PRIVATE_KEY_RENEW="no" ignored? #261

Closed
opened 2025-12-29 01:20:29 +01:00 by adam · 2 comments
Originally created by @bortzmeyer on GitHub (Oct 25, 2017).

I want to renew the certificate without changing the key, to use things like DANE or HTTP key pinning. I therefore added:

PRIVATE_KEY_RENEW="no"

to /etc/dehydrated/config. Nevertheless, the key is changed on renewal.

Here is the output of dehydrated:


# INFO: Using main config file /etc/dehydrated/config
# !! WARNING !! Extra configuration directory /etc/dehydrated/conf.d exists, but no configuration found in it.
Processing mercredifiction.bortzmeyer.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Nov 22 08:40:00 2017 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating signing request...
 + Requesting challenge for mercredifiction.bortzmeyer.org...
 + Responding to challenge for mercredifiction.bortzmeyer.org...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Reloading apache2 configuration (via systemctl): apache2.service.
 + Done!

And here is the full config:

% cat /etc/dehydrated/config     
#############################################################
# This is the main config file for dehydrated               #
#                                                           #
# This is the default configuration for the Debian package. #
# To see a more comprehensive example, see                  #
# /usr/share/doc/dehydrated/examples/config                 #
#                                                           #
# For details please read:                                  #
# /usr/share/doc/dehydrated/README.Debian                   #
#############################################################

CONFIG_D=/etc/dehydrated/conf.d
BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt"
# Keep the key, for DANE
PRIVATE_KEY_RENEW="no"
adam closed this issue 2025-12-29 01:20:29 +01:00
@bortzmeyer commented on GitHub (Oct 25, 2017):

I forgot to add: dehydrated version 0.3.1

@bortzmeyer commented on GitHub (Oct 25, 2017):

Sorry for the false alarm, it was actually a wrong DANE configuration on my side (😊). I tested on the whole certificate (selector 0) not just on the key (selector 1).

I'll pay a beer to the dehydrated developer, as an apology.

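The selector distinction behind the false alarm, as an added example that is not part of the original issue and not dehydrated's own code: with matching type 1 (SHA-256), a TLSA record with selector 0 hashes the whole DER certificate, which changes on every renewal (new serial, validity and signature), while selector 1 hashes only the SubjectPublicKeyInfo, which stays the same when the key is kept. The minimal DER walker, the dummy certificates and the key bytes below are my own constructed fixtures (unsigned, untrusted, empty names); `renewal_demo` builds two of them sharing one SPKI, which is what `PRIVATE_KEY_RENEW="no"` preserves across a renewal, and renders the four resulting records. The record owner name `_443._tcp.example.net.` is a placeholder.

```python
# Added example (not dehydrated's code): DANE TLSA association data for
# selector 0 (whole certificate) vs selector 1 (SubjectPublicKeyInfo),
# using a minimal DER walker so it runs offline.  The certificates built
# below are unsigned dummies (constructed data) that share one SPKI, which
# is what PRIVATE_KEY_RENEW="no" produces across a dehydrated renewal.
import hashlib

def der_tlv(data, offset=0):
    """Parse one definite-length DER TLV; return (tag, value_start, value_end)."""
    tag, first = data[offset], data[offset + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
        header = 2 + n
    start = offset + header
    return tag, start, start + length

def der_children(data, start, end):
    """Yield (tag, raw TLV bytes) for each element of a constructed value."""
    off = start
    while off < end:
        tag, _, vend = der_tlv(data, off)
        yield tag, data[off:vend]
        off = vend

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 Certificate (RFC 5280 layout:
    Certificate { tbsCertificate, sigAlg, sig }; TBSCertificate { [0] version
    OPTIONAL, serial, signature, issuer, validity, subject, spki, ... })."""
    tag, s, e = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    tbs_tag, tbs = next(der_children(cert_der, s, e))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, ts, te = der_tlv(tbs, 0)
    fields = list(der_children(tbs, ts, te))
    if fields[0][0] == 0xA0:          # explicit [0] version is optional (absent in v1)
        fields = fields[1:]
    spki_tag, spki = fields[5]        # serial, signature, issuer, validity, subject, spki
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki

def tlsa_rdata(cert_der, usage=3, selector=1):
    """TLSA RDATA (RFC 6698) with matching type 1 (SHA-256):
    selector 0 hashes the whole certificate, selector 1 only the SPKI."""
    if selector == 0:
        assoc = cert_der                  # changes on every renewal (serial, dates, signature)
    elif selector == 1:
        assoc = extract_spki(cert_der)    # stable as long as the private key is reused
    else:
        raise ValueError("selector must be 0 (Cert) or 1 (SPKI)")
    return f"{usage} {selector} 1 {hashlib.sha256(assoc).hexdigest()}"

# --- constructed fixtures: two unsigned dummy certificates sharing one key ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def alg_id(oid_der):
    return der_encode(0x30, der_encode(0x06, oid_der) + der_encode(0x05, b""))

RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def fake_spki(key_bytes):
    """SubjectPublicKeyInfo { rsaEncryption, BIT STRING key_bytes } (constructed)."""
    return der_encode(0x30, alg_id(RSA_ENCRYPTION) + der_encode(0x03, b"\x00" + key_bytes))

def fake_certificate(serial, not_before, not_after, spki):
    """Structurally valid Certificate with empty names and a dummy signature."""
    name = der_encode(0x30, b"")                         # empty RDNSequence
    validity = der_encode(0x30, der_encode(0x17, not_before.encode())
                          + der_encode(0x17, not_after.encode()))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))   # v3
                     + der_encode(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
                     + alg_id(SHA256_WITH_RSA) + name + validity + name + spki)
    return der_encode(0x30, tbs + alg_id(SHA256_WITH_RSA) + der_encode(0x03, bytes(17)))

def renewal_demo():
    """Same key, two certificates: selector 1 records match, selector 0 records differ."""
    spki = fake_spki(bytes(range(1, 33)))                 # constructed key material
    before = fake_certificate(1, "170824084000Z", "171122084000Z", spki)
    after = fake_certificate(2, "171025084000Z", "180123084000Z", spki)
    return {"cert_before": tlsa_rdata(before, selector=0),
            "cert_after": tlsa_rdata(after, selector=0),
            "spki_before": tlsa_rdata(before, selector=1),
            "spki_after": tlsa_rdata(after, selector=1)}

if __name__ == "__main__":
    for label, rdata in renewal_demo().items():
        print(f"{label:12s} _443._tcp.example.net. IN TLSA {rdata}")
```

To check a real certificate instead of the fixtures, pass `extract_spki` or `tlsa_rdata` the bytes produced by `openssl x509 -in cert.pem -outform DER`; the selector 1 digest should equal `openssl x509 -noout -pubkey -in cert.pem | openssl pkey -pubin -outform DER | sha256sum`, and it only stays equal across renewals when the private key is reused.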
Reference: starred/dehydrated#261