• Bug#1107165: marked as done (unblock: dehydrated/0.7.2-1) (2/4)

    From Debian Bug Tracking System@21:1/5 to All on Tue Jun 3 10:00:01 2025

    + fi
    + order_payload="${order_payload}"'}'
    + order_location="$(signed_request "${CA_NEW_ORDER}" "${order_payload}" 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')"
    result="$(signed_request "${order_location}" "" | jsonsh)"

    order_authorizations="$(echo "${result}" | get_json_array_values authorizations)"
    @@ -1268,25 +1330,30 @@

    # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
    echo " + Requesting certificate..."
    - csr64="$( <<<"${csr}" "${OPENSSL}" req -config "${OPENSSL_CNF}" -outform DER | urlbase64)"
    + csr64="$("${OPENSSL}" req -in "${csrfile}" -config "${OPENSSL_CNF}" -outform DER | urlbase64)"
    if [[ ${API} -eq 1 ]]; then
    crt64="$(signed_request "${CA_NEW_CERT}" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | "${OPENSSL}" base64 -e)"
    crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )"
    else
    result="$(signed_request "${finalize}" '{"csr": "'"${csr64}"'"}' | jsonsh)"
    + waited=0
    while :; do
    orderstatus="$(echo "${result}" | get_json_string_value status)"
    case "${orderstatus}"
    in
    "processing" | "pending")
    + if [ ${ORDER_TIMEOUT} -gt 0 ] && [ ${waited} -gt ${ORDER_TIMEOUT} ]; then
    + _exiterr "Timed out waiting for processing of order (still ${orderstatus})"
    + fi
    echo " + Order is ${orderstatus}..."
    sleep 2;
    + waited=$((waited+2))
    ;;
    "valid")
    break;
    ;;
    *)
    - _exiterr "Order in status ${orderstatus}"
    + _exiterr "Order has invalid/unknown status: ${orderstatus}"
    ;;
    esac
    result="$(signed_request "${order_location}" "" | jsonsh)"
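Review bot: The new timeout test `[ ${ORDER_TIMEOUT} -gt 0 ] && [ ${waited} -gt ${ORDER_TIMEOUT} ]` leaves both operands unquoted and unvalidated, so an empty or non-integer ORDER_TIMEOUT makes `[` print "integer expression expected" and the `if` quietly evaluates false — the timeout is disabled rather than the run failing. The `-gt` also fires only after `waited` exceeds the limit, and `waited` counts sleeps but not the time spent in each `signed_request`, so the real wall-clock wait is at least one poll longer than configured. I would write `if [ "${ORDER_TIMEOUT:-0}" -gt 0 ] && [ "${waited}" -ge "${ORDER_TIMEOUT}" ]; then`, which tolerates an unset value and bounds the loop at the configured number of seconds of sleeping. The enclosing function (it appears to be sign_csr) starts and ends outside this hunk.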
    @@ -1510,7 +1577,7 @@

    crt_path="${certdir}/cert-${timestamp}.pem"
    # shellcheck disable=SC2086
    - sign_csr "$(< "${certdir}/cert-${timestamp}.csr")" ${altnames} 3>"${crt_path}"
    + sign_csr "${certdir}/cert-${timestamp}.csr" ${altnames} 3>"${crt_path}"

    # Create fullchain.pem
    echo " + Creating fullchain.pem..."
    @@ -1775,7 +1842,7 @@
    # All settings that are allowed here should also be stored and
    # restored in store_configvars() and reset_configvars()
    case "${config_var}" in
    - KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
    + KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS|ACME_PROFILE|ORDER_TIMEOUT)
    echo " + ${config_var} = ${config_value}"
    declare -- "${config_var}=${config_value}"
    ;;
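Review bot: The comment directly above this `case` says every variable accepted here must also be handled in store_configvars() and reset_configvars(), and the hunk adds ACME_PROFILE and ORDER_TIMEOUT to the allowlist without showing that counterpart; if it was not done elsewhere in the patch, a per-certificate ORDER_TIMEOUT or ACME_PROFILE set in domains.txt would carry over into the certificates processed after it. Worth confirming against the full diff. The value is also stored with `declare --` without any shape check, so a non-numeric ORDER_TIMEOUT is only noticed much later, when the `[ ... -gt ]` test in the order loop silently fails; a guard before the `declare`, such as `[[ "${config_var}" != ORDER_TIMEOUT || "${config_value}" =~ ^[0-9]+$ ]] || _exiterr "ORDER_TIMEOUT must be a non-negative integer"`, would fail fast with a useful message. The enclosing loop continues outside this hunk.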
    @@ -1792,16 +1859,18 @@
    skip="no"

    # Allow for external CSR generation
    - local csr=""
    + local csrfile=""
    if [[ -n "${HOOK}" ]]; then
    csr="$("${HOOK}" "generate_csr" "${domain}" "${certdir}" "${domain} ${morenames}")" || _exiterr 'generate_csr hook returned with non-zero exit code'
    if grep -qE "\-----BEGIN (NEW )?CERTIFICATE REQUEST-----" <<< "${csr}"; then
    - altnames="$(extract_altnames "${csr}")"
    + csrfile="$(_mktemp)"
    + cat > "${csrfile}" <<< "${csr}"
    + altnames="$(extract_altnames "${csrfile}")"
    domain="$(cut -d' ' -f1 <<< "${altnames}")"
    morenames="$(cut -s -d' ' -f2- <<< "${altnames}")"
    echo " + Using CSR from hook script (real names: ${altnames})"
    else
    - csr=""
    + csrfile=""
    fi
    fi

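Review bot: `local csr=""` was replaced by `local csrfile=""`, but the `csr="$("${HOOK}" "generate_csr" ...)"` assignment on the next line still writes `csr`, which is now an undeclared variable that escapes the function and keeps the hook's full output for the rest of the run; `local csr="" csrfile=""` keeps the previous scoping. Also, `cat > "${csrfile}" <<< "${csr}"` appends a trailing newline to whatever the hook emitted, whereas the removed `printf "%s" "${csr}"` write stored it byte-for-byte; `printf '%s' "${csr}" > "${csrfile}"` preserves that and avoids the extra `cat` process. This is harmless for PEM input, so it is a consistency point rather than a defect. The enclosing function starts and ends outside this hunk.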
    @@ -1851,7 +1920,10 @@
    # Sign certificate for this domain
    if [[ ! "${skip}" = "yes" ]]; then
    update_ocsp="yes"
    - [[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr"
    + if [[ -n "${csrfile}" ]]; then
    + cat "${csrfile}" > "${certdir}/cert-${timestamp}.csr"
    + rm "${csrfile}"
    + fi
    # shellcheck disable=SC2086
    if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then
    skip_exit_hook=yes
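Review bot: The `rm "${csrfile}"` that deletes the `_mktemp` file is inside `if [[ ! "${skip}" = "yes" ]]`, so when a hook supplied a CSR but the certificate is skipped (e.g. not yet due for renewal), the temporary copy of the CSR is left behind — unless `_mktemp` registers its files for removal at exit, which is not visible in this hunk. Moving the removal out of the condition, e.g. `[[ -n "${csrfile}" ]] && rm -f -- "${csrfile}"` right after the `if`, covers the skip path; only a trap-based cleanup would also cover the `_exiterr` paths between creation and here. `rm` without `-f` will additionally abort the whole run under `set -e` if the file is already gone, which is not a reason to fail a signing. The enclosing function continues outside this hunk.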
    @@ -1895,8 +1967,8 @@

    [[ -n "${HOOK}" ]] && ("${HOOK}" "exit_hook" || echo 'exit_hook returned with non-zero exit code!' >&2)
    if [[ "${AUTO_CLEANUP}" == "yes" ]]; then
    - echo "+ Running automatic cleanup"
    - command_cleanup noinit
    + echo " + Running automatic cleanup"
    + PARAM_CLEANUPDELETE="${AUTO_CLEANUP_DELETE:-no}" command_cleanup noinit | _sed 's/^/ + /g'
    fi

    exit "${exit_with_errorcode}"
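Review bot: Piping `command_cleanup noinit` through `_sed` makes the line's exit status that of `_sed` (unless pipefail is enabled, which this hunk does not show), so a failing cleanup — including a failed deletion when AUTO_CLEANUP_DELETE=yes, the mode that removes old key material — now passes silently, while the `exit_hook` line just above at least reports its failure. Checking `"${PIPESTATUS[0]}"` after the pipeline, e.g. `[[ "${PIPESTATUS[0]}" -eq 0 ]] || echo 'automatic cleanup returned with non-zero exit code!' >&2`, keeps the indented output and surfaces the error. Note also that a shell function in a pipeline runs in a subshell, so any variables `command_cleanup` sets are lost; fine if it is purely side-effecting, but worth a one-line comment so nobody later relies on its state.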
    @@ -1912,19 +1984,18 @@
    exec 3>&1 1>&2

    # load csr
    - csrfile="${1}"
    + local csrfile="${1}"
    if [ ! -r "${csrfile}" ]; then
    _exiterr "Could not read certificate signing request ${csrfile}"
    fi
    - csr="$(cat "${csrfile}")"

    # extract names
    - altnames="$(extract_altnames "${csr}")"
    + altnames="$(extract_altnames "${csrfile}")"

    # gen cert
    certfile="$(_mktemp)"
    # shellcheck disable=SC2086
    - sign_csr "${csr}" ${altnames} 3> "${certfile}"
    + sign_csr "${csrfile}" ${altnames} 3> "${certfile}"

    # print cert
    echo "# CERT #" >&3
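Review bot: `csrfile` is now declared `local`, but the neighbouring `altnames` and `certfile` assignments in the same function stay undeclared globals, so the scoping within this one block is now inconsistent; `local altnames certfile` next to the new declaration would finish the job. The `-r` check guards readability only, so a readable file that is not a parseable CSR fails somewhere inside extract_altnames or sign_csr with whatever openssl prints; a preceding `"${OPENSSL}" req -in "${csrfile}" -noout >/dev/null 2>&1 || _exiterr "Not a valid certificate signing request: ${csrfile}"` would give the caller a clearer message. That second point is a suggestion, not a defect. The enclosing function starts and ends outside this hunk.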
    @@ -2262,7 +2333,7 @@
    ;;

    # PARAM_Usage: --force (-x)
    - # PARAM_Description: Force renew of certificate even if it is longer valid than value in RENEW_DAYS
    + # PARAM_Description: Force certificate renewal even if it is not due to expire within RENEW_DAYS
    --force|-x)
    PARAM_FORCE="yes"
    ;;
    @@ -2364,6 +2435,23 @@
    check_parameters "${1:-}"
    PARAM_KEY_ALGO="${1}"
    ;;
    +
    + # PARAM_Usage: --acme-profile profile_name
    + # PARAM_Description: Use specified ACME profile
    + --acme-profile)
    + shift 1
    + check_parameters "${1:-}"
    + PARAM_ACME_PROFILE="${1}"
    + ;;
    +
    + # PARAM_Usage: --order-timeout seconds
    + # PARAM_Description: Amount of seconds to wait for processing of order until erroring out
    + --order-timeout)
    + shift 1
    + check_parameters "${1:-}"
    + PARAM_ORDER_TIMEOUT=${1}
    + ;;
    +
    *)
    echo "Unknown parameter detected: ${1}" >&2
    echo >&2
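Review bot: `PARAM_ORDER_TIMEOUT=${1}` accepts the value without validating it, and the only consumer visible in this patch is the `[ ${ORDER_TIMEOUT} -gt 0 ]` test in the ordering loop, which evaluates false on a non-integer, so `--order-timeout 30s` or `--order-timeout ""` disables the timeout instead of being rejected. Add a check in this arm, e.g. `[[ "${1}" =~ ^[0-9]+$ ]] || _exiterr "--order-timeout expects a non-negative integer number of seconds"` (assuming `_exiterr` is usable from the argument parser as it is elsewhere), and quote the assignment as `PARAM_ORDER_TIMEOUT="${1}"` to match the `--acme-profile` arm directly above. The `case` statement continues outside this hunk.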
    diff -Nru dehydrated-0.7.1/docs/examples/config dehydrated-0.7.2/docs/examples/config
    --- dehydrated-0.7.1/docs/examples/config 2022-10-31 15:12:38.000000000 +0100
    +++ dehydrated-0.7.2/docs/examples/config 2025-05-18 01:34:32.000000000 +0200
    @@ -22,7 +22,7 @@
    #IP_VERSION=

    # URL to certificate authority or internal preset
    -# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test
    +# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
    # default: letsencrypt
    #CA="letsencrypt"

    @@ -92,8 +92,8 @@
    # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
    #HOOK_CHAIN="no"

    -# Minimum days before expiration to automatically renew certificate (default: 30)
    -#RENEW_DAYS="30"
    +# Minimum days before expiration to automatically renew certificate (default: 32)
    +#RENEW_DAYS="32"

    # Regenerate private keys instead of just signing new certificates on renewal (default: yes)
    #PRIVATE_KEY_RENEW="yes"
    @@ -125,8 +125,17 @@
    # Automatic cleanup (default: no)
    #AUTO_CLEANUP="n