allow ocsp fetching via proxy #548

Open
opened 2025-12-29 01:27:06 +01:00 by adam · 1 comment
Owner

Originally created by @bjacke on GitHub (Sep 16, 2021).

openssl ocsp does not honor the http_proxy environment variable, and there is no option to specify a proxy.

There is an easy way to use an HTTP proxy though. A typical ocsp fetch command issued by dehydrated is this:

openssl ocsp -no_nonce -issuer /root/letsencrypt.sh/certs/www.example.com/chain.pem -verify_other /root/letsencrypt.sh/certs/www.example.com/chain.pem -cert /root/letsencrypt.sh/certs/www.example.com/cert.pem -respout /root/letsencrypt.sh/certs/www.example.com/ocsp-1631813042.der -url http://r3.o.lencr.org

You need to replace "-url http://r3.o.lencr.org" with "-host proxy.example.com:3128 -path http://r3.o.lencr.org".

As all the other programs used by dehydrated work fine with the http_proxy environment variable set correctly, it would be good if dehydrated could modify the "openssl ocsp" call accordingly when the http_proxy variable is set.
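The rewrite described above, as an added shell example that is not dehydrated's own code: it reads http_proxy (falling back to HTTP_PROXY), reduces the proxy spec to host:port, and emits `-host ... -path ...` instead of `-url ...`. It assumes a proxy given without a port means port 80 and that a responder matched by no_proxy / NO_PROXY is contacted directly.

```shell
#!/usr/bin/env bash
# Added example, not dehydrated's own code: derive the target arguments for
# "openssl ocsp" from the responder URL, honouring http_proxy / HTTP_PROXY as
# the issue describes ("-url URL" becomes "-host PROXY:PORT -path URL").
# Assumptions: a proxy spec without a port means port 80, and a responder whose
# host matches an entry in no_proxy / NO_PROXY is contacted directly.

# Usage: ocsp_target_args RESPONDER_URL  -> prints one argument per line
ocsp_target_args() {
  local url="$1"
  local proxy="${http_proxy:-${HTTP_PROXY:-}}"
  local host entry saved_ifs

  # Responder hostname: strip scheme, then path, then any :port.
  host="${url#*://}"; host="${host%%/*}"; host="${host%%:*}"

  # no_proxy is a comma-separated list of hosts or domain suffixes.
  saved_ifs="$IFS"; IFS=','
  for entry in ${no_proxy:-${NO_PROXY:-}}; do
    entry="${entry# }"; entry="${entry#.}"
    [ -z "$entry" ] && continue
    case "$host" in "$entry"|*."$entry") proxy="" ;; esac
  done
  IFS="$saved_ifs"

  if [ -z "$proxy" ]; then
    printf '%s\n' -url "$url"
    return 0
  fi

  # Reduce the proxy spec to host[:port]: drop scheme, userinfo and path,
  # the same components the manpage says -proxy ignores.
  proxy="${proxy#*://}"; proxy="${proxy##*@}"; proxy="${proxy%%/*}"
  case "$proxy" in
    *:*) ;;                     # port present
    *)   proxy="$proxy:80" ;;   # assumption: default proxy port 80
  esac
  printf '%s\n' -host "$proxy" -path "$url"
}

# Example: http_proxy=proxy.example.com:3128 ocsp_target_args http://r3.o.lencr.org
```

A caller splices the printed arguments into the openssl ocsp invocation in place of `-url`; the rest of the command (issuer, cert, respout) is unchanged.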

Author
Owner

@NiceRath commented on GitHub (Jun 14, 2023):

Greetings.

We too are having this issue.

In the [openssl-ocsp manpage](https://www.openssl.org/docs/manmaster/man1/openssl-ocsp.html) it says:

   -host hostname:port, -path pathname
      If the -host option is present then the OCSP request is sent to the host hostname on port port. The -path option specifies the HTTP pathname to use or "/" by default.  This is equivalent to specifying -url with scheme http:// and the given hostname, port, and pathname.
   -proxy [http[s]://][userinfo@]host[:port][/path]
      The HTTP(S) proxy server to use for reaching the OCSP server unless -no_proxy applies, see below.  The proxy port defaults to 80 or 443 if the scheme is "https"; apart from that the optional "http://" or "https://" prefix is ignored, as well as any userinfo and path components.  Defaults to the environment variable "http_proxy" if set, else "HTTP_PROXY" in case no TLS is used, otherwise "https_proxy" if set, else "HTTPS_PROXY"

But neither 'HTTP_PROXY' nor 'http_proxy' is respected.

It would be great if the script would check for those environment variables and update the 'ocsp_log' call if they are set.

- Rath

Reference: starred/dehydrated#548