dehydrated 0.5.0: dehydrated -c -g stops after first domain #276

Closed
opened 2025-12-29 01:20:51 +01:00 by adam · 9 comments

Originally created by @basbebe on GitHub (Feb 6, 2018).

Since dehydrated 0.5.0, when I run `dehydrated -c -g` only the first domain in my `domains.txt` is being checked / renewed.
The cron job works as expected (run via FreeBSD periodic scripts), but when I run it manually only one domain gets checked.

adam closed this issue 2025-12-29 01:20:52 +01:00

@lukas2511 commented on GitHub (Feb 6, 2018):

Can you provide any more information on this? Is there a weird exit code? Are you running dehydrated with bash or zsh? Can you post the output of `dehydrated -v` please?


@basbebe commented on GitHub (Feb 6, 2018):

There is no exit code – the execution just ends (note that since I added an alias for the first domain, the first two lines are being executed):

```
~ # ❯❯❯ dehydrated -c -g
# INFO: Using main config file /usr/local/etc/dehydrated/config
Processing www.[XXX].com with alternative names: [XXX].com www.[XXX].de [XXX].de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr  6 02:48:35 2018 GMT (Longer than 30 days). Skipping renew!
 + OSCP stapling file is still valid (skipping update)
Processing www.[XXX].com with alternative names: [XXX].com www.[XXX].de [XXX].de
 + Using certificate specific config file!
   + KEY_ALGO = secp384r1
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till May  7 13:10:53 2018 GMT (Longer than 30 days). Skipping renew!
 + Updating OCSP stapling file
~ # ❯❯❯
```

This is my main config (note that for some reason the file `registration_info.json` does *not* exist):

```
~ # ❯❯❯ dehydrated -e
# dehydrated configuration
# INFO: Using main config file /usr/local/etc/dehydrated/config
declare -- CA="https://acme-v01.api.letsencrypt.org/directory"
declare -- LICENSE=""
declare -- CERTDIR="/usr/local/etc/dehydrated/certs"
declare -- CHALLENGETYPE="http-01"
declare -- DOMAINS_D=""
declare -- DOMAINS_TXT="/usr/local/etc/dehydrated/domains.txt"
declare -- HOOK="/usr/local/etc/dehydrated/hook.sh"
declare -- HOOK_CHAIN="no"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/usr/local/etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem"
declare -- ACCOUNT_KEY_JSON="/usr/local/etc/dehydrated/accounts/aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/registration_info.json"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/usr/local/www/dehydrated"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/usr/local/etc/ssl/openssl.cnf"
declare -- CONTACT_EMAIL="hostmaster@[XXX].comcom"
declare -- LOCKFILE="/usr/local/etc/dehydrated/lock"
```

This is my `domains.txt`:

```
www.[XXX].com [XXX].com www.[XXX].de [XXX].de
www.[XXX].com [XXX].com www.[XXX].de [XXX].de > www.[XXX].com.ecdsa
cloud.[XXX].com
cloud.[XXX].com > cloud.[XXX].com.ecdsa
tools.[XXX].com push.[XXX].com adminer.[XXX].com webmail.[XXX].com rspamd.[XXX].com
tools.[XXX].com push.[XXX].com adminer.[XXX].com webmail.[XXX].com rspamd.[XXX].com > tools.[XXX].com.ecdsa
mail.[XXX].com
mail.[XXX].com > mail.[XXX].com.ecdsa
```

and this is my `www.[XXX].com.ecdsa/config`:

```
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
KEY_ALGO="secp384r1"
```

@lukas2511 commented on GitHub (Feb 6, 2018):

Mh, can you check if it works when disabling `OCSP_FETCH`?


@lukas2511 commented on GitHub (Feb 6, 2018):

And please run `bash -x dehydrated -c -g` and paste the last few dozen lines, that would show where it stops.


@basbebe commented on GitHub (Feb 6, 2018):

Yes, it works when disabling `OCSP_FETCH`.

Any information on why I don't have the file `registration_info.json`?
And: Is `IP_VERSION` on a per-certificate basis planned for future releases?

Thanks!

These are the last few dozen lines:

```
++ echo cert.csr
++ cut -d. -f1
+ filebase=cert
++ echo cert.csr
++ cut -d. -f2
+ fileext=csr
+ for file in "${certdir}/${filebase}-"*".${fileext}" "${certdir}/${filebase}-"*".${fileext}-revoked"
++ basename /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/cert-1517926233.csr
+ filename=cert-1517926233.csr
+ [[ ! cert-1517926233.csr = \c\e\r\t\-\1\5\1\7\9\2\6\2\3\3\.\c\s\r ]]
+ for filetype in cert.csr cert.pem chain.pem fullchain.pem privkey.pem ocsp.der
+ [[ -r /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/cert.pem ]]
+++ readlink /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/cert.pem
++ basename cert-1517926233.pem
+ current=cert-1517926233.pem
++ echo cert.pem
++ cut -d. -f1
+ filebase=cert
++ echo cert.pem
++ cut -d. -f2
+ fileext=pem
+ for file in "${certdir}/${filebase}-"*".${fileext}" "${certdir}/${filebase}-"*".${fileext}-revoked"
++ basename /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/cert-1517926233.pem
+ filename=cert-1517926233.pem
+ [[ ! cert-1517926233.pem = \c\e\r\t\-\1\5\1\7\9\2\6\2\3\3\.\p\e\m ]]
+ for filetype in cert.csr cert.pem chain.pem fullchain.pem privkey.pem ocsp.der
+ [[ -r /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/chain.pem ]]
+++ readlink /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/chain.pem
++ basename chain-1517926233.pem
+ current=chain-1517926233.pem
++ echo chain.pem
++ cut -d. -f1
+ filebase=chain
++ echo chain.pem
++ cut -d. -f2
+ fileext=pem
+ for file in "${certdir}/${filebase}-"*".${fileext}" "${certdir}/${filebase}-"*".${fileext}-revoked"
++ basename /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/chain-1517926233.pem
+ filename=chain-1517926233.pem
+ [[ ! chain-1517926233.pem = \c\h\a\i\n\-\1\5\1\7\9\2\6\2\3\3\.\p\e\m ]]
+ for filetype in cert.csr cert.pem chain.pem fullchain.pem privkey.pem ocsp.der
+ [[ -r /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/fullchain.pem ]]
+++ readlink /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/fullchain.pem
++ basename fullchain-1517926233.pem
+ current=fullchain-1517926233.pem
++ echo fullchain.pem
++ cut -d. -f1
+ filebase=fullchain
++ echo fullchain.pem
++ cut -d. -f2
+ fileext=pem
+ for file in "${certdir}/${filebase}-"*".${fileext}" "${certdir}/${filebase}-"*".${fileext}-revoked"
++ basename /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/fullchain-1517926233.pem
+ filename=fullchain-1517926233.pem
+ [[ ! fullchain-1517926233.pem = \f\u\l\l\c\h\a\i\n\-\1\5\1\7\9\2\6\2\3\3\.\p\e\m ]]
+ for filetype in cert.csr cert.pem chain.pem fullchain.pem privkey.pem ocsp.der
+ [[ -r /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/privkey.pem ]]
+++ readlink /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/privkey.pem
++ basename privkey-1517926233.pem
+ current=privkey-1517926233.pem
++ echo privkey.pem
++ cut -d. -f1
+ filebase=privkey
++ echo privkey.pem
++ cut -d. -f2
+ fileext=pem
+ for file in "${certdir}/${filebase}-"*".${fileext}" "${certdir}/${filebase}-"*".${fileext}-revoked"
++ basename /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/privkey-1517926233.pem
+ filename=privkey-1517926233.pem
+ [[ ! privkey-1517926233.pem = \p\r\i\v\k\e\y\-\1\5\1\7\9\2\6\2\3\3\.\p\e\m ]]
+ for filetype in cert.csr cert.pem chain.pem fullchain.pem privkey.pem ocsp.der
+ [[ -r /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/ocsp.der ]]
+++ readlink /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/ocsp.der
++ basename ocsp-1517938814.der
+ current=ocsp-1517938814.der
++ echo ocsp.der
++ cut -d. -f1
+ filebase=ocsp
++ echo ocsp.der
++ cut -d. -f2
+ fileext=der
+ for file in "${certdir}/${filebase}-"*".${fileext}" "${certdir}/${filebase}-"*".${fileext}-revoked"
++ basename /usr/local/etc/dehydrated/certs/www.[XXX].com.ecdsa/ocsp-1517938814.der
+ filename=ocsp-1517938814.der
+ [[ ! ocsp-1517938814.der = \o\c\s\p\-\1\5\1\7\9\3\8\8\1\4\.\d\e\r ]]
+ exit 0
+ remove_lock
+ rm -f /usr/local/etc/dehydrated/lock
```

@lukas2511 commented on GitHub (Feb 6, 2018):

`IP_VERSION` is only for communication with the CA not the other way around, so it doesn't make sense on a per-certificate basis.

`registration_info.json` is only created in more recent versions of dehydrated, if you have a very old account key that file just was never generated.

Unfortunately I kinda posted you the directions in the wrong order so now I see only the trace of a fully working run. Could you try removing `ocsp.der` for one of your certificates and run the debug command again? I'm guessing it fails on the openssl command... which openssl version are you using?


@basbebe commented on GitHub (Feb 6, 2018):

```
+ [[ -e /usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem ]]
+ echo ' + Checking expire date of existing cert...'
 + Checking expire date of existing cert...
++ openssl x509 -enddate -noout -in /usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem
++ cut -d= -f2-
+ valid='Apr  6 02:48:42 2018 GMT'
+ printf ' + Valid till %s ' 'Apr  6 02:48:42 2018 GMT'
 + Valid till Apr  6 02:48:42 2018 GMT + openssl x509 -checkend 2592000 -noout -in /usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem
+ printf '(Longer than %d days). ' 30
(Longer than 30 days). + [[ no = \y\e\s ]]
+ echo 'Skipping renew!'
Skipping renew!
+ [[ -n /usr/local/etc/dehydrated/hook.sh ]]
+ /usr/local/etc/dehydrated/hook.sh unchanged_cert cloud.[XXX].com /usr/local/etc/dehydrated/certs/cloud.[XXX].com/privkey.pem /usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem /usr/local/etc/dehydrated/certs/cloud.[XXX].com/fullchain.pem /usr/local/etc/dehydrated/certs/cloud.[XXX].com/chain.pem
+ skip=yes
+ local update_ocsp
+ update_ocsp=no
+ [[ ! yes = \y\e\s ]]
+ [[ yes = \y\e\s ]]
+ local ocsp_url
++ get_ocsp_url /usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem
++ certificate=/usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem
++ openssl x509 -in /usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem -noout -ocsp_uri
+ ocsp_url=http://ocsp.int-x3.letsencrypt.org
+ [[ ! -e /usr/local/etc/dehydrated/certs/cloud.[XXX].com/ocsp.der ]]
+ update_ocsp=yes
+ [[ yes = \y\e\s ]]
+ echo ' + Updating OCSP stapling file'
 + Updating OCSP stapling file
++ date +%s
+ ocsp_timestamp=1517940370
+ grep -qE '^(0|(1\.0))\.'
++ openssl version
++ awk '{print $2}'
+ openssl ocsp -no_nonce -issuer /usr/local/etc/dehydrated/certs/cloud.[XXX].com/chain.pem -verify_other /usr/local/etc/dehydrated/certs/cloud.[XXX].com/chain.pem -cert /usr/local/etc/dehydrated/certs/cloud.[XXX].com/cert.pem -respout /usr/local/etc/dehydrated/certs/cloud.[XXX].com/ocsp-1517940370.der -url http://ocsp.int-x3.letsencrypt.org
+ remove_lock
+ rm -f /usr/local/etc/dehydrated/lock
```

```
~ # ❯❯❯ openssl version
LibreSSL 2.6.4
```

It does work in any case with OpenSSL (just checked)


@lukas2511 commented on GitHub (Feb 6, 2018):

Meh... I kinda guessed that would be the problem, the syntax probably is a bit different...

Would you mind going into the script, look for the line containing `if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then` and replace the whole line with a `if true; then`. It should then use the syntax for the old OpenSSL version, I'm wondering if that might actually do the trick...

@lukas2511 commented on GitHub (Feb 6, 2018): Meh... I kinda guessed that would be the problem, the syntax probably is a bit different... Would you mind going into the script, look for the line containing `if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then` and replace the whole line with a `if true; then`. It should then use the syntax for the old OpenSSL version, I'm wondering if that might actually do the trick...
Author
Owner

@lukas2511 commented on GitHub (Mar 11, 2018):

Since c0bcf91410 dehydrated will show an error message if fetching of the ocsp stapling file fails. Since enabling this kinda shows that the user needs and may rely on it I'll keep this as a hard failure.
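
Added illustration, not part of the original thread and not dehydrated's own code: the version test quoted above applied to constructed `openssl version` strings, followed by a simulation of why one failing fetch ends the run after the first certificate with or without an error message. It assumes the script aborts on the first failing command (`set -e`); `ocsp_syntax_branch`, `simulate_run`, `fetch_ocsp` and the `*.example` names are hypothetical.

```shell
#!/bin/sh
# Added example; the version strings and domain names are constructed samples.

# Same test as the line quoted in the thread: take the second word of
# `openssl version` and match it against ^(0|(1\.0))\.
ocsp_syntax_branch() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  if printf '%s\n' "$ver" | grep -qE '^(0|(1\.0))\.'; then
    echo old      # the "syntax for the old OpenSSL version"
  else
    echo other    # everything else, which includes "LibreSSL 2.6.4"
  fi
}

# Simulate a run over several certificates in a child shell under `set -e`
# (assumption: the real script stops at the first failing command).
# fetch_ocsp is a hypothetical stand-in that always fails.
#   $1 = silent   -> failure output discarded, nothing reported
#   $1 = reported -> same hard failure, preceded by an error message
simulate_run() {
  mode=$1; shift
  rc=0
  sh -c '
    set -e
    mode=$1; shift
    fetch_ocsp() { return 1; }
    for name in "$@"; do
      echo "Processing $name"
      if [ "$mode" = reported ]; then
        fetch_ocsp "$name" >/dev/null 2>&1 ||
          { echo "ERROR: OCSP fetch failed for $name"; exit 1; }
      else
        fetch_ocsp "$name" >/dev/null 2>&1
      fi
      echo " + done"
    done
  ' sh "$mode" "$@" || rc=$?
  echo "exit=$rc"
}

for v in "OpenSSL 1.0.2k-freebsd  26 Jan 2017" \
         "OpenSSL 1.1.0g  2 Nov 2017" \
         "LibreSSL 2.6.4"; do
  printf '%-38s -> %s\n' "$v" "$(ocsp_syntax_branch "$v")"
done
simulate_run silent   a.example b.example
simulate_run reported a.example b.example
```

In both modes the second name is never processed; a wrapper that ignores the exit status of a manual run sees only truncated output, so monitoring the exit code of the renewal job catches this before the remaining certificates expire.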

Reference: starred/dehydrated#276