support/usage for "--must-staple --redirect --hsts --uir" cert options? #175

Closed
opened 2025-12-29 00:26:32 +01:00 by adam · 2 comments
Originally created by @ghost on GitHub (Jan 1, 2017).

I currently use my own certbot-auto certonly ... process/scripts to get my LE certs via standalone webserver mode.

I currently require/pass arguments to certbot-auto that include

--staple-ocsp --must-staple --redirect --hsts --uir

I'd like to switch to dns-01 challenge; I'm revisiting the 'dehydrated' script.

In its options I find only

--ocsp     Sets option in CSR indicating OCSP stapling 

and in "docs/per-certificate-config.md",

Currently supported options:

- PRIVATE_KEY_RENEW
- KEY_ALGO
- KEYSIZE
- OCSP_MUST_STAPLE
- CHALLENGETYPE
- HOOK
- HOOK_CHAIN
- WELLKNOWN
- OPENSSL_CNF
- RENEW_DAYS

(1) is dehydrated's cmd-line "--ocsp" option equivalent to

--staple-ocsp --must-staple

? or, is the "OCSP_MUST_STAPLE" config additionally required?

(2) does dehydrated support any of

--redirect --hsts --uir

and, if so, what's the syntax/usage?

adam closed this issue 2025-12-29 00:26:32 +01:00
@txr13 commented on GitHub (Jan 1, 2017):

--ocsp / OCSP_MUST_STAPLE is the dehydrated equivalent for --must-staple. (Setting --ocsp on the command line is equivalent to setting OCSP_MUST_STAPLE in a config file.)

--staple-ocsp, --redirect, --hsts, and --uir look like features not implemented by dehydrated. This is largely because dehydrated is a script, not a webserver. If you need your webserver to implement these options, you should configure it accordingly. That would be outside the scope of dehydrated itself.

Dehydrated does support the use of hook scripts (and in fact requires them for handling dns-01 challenges). If you needed to configure a webserver during (or after) certificate renewal, you may be able to do so with a hook script. But if you're going to switch to dns-01 challenges, I don't think you'd need the other flags (besides OCSP_MUST_STAPLE). At least not in dehydrated.

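The split described in the comment above (dehydrated puts the must-staple request into the CSR; stapling, HSTS, the HTTP-to-HTTPS redirect and upgrade-insecure-requests are webserver settings that a hook can at most trigger a reload for) is illustrated below with an added example hook script. It is not code from this thread or from the dehydrated project. It assumes nginx as the webserver, reloaded with `nginx -s reload`, and that the dns-01 TXT record handling is only echoed rather than pushed to a real DNS API. The hook names and argument order (deploy_challenge / clean_challenge with DOMAIN TOKEN_FILENAME TOKEN_VALUE, deploy_cert with DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP) follow dehydrated's documented hook interface. The must-staple check on the issued certificate is the caveat worth automating: OCSP_MUST_STAPLE only adds the RFC 7633 TLS Feature extension to the certificate, and a server that then fails to staple will be rejected outright by must-staple-aware clients.

```shell
#!/usr/bin/env bash
# Added example dehydrated hook (not part of dehydrated or of this issue).
# Assumptions: nginx is the webserver, reloaded with "nginx -s reload";
# stapling, HSTS and redirect directives live in the nginx config, which this
# hook does not write.
set -euo pipefail

# RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24). OpenSSL prints it as
# "TLS Feature: status_request"; older builds print only the raw OID.
MUST_STAPLE_OID='1.3.6.1.5.5.7.1.24'

# Return 0 if the PEM certificate at $1 carries the must-staple extension.
# grep reads the whole dump (no -q) so openssl never sees a closed pipe.
cert_has_must_staple() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -E "TLS Feature|${MUST_STAPLE_OID}" >/dev/null
}

# dns-01: dehydrated calls these with DOMAIN TOKEN_FILENAME TOKEN_VALUE.
# A real hook would publish TOKEN_VALUE as the _acme-challenge TXT record via
# the DNS provider's API; here the record is only echoed (example only).
deploy_challenge() {
  local domain="$1" token_value="$3"
  printf 'would create TXT _acme-challenge.%s = %s\n' "${domain}" "${token_value}"
}

clean_challenge() {
  local domain="$1"
  printf 'would delete TXT _acme-challenge.%s\n' "${domain}"
}

# Called with DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP after a
# certificate is issued or renewed. Warn if the CA did not honour the
# must-staple request, then reload the webserver so it picks up the new files.
deploy_cert() {
  local domain="$1" keyfile="$2" certfile="$3" fullchainfile="$4"
  if ! cert_has_must_staple "${certfile}"; then
    printf 'WARNING: %s lacks the must-staple extension; check OCSP_MUST_STAPLE\n' \
      "${domain}" >&2
  fi
  printf 'deployed %s: cert %s, key %s\n' "${domain}" "${fullchainfile}" "${keyfile}"
  nginx -s reload
}

# dehydrated passes the hook name as $1; hooks not handled here are ignored.
HANDLER="${1:-}"
shift || true
case "${HANDLER}" in
  deploy_challenge|clean_challenge|deploy_cert) "${HANDLER}" "$@" ;;
  *) : ;;
esac
```

Point dehydrated at the script with `HOOK=/path/to/hook.sh` and `CHALLENGETYPE="dns-01"` in its config, and set `OCSP_MUST_STAPLE="yes"` there if the certificate should carry the extension. The certbot flags the question lists then map onto nginx directives rather than onto dehydrated options: `ssl_stapling on;` with `ssl_stapling_verify on;` and `ssl_trusted_certificate` pointing at the chain file for --staple-ocsp, `add_header Strict-Transport-Security` for --hsts, a `return 301 https://$host$request_uri;` in the port-80 server block for --redirect, and `add_header Content-Security-Policy "upgrade-insecure-requests";` for --uir.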
@lukas2511 commented on GitHub (Jan 6, 2017):

dehydrated doesn't configure your webserver for you, it only tries to get certificates signed, like @txr13 already said.

Reference: starred/dehydrated#175