OCSP stapling file is updated after hooks are called #312

Closed
opened 2025-12-29 01:22:18 +01:00 by adam · 2 comments

Originally created by @NotActuallyTerry on GitHub (Mar 17, 2018).

With OCSP_FETCH="yes", the code responsible for fetching the OCSP response is run after the deploy_cert & unchanged_cert hooks are called. This makes it impossible to update the stapling files for haproxy & other webservers that require the file to be named in a specific way.

Perhaps one way of solving it could be calling a new hook ocsp_update whenever the response is updated:
[[ -n "${HOOK}" ]] && "${HOOK}" "ocsp_update" "${domain}" "${certdir}/ocsp.der"

adam closed this issue 2025-12-29 01:22:18 +01:00

@lukas2511 commented on GitHub (Apr 8, 2018):

I merged your pull-request but extended it in 8ba56a8048. Basically renamed the hook to deploy_ocsp (to be similar to deploy_cert) and exported altnames for use inside the hook. Thanks for the suggestion and the initial pull-request!


@zhangyoufu commented on GitHub (May 15, 2020):

If I understand correctly, deploy_ocsp hook should be responsible for triggering cert/key/ocsp reload, and deploy_cert hook should not be used. Just in case a certificate was issued successfully, while fetching ocsp failed. A new cert should not be used in conjunction with old ocsp.der.

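A hook script in the spirit of the two comments above, added here as an example (it is not dehydrated's own hook.sh): `deploy_cert` only stages the combined PEM that HAProxy reads, while `deploy_ocsp` writes the `.ocsp` file beside it and is the only step that reloads, so a fresh certificate is never served with a missing or stale `ocsp.der`. `HAPROXY_CERT_DIR` and `HAPROXY_RELOAD` are variables assumed for this example; the argument order follows dehydrated's hook signatures.

```bash
#!/usr/bin/env bash
# Example dehydrated hook (not the project's own hook.sh).
# HAPROXY_CERT_DIR / HAPROXY_RELOAD are assumptions of this example.
set -e

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_RELOAD="${HAPROXY_RELOAD:-systemctl reload haproxy}"

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
  local domain="$1" keyfile="$2" fullchain="$4"
  local target="${HAPROXY_CERT_DIR}/${domain}.pem"
  # HAProxy reads chain and key from one file; write it atomically with
  # the key's 0600 permissions (umask applied in a subshell only).
  ( umask 077; cat "$fullchain" "$keyfile" > "${target}.tmp" )
  mv -f "${target}.tmp" "$target"
  # Deliberately no reload here: the OCSP response for this certificate
  # has not been fetched yet, so reloading now would staple the old one.
}

# deploy_ocsp DOMAIN OCSPFILE TIMESTAMP
deploy_ocsp() {
  local domain="$1" ocspfile="$2"
  local target="${HAPROXY_CERT_DIR}/${domain}.pem"
  # Refuse to reload on an empty response or without a staged certificate.
  [ -s "$ocspfile" ] || { echo "deploy_ocsp: empty OCSP response for ${domain}" >&2; return 1; }
  [ -s "$target" ]   || { echo "deploy_ocsp: no staged certificate at ${target}" >&2; return 1; }
  # HAProxy looks for <cert>.ocsp next to <cert>.
  cp -f "$ocspfile" "${target}.ocsp.tmp"
  mv -f "${target}.ocsp.tmp" "${target}.ocsp"
  # The only reload in this hook: cert, key and fresh OCSP response go live together.
  $HAPROXY_RELOAD
}

# Dispatch: dehydrated passes the hook name as $1 and the hook's arguments after it.
# Hooks not handled here (deploy_challenge, unchanged_cert, ...) are ignored.
hook_dispatch() {
  local hook="$1"; shift
  case "$hook" in
    deploy_cert|deploy_ocsp) "$hook" "$@" ;;
    *) : ;;
  esac
}

# Only dispatch when arguments were given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then hook_dispatch "$@"; fi
```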
Reference: starred/dehydrated#312