+Once the directory and configuration are in place, you can request and renew the certificate as usual:
+
+```bash
+dehydrated -c
+```
+
+Dehydrated will automatically include the IP identifier and use the configured ACME profile.
+
+### Renewal considerations
+
+Since short-lived certificates expire after one week, make sure that:
+
+- Your renewal job runs frequently enough (for example daily or every few days)
+- Monitoring or alerting accounts for the much shorter validity period
+- Failing to renew in time will result in expired certificates much sooner than with standard domain certificates.
+
+### IPv6 address normalization
+
+To ensure compatibility with Let's Encrypt's seemingly somewhat non-standard handling of IP identifiers,
+dehydrated internally normalizes IPv6 addresses before using them as certificate names.
+
+This process first expands and reformats IPv6 notation into a consistent representation, eliminating
+shorthand forms such as :: compression. Afterwards it re-shortens the IPv6 address in a way that is
+accepted by Let's Encrypt. Doing so guarantees that:
+
+- IPv6 addresses are compatible with Let's Encrypt
+- Matching of existing and configured identifiers works, without dependency on special formatting in domains.txt
+
+This happens internally and should be invisible to most users, but if you are running this against
+a custom ACME server you might want to be aware of this behaviour.
+
+Example formatting:
+
+- Original IPv6 address: `2001:db8:0:3:0:0:0:1337` (not accepted by Let's Encrypt)
+- Fully expanded IPv6 address: `2001:0db8:0000:0003:0000:0000:0000:1337` (also not accepted)
+- Re-shortened IPv6 address: `2001:db8:0:3::1337` (gets accepted)
+
+
+

docs/man/dehydrated.1

@@ -20,8 +20,8 @@ Dehydrated will notify if no account is configured. Run with \fB--register
 
 Next, all domain names must be provided in domains.txt. The format is line
 based: If the file contains two lines "example.com" and "example.net",
-Dehydrated will request two certificate, one for "example.com" and the other
-for "example.net". A single line while "example.com example.net" will request a
+dehydrated will request two certificate, one for "example.com" and the other
+for "example.net". A single line containing "example.com example.net" will request a
 single certificate valid for both "example.net" and "example.com" through the \fISubject
 Alternative Name\fR (SAN) field.
 
@@ -106,7 +106,7 @@ Keep going after encountering an error while creating/renewing multiple
 certificates in cron mode
 .TP
 .BR \-\-force ", " \-x
-Force renew of certificate even if it is longer valid than value in RENEW_DAYS
+Force certificate renewal even if it is not due to expire within RENEW_DAYS
 .TP
 .BR \-\-no\-lock ", " \-n
 Don't use lockfile (potentially dangerous!)
@@ -139,7 +139,7 @@ secp384r1
 The program exits 0 if everything was fine, 1 if an error occurred.
 .SH BUGS
 Please report any bugs that you may encounter at the project web site
-.UR https://github.com/lukas2511/dehydrated/issues
+.UR https://github.com/dehydrated-io/dehydrated/issues
 .UE .
 .SH AUTHOR
 Dehydrated was written by Lukas Schauer. This man page was contributed by
@@ -151,5 +151,5 @@ distribution for licensing information.
 .SH SEE ALSO
 Full documentation along with configuration examples are provided in the \fIdocs\fR
 directory of the distribution, or at
-.UR https://github.com/lukas2511/dehydrated/tree/master/docs
+.UR https://github.com/dehydrated-io/dehydrated/tree/master/docs
 .UE .

docs/per-certificate-config.md

@@ -11,12 +11,15 @@ Currently supported options:
 - KEY_ALGO
 - KEYSIZE
 - OCSP_MUST_STAPLE
+- OCSP_FETCH
+- OCSP_DAYS
 - CHALLENGETYPE
 - HOOK
 - HOOK_CHAIN
 - WELLKNOWN
 - OPENSSL_CNF
 - RENEW_DAYS
+- PREFERRED_CHAIN
 
 ## DOMAINS_D
 

docs/staging.md

@@ -8,10 +8,7 @@ you will quickly hit these limits and find yourself locked out.
 To avoid this, please set the CA property to the Let’s Encrypt staging server URL in your config file:
 
 ```bash
-CA="https://acme-staging.api.letsencrypt.org/directory"
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
 ```
 
-# ACMEv2 staging
-
-You can use `CA="https://acme-staging-v02.api.letsencrypt.org/directory"` to test dehydrated with
-the ACMEv2 staging endpoint.
+Alternatively you can define the CA using the CLI argument `--ca letsencrypt-test` (`letsencrypt-test` is an integrated preset-CA corresponding to the URL above).

docs/tls-alpn.md

@@ -6,6 +6,26 @@ It will do that for any (sub-)domain you want to sign a certificate for.
 
 Dehydrated generates the required verification certificates, but the delivery is out of its scope.
 
+### Example lighttpd config
+
+lighttpd can be configured to recognize ALPN `acme-tls/1` and to respond to such
+requests using the specially crafted TLS certificates generated by dehydrated.
+Configure lighttpd and dehydrated to use the same path for these certificates.
+(Be sure to allow read access to the user account under which the lighttpd
+server is running.) `mkdir -p /etc/dehydrated/alpn-certs`
+
+lighttpd.conf:
+```
+ssl.acme-tls-1 = "/etc/dehydrated/alpn-certs"
+```
+
+When renewing certificates, specify `-t tls-alpn-01` and `--alpn /etc/dehydrated/alpn-certs` to dehydrated, e.g.
+```
+dehydrated -t tls-alpn-01 --alpn /etc/dehydrated/alpn-certs -c --out /etc/lighttpd/certs -d www.example.com
+# gracefully reload lighttpd to use the new certificates by sending lighttpd pid SIGUSR1
+systemctl reload lighttpd
+```
+
 ### Example nginx config
 
 On an nginx tcp load-balancer you can use the `ssl_preread` module to map a different port for acme-tls
@@ -15,7 +35,6 @@ Your config should look something like this:
 
 ```nginx
 stream {
-  server {
   map $ssl_preread_alpn_protocols $tls_port {
     ~\bacme-tls/1\b 10443;
     default 443;
@@ -27,7 +46,6 @@ stream {
     proxy_pass 10.13.37.42:$tls_port;
     ssl_preread on;
   }
-  }
 }
 ```