[continued from previous message]

│ │ │ elif [[ -f "${CONFIG}" ]]; then
│ │ │ echo "# INFO: Using main config file ${CONFIG}"
│ │ │ @@ -477,14 +489,18 @@
│ │ │ CA="${CA_LETSENCRYPT_TEST}"
│ │ │ elif [ "${CA}" = "zerossl" ]; then
│ │ │ CA="${CA_ZEROSSL}"
│ │ │ elif [ "${CA}" = "buypass" ]; then
│ │ │ CA="${CA_BUYPASS}"
│ │ │ elif [ "${CA}" = "buypass-test" ]; then
│ │ │ CA="${CA_BUYPASS_TEST}"
│ │ │ + elif [ "${CA}" = "google" ]; then
│ │ │ + CA="${CA_GOOGLE}"
│ │ │ + elif [ "${CA}" = "google-test" ]; then
│ │ │ + CA="${CA_GOOGLE_TEST}"
│ │ │ fi
│ │ │
│ │ │ if [[ -z "${OLDCA}" ]] && [[ "${CA}" = "https://acme-v02.api.letsencrypt.org/directory" ]]; then
│ │ │ OLDCA="https://acme-v01.api.letsencrypt.org/directory"
│ │ │ fi
│ │ │
│ │ │ # Create new account directory or symlink to account directory from old CA
│ │ │ @@ -540,14 +556,16 @@
│ │ │ [[ -n "${PARAM_PREFERRED_CHAIN:-}" ]] && PREFERRED_CHAIN="${PARAM_PREFERRED_CHAIN}"
│ │ │ [[ -n "${PARAM_CERTDIR:-}" ]] && CERTDIR="${PARAM_CERTDIR}"
│ │ │ [[ -n "${PARAM_ALPNCERTDIR:-}" ]] && ALPNCERTDIR="${PARAM_ALPNCERTDIR}"
│ │ │ [[ -n "${PARAM_CHALLENGETYPE:-}" ]] && CHALLENGETYPE="${PARAM_CHALLENGETYPE}"
│ │ │ [[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}" │ │ │ [[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
│ │ │ [[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
│ │ │ + [[ -n "${PARAM_ACME_PROFILE:-}" ]] && ACME_PROFILE="${PARAM_ACME_PROFILE}"
│ │ │ + [[ -n "${PARAM_ORDER_TIMEOUT:-}" ]] && ORDER_TIMEOUT="${PARAM_ORDER_TIMEOUT}"
│ │ │
│ │ │ if [ "${PARAM_FORCE_VALIDATION:-no}" = "yes" ] && [ "${PARAM_FORCE:-no}" = "no" ]; then
│ │ │ _exiterr "Argument --force-validation can only be used in combination with --force (-x)"
│ │ │ fi
│ │ │
│ │ │ if [ ! "${1:-}" = "noverify" ]; then
│ │ │ verify_config
│ │ │ @@ -583,22 +601,55 @@
│ │ │ CA_NEW_REG="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value new-reg)" &&
│ │ │ CA_TERMS="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value terms-of-service)" &&
│ │ │ CA_REQUIRES_EAB="false" &&
│ │ │ CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revoke-cert)" ||
│ │ │ _exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."
│ │ │ # Since reg URI is missing from directory we will assume it is the same as CA_NEW_REG without the new part
│ │ │ CA_REG=${CA_NEW_REG/new-reg/reg}
│ │ │ +
│ │ │ + if [[ -n "${ACME_PROFILE}" ]]; then
│ │ │ + _exiterr "ACME profiles are not supported in ACME v1."
│ │ │ + fi
│ │ │ else
│ │ │ CA_NEW_ORDER="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newOrder)" &&
│ │ │ CA_NEW_NONCE="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newNonce)" &&
│ │ │ CA_NEW_ACCOUNT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value newAccount)" &&
│ │ │ CA_TERMS="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value -p '"meta","termsOfService"')" &&
│ │ │ CA_REQUIRES_EAB="$(printf "%s" "${CA_DIRECTORY}" | get_json_bool_value -p '"meta","externalAccountRequired"' || echo false)" &&
│ │ │ CA_REVOKE_CERT="$(printf "%s" "${CA_DIRECTORY}" | get_json_string_value revokeCert)" ||
│ │ │ _exiterr "Problem retrieving ACME/CA-URLs, check if your configured CA points to the directory entrypoint."
│ │ │ +
│ │ │ + # Checking ACME profile
│ │ │ + if [[ -n "${ACME_PROFILE}" ]]; then
│ │ │ + # Extract available profiles from CA directory
│ │ │ + declare -A available_profiles=()
│ │ │ + while IFS=$'\t' read -r path value; do
│ │ │ + if [[ "${value}" =~ ^\"([^\"]+)\"$ ]]; then
│ │ │ + value=${BASH_REMATCH[1]}
│ │ │ + fi
│ │ │ + if [[ "${path}" =~ ^\[\"([^\"]+)\"\]$ ]]; then
│ │ │ + available_profiles[${BASH_REMATCH[1]}]=$value
│ │ │ + fi
│ │ │ + done <<< "$(printf "%s" "${CA_DIRECTORY}" | get_json_dict_value -p '"meta","profiles"' 2>/dev/null)"
│ │ │ + if [[ ${#available_profiles[@]} -eq 0 ]]; then
│ │ │ + _exiterr "ACME profile not supported by this CA"
│ │ │ + fi
│ │ │ +
│ │ │ + # Check if the requested profile is available
│ │ │ + found_profile="no"
│ │ │ + for profile in "${!available_profiles[@]}"; do
│ │ │ + if [[ "${profile}" == "${ACME_PROFILE}" ]]; then
│ │ │ + found_profile="yes"
│ │ │ + break
│ │ │ + fi
│ │ │ + done
│ │ │ + if [[ "${found_profile}" == "no" ]]; then
│ │ │ + _exiterr "ACME profile '${ACME_PROFILE}' not found, available profiles:$(for key in "${!available_profiles[@]}"; do printf "\n %s: %s" "${key}" "${available_profiles[$key]}"; done)"
│ │ │ + fi
│ │ │ + fi
│ │ │ fi
│ │ │
│ │ │ # Export some environment variables to be used in hook script │ │ │ export WELLKNOWN BASEDIR CERTDIR ALPNCERTDIR CONFIG COMMAND
│ │ │
│ │ │ # Checking for private key ...
│ │ │ register_new_key="no"
│ │ │ @@ -699,14 +750,22 @@
│ │ │ echo "${zeroapi}"
│ │ │ FAILED=true
│ │ │ fi
│ │ │ fi
│ │ │ fi
│ │ │ fi
│ │ │
│ │ │ + # Google special sauce
│ │ │ + if [[ "${CA}" = "${CA_GOOGLE}" ]]; then
│ │ │ + if [[ -z "${CONTACT_EMAIL}" ]] || [[ -z "${EAB_KID:-}" ]] || [[ -z "${EAB_HMAC_KEY:-}" ]]; then
│ │ │ + echo "Google requires contact email, EAB_KID and EAB_HMAC_KEY to be manually configured (see https://cloud.google.com/certificate-manager/docs/public-ca-tutorial)"
│ │ │ + FAILED=true
│ │ │ + fi
│ │ │ + fi
│ │ │ +
│ │ │ # Check if external account is required
│ │ │ if [[ "${FAILED}" = "false" ]]; then
│ │ │ if [[ "${CA_REQUIRES_EAB}" = "true" ]]; then
│ │ │ if [[ -z "${EAB_KID:-}" ]] || [[ -z "${EAB_HMAC_KEY:-}" ]]; then
│ │ │ FAILED=true
│ │ │ echo "This CA requires an external account but no EAB_KID/EAB_HMAC_KEY has been configured"
│ │ │ fi
│ │ │ @@ -1005,21 +1064,21 @@
│ │ │ printf "%s" "${output}"
│ │ │ fi
│ │ │ }
│ │ │
│ │ │ # Extracts all subject names from a CSR
│ │ │ # Outputs either the CN, or the SANs, one per line
│ │ │ extract_altnames() {
│ │ │ - csr="${1}" # the CSR itself (not a file)
│ │ │ + csrfile="${1}" # path to CSR file
│ │ │
│ │ │ - if ! <<<"${csr}" "${OPENSSL}" req -verify -noout >/dev/null 2>&1; then
│ │ │ + if ! "${OPENSSL}" req -in "${csrfile}" -verify -noout >/dev/null; then
│ │ │ _exiterr "Certificate signing request isn't valid"
│ │ │ fi
│ │ │
│ │ │ - reqtext="$( <<<"${csr}" "${OPENSSL}" req -noout -text )"
│ │ │ + reqtext="$("${OPENSSL}" req -in "${csrfile}" -noout -text)"
│ │ │ if <<<"${reqtext}" grep -q '^[[:space:]]*X509v3 Subject Alternative Name:[[:space:]]*$'; then
│ │ │ # SANs used, extract these
│ │ │ altnames="$( <<<"${reqtext}" awk '/X509v3 Subject Alternative Name:/{print;getline;print;}' | tail -n1 )"
│ │ │ # split to one per line:
│ │ │ # shellcheck disable=SC1003
│ │ │ altnames="$( <<<"${altnames}" _sed -e 's/^[[:space:]]*//; s/, /\'$'\n''/g' )"
│ │ │ # we can only get DNS/IP: ones signed
│ │ │ @@ -1039,15 +1098,15 @@
│ │ │ # Get last issuer CN in certificate chain
│ │ │ get_last_cn() {
│ │ │ <<<"${1}" _sed 'H;/-----BEGIN CERTIFICATE-----/h;$!d;x' | "${OPENSSL}" x509 -noout -issuer | head -n1 | _sed -e 's/.*[ /]CN ?= ?([^/,]*).*/\1/'
│ │ │ }
│ │ │
│ │ │ # Create certificate for domain(s) and outputs it FD 3
│ │ │ sign_csr() {
│ │ │ - csr="${1}" # the CSR itself (not a file)
│ │ │ + csrfile="${1}" # path to CSR file
│ │ │
│ │ │ if { true >&3; } 2>/dev/null; then
│ │ │ : # fd 3 looks OK
│ │ │ else
│ │ │ _exiterr "sign_csr: FD 3 not open"
│ │ │ fi
│ │ │
│ │ │ @@ -1078,15 +1137,20 @@
│ │ │ else
│ │ │ challenge_identifiers+="$(printf '{"type": "dns", "value": "%s"}, ' "${altname}")"
│ │ │ fi
│ │ │ done
│ │ │ challenge_identifiers="[${challenge_identifiers%, }]"
│ │ │
│ │ │ echo " + Requesting new certificate order from CA..."
│ │ │ - order_location="$(signed_request "${CA_NEW_ORDER}" '{"identifiers": '"${challenge_identifiers}"'}' 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')"
│ │ │ + local order_payload='{"identifiers": '"${challenge_identifiers}"
│ │ │ + if [[ -n "${ACME_PROFILE}" ]]; then
│ │ │ + order_payload="${order_payload}"',"profile":"'"${ACME_PROFILE}"'"'
│ │ │ + fi
│ │ │ + order_payload="${order_payload}"'}'
│ │ │ + order_location="$(signed_request "${CA_NEW_ORDER}" "${order_payload}" 4>&1 | grep -i ^Location: | cut -d':' -f2- | tr -d ' \t\r\n')"
│ │ │ result="$(signed_request "${order_location}" "" | jsonsh)"
│ │ │
│ │ │ order_authorizations="$(echo "${result}" | get_json_array_values authorizations)"
│ │ │ finalize="$(echo "${result}" | get_json_string_value finalize)"
│ │ │
│ │ │ local idx=0
│ │ │ for uri in ${order_authorizations}; do
│ │ │ @@ -1264,33 +1328,38 @@
│ │ │ echo " + Challenge validation has failed :("
│ │ │ _exiterr "Challenge is invalid! (returned: ${reqstatus}) (result: ${result})"
│ │ │ fi
│ │ │ fi
│ │ │
│ │ │ # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
│ │ │ echo " + Requesting certificate..."
│ │ │ - csr64="$( <<<"${csr}" "${OPENSSL}" req -config "${OPENSSL_CNF}" -outform DER | urlbase64)"
│ │ │ + csr64="$("${OPENSSL}" req -in "${csrfile}" -config "${OPENSSL_CNF}" -outform DER | urlbase64)"
│ │ │ if [[ ${API} -eq 1 ]]; then
│ │ │ crt64="$(signed_request "${CA_NEW_CERT}" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | "${OPENSSL}" base64 -e)"
│ │ │ crt="$( printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" )"
│ │ │ else
│ │ │ result="$(signed_request "${finalize}" '{"csr": "'"${csr64}"'"}' | jsonsh)"
│ │ │ + waited=0
│ │ │ while :; do
│ │ │ orderstatus="$(echo "${result}" | get_json_string_value status)"
│ │ │ case "${orderstatus}"
│ │ │ in
│ │ │ "processing" | "pending")
│ │ │ + if [ ${ORDER_TIMEOUT} -gt 0 ] && [ ${waited} -gt ${ORDER_TIMEOUT} ]; then
│ │ │ + _exiterr "Timed out waiting for processing of order (still ${orderstatus})"
│ │ │ + fi
│ │ │ echo " + Order is ${orderstatus}..."
│ │ │ sleep 2;
│ │ │ + waited=$((waited+2))
│ │ │ ;;
│ │ │ "valid")
│ │ │ break;
│ │ │ ;;
│ │ │ *)
│ │ │ - _exiterr "Order in status ${orderstatus}"
│ │ │ + _exiterr "Order has invalid/unknown status: ${orderstatus}"
│ │ │ ;;
│ │ │ esac
│ │ │ result="$(signed_request "${order_location}" "" | jsonsh)" │ │ │ done
│ │ │
│ │ │ resheaders="$(_mktemp)"
│ │ │ certificate="$(echo "${result}" | get_json_string_value certificate)"
│ │ │ @@ -1506,15 +1575,15 @@
│ │ │ fi
│ │ │ "${OPENSSL}" req -new -sha256 -key "${certdir}/${privkey}" -out "${certdir}/cert-${timestamp}.csr" -subj "${SUBJ}" -reqexts SAN -config "${tmp_openssl_cnf}"
│ │ │ rm -f "${tmp_openssl_cnf}"
│ │ │ fi
│ │ │
│ │ │ crt_path="${certdir}/cert-${timestamp}.pem"
│ │ │ # shellcheck disable=SC2086
│ │ │ - sign_csr "$(< "${certdir}/cert-${timestamp}.csr")" ${altnames} 3>"${crt_path}"
│ │ │ + sign_csr "${certdir}/cert-${timestamp}.csr" ${altnames} 3>"${crt_path}"
│ │ │
│ │ │ # Create fullchain.pem
│ │ │ echo " + Creating fullchain.pem..."
│ │ │ if [[ ${API} -eq 1 ]]; then
│ │ │ cat "${crt_path}" > "${certdir}/fullchain-${timestamp}.pem" │ │ │ local issuer_hash
│ │ │ issuer_hash="$(get_issuer_hash "${crt_path}")"
│ │ │ @@ -1771,15 +1840,15 @@
│ │ │ rm "${aftervars}"
│ │ │ ); do
│ │ │ config_var="$(echo "${cfgline:1}" | cut -d'=' -f1)"
│ │ │ config_value="$(echo "${cfgline:1}" | cut -d'=' -f2- | tr -d "'")"
│ │ │ # All settings that are allowed here should also be stored and │ │ │ # restored in store_configvars() and reset_configvars()
│ │ │ case "${config_var}" in
│ │ │ - KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS)
│ │ │ + KEY_ALGO|OCSP_MUST_STAPLE|OCSP_FETCH|OCSP_DAYS|PRIVATE_KEY_RENEW|PRIVATE_KEY_ROLLOVER|KEYSIZE|CHALLENGETYPE|HOOK|PREFERRED_CHAIN|WELLKNOWN|HOOK_CHAIN|OPENSSL_CNF|RENEW_DAYS|ACME_PROFILE|ORDER_TIMEOUT)
│ │ │ echo " + ${config_var} = ${config_value}"
│ │ │ declare -- "${config_var}=${config_value}"
│ │ │ ;;
│ │ │ _) ;;
│ │ │ *) echo " ! Setting ${config_var} on a per-certificate base is not (yet) supported" >&2
│ │ │ esac
│ │ │ done
│ │ │ @@ -1788,24 +1857,26 @@
│ │ │ verify_config
│ │ │ hookscript_bricker_hook
│ │ │ export WELLKNOWN CHALLENGETYPE KEY_ALGO PRIVATE_KEY_ROLLOVER │ │ │
│ │ │ skip="no"
│ │ │
│ │ │ # Allow for external CSR generation
│ │ │ - local csr=""
│ │ │ + local csrfile=""
│ │ │ if [[ -n "${HOOK}" ]]; then
│ │ │ csr="$("${HOOK}" "generate_csr" "${domain}" "${certdir}" "${domain} ${morenames}")" || _exiterr 'generate_csr hook returned with non-zero exit code'
│ │ │ if grep -qE "\-----BEGIN (NEW )?CERTIFICATE REQUEST-----" <<< "${csr}"; then
│ │ │ - altnames="$(extract_altnames "${csr}")"
│ │ │ + csrfile="$(_mktemp)"
│ │ │ + cat > "${csrfile}" <<< "${csr}"
│ │ │ + altnames="$(extract_altnames "${csrfile}")"
│ │ │ domain="$(cut -d' ' -f1 <<< "${altnames}")"
│ │ │ morenames="$(cut -s -d' ' -f2- <<< "${altnames}")"
│ │ │ echo " + Using CSR from hook script (real names: ${altnames})"
│ │ │ else
│ │ │ - csr=""
│ │ │ + csrfile=""
│ │ │ fi
│ │ │ fi
│ │ │
│ │ │ # Check domain names of existing certificate
│ │ │ if [[ -e "${cert}" && "${force_renew}" = "no" ]]; then
│ │ │ printf " + Checking domain name(s) of existing cert..."
│ │ │
│ │ │ @@ -1847,15 +1918,18 @@
│ │ │
│ │ │ local update_ocsp
│ │ │ update_ocsp="no"
│ │ │
│ │ │ # Sign certificate for this domain
│ │ │ if [[ ! "${skip}" = "yes" ]]; then
│ │ │ update_ocsp="yes"
│ │ │ - [[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr"
│ │ │ + if [[ -n "${csrfile}" ]]; then
│ │ │ + cat "${csrfile}" > "${certdir}/cert-${timestamp}.csr"
│ │ │ + rm "${csrfile}"
│ │ │ + fi
│ │ │ # shellcheck disable=SC2086
│ │ │ if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then
│ │ │ skip_exit_hook=yes
│ │ │ sign_domain "${certdir}" "${timestamp}" "${domain}" ${morenames} &
│ │ │ wait $! || exit_with_errorcode=1
│ │ │ skip_exit_hook=no
│ │ │ else
│ │ │ @@ -1891,16 +1965,16 @@
│ │ │ reset_configvars
│ │ │
│ │ │ # remove temporary domains.txt file if used
│ │ │ [[ -n "${PARAM_DOMAIN:-}" ]] && rm -f "${DOMAINS_TXT}"
│ │ │
│ │ │ [[ -n "${HOOK}" ]] && ("${HOOK}" "exit_hook" || echo 'exit_hook returned with non-zero exit code!' >&2)
│ │ │ if [[ "${AUTO_CLEANUP}" == "yes" ]]; then
│ │ │ - echo "+ Running automatic cleanup"
│ │ │ - command_cleanup noinit
│ │ │ + echo " + Running automatic cleanup"
│ │ │ + PARAM_CLEANUPDELETE="${AUTO_CLEANUP_DELETE:-no}" command_cleanup noinit | _sed 's/^/ + /g'
│ │ │ fi
│ │ │
│ │ │ exit "${exit_with_errorcode}"
│ │ │ }
│ │ │
│ │ │ # Usage: --signcsr (-s) path/to/csr.pem
│ │ │ # Description: Sign a given CSR, output CRT on stdout (advanced usage)
│ │ │ @@ -1908,27 +1982,26 @@
│ │ │ init_system
│ │ │
│ │ │ # redirect stdout to stderr
│ │ │ # leave stdout over at fd 3 to output the cert
│ │ │ exec 3>&1 1>&2
│ │ │
│ │ │ # load csr
│ │ │ - csrfile="${1}"
│ │ │ + local csrfile="${1}"
│ │ │ if [ ! -r "${csrfile}" ]; then
│ │ │ _exiterr "Could not read certificate signing request ${csrfile}"
│ │ │ fi
│ │ │ - csr="$(cat "${csrfile}")"
│ │ │
│ │ │ # extract names
│ │ │ - altnames="$(extract_altnames "${csr}")"
│ │ │ + altnames="$(extract_altnames "${csrfile}")"
│ │ │
│ │ │ # gen cert
│ │ │ certfile="$(_mktemp)"
│ │ │ # shellcheck disable=SC2086
│ │ │ - sign_csr "${csr}" ${altnames} 3> "${certfile}"
│ │ │ + sign_csr "${csrfile}" ${altnames} 3> "${certfile}"
│ │ │
│ │ │ # print cert
│ │ │ echo "# CERT #" >&3
│ │ │ cat "${certfile}" >&3
│ │ │ echo >&3
│ │ │
│ │ │ # print chain
│ │ │ @@ -2360,14 +2433,31 @@
│ │ │ # PARAM_Usage: --algo (-a) rsa|prime256v1|secp384r1
│ │ │ # PARAM_Description: Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
│ │ │ --algo|-a)
│ │ │ shift 1
│ │ │ check_parameters "${1:-}"
│ │ │ PARAM_KEY_ALGO="${1}"
│ │ │ ;;
│ │ │ +
│ │ │ + # PARAM_Usage: --acme-profile profile_name
│ │ │ + # PARAM_Description: Use specified ACME profile
│ │ │ + --acme-profile)
│ │ │ + shift 1
│ │ │ + check_parameters "${1:-}"
│ │ │ + PARAM_ACME_PROFILE="${1}"
│ │ │ + ;;
│ │ │ +
│ │ │ + # PARAM_Usage: --order-timeout seconds
│ │ │ + # PARAM_Description: Amount of seconds to wait for processing of order until erroring out
│ │ │ + --order-timeout)
│ │ │ + shift 1
│ │ │ + check_parameters "${1:-}"
│ │ │ + PARAM_ORDER_TIMEOUT=${1}
│ │ │ + ;;
│ │ │ +
│ │ │ *)
│ │ │ echo "Unknown parameter detected: ${1}" >&2
│ │ │ echo >&2
│ │ │ command_help >&2
│ │ │ exit 1
│ │ │ ;;
│ │ │ esac
│ │ ├── ./usr/share/doc/dehydrated/README.md.gz
│ │ │ ├── README.md
│ │ │ │ @@ -81,14 +81,16 @@
│ │ │ │ --config (-f) path/to/config Use specified config file │ │ │ │ --hook (-k) path/to/hook.sh Use specified script for hooks
│ │ │ │ --preferred-chain issuer-cn Use alternative certificate chain identified by issuer CN
│ │ │ │ --out (-o) certs/directory Output certificates into the specified directory
│ │ │ │ --alpn alpn-certs/directory Output alpn verification certificates into the specified directory
│ │ │ │ --challenge (-t) http-01|dns-01|tls-alpn-01 Which challenge should be used? Currently http-01, dns-01, and tls-alpn-01 are supported
│ │ │ │ --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
│ │ │ │ + --acme-profile profile_name Use specified ACME profile │ │ │ │ + --order-timeout seconds Amount of seconds to wait for processing of order until erroring out
│ │ │ │ ```
│ │ │ │
│ │ │ │ ## Chat
│ │ │ │
│ │ │ │ Dehydrated has an official IRC-channel `#dehydrated` on libera.chat that can be used for general discussion and suggestions.
│ │ │ │
│ │ │ │ The channel can also be accessed with Matrix using the official libera.chat bridge at `#dehydrated:libera.chat`.
│ │ ├── ./usr/share/doc/dehydrated/changelog.Debian.gz
│ │ │ ├── changelog.Debian
│ │ │ │ @@ -1,7 +1,17 @@
│ │ │ │ +dehydrated (0.7.2-1) unstable; urgency=medium
│ │ │ │ +
│ │ │ │ + * New upstream release 0.7.2.
│ │ │ │ + * Update copyright.
│ │ │ │ + * Drop all patches applied upstream.
│ │ │ │ + * Add patches from upstream after the 0.7.2 release.
│ │ │ │ + * Bump Standards-Version to 4.7.2, no changes needed.
│ │ │ │ +
│ │ │ │ + -- Mattia Rizzolo <[email protected]> Mon, 02 Jun 2025 16:50:35 +0200
│ │ │ │ +
│ │ │ │ dehydrated (0.7.1-1) unstable; urgency=medium
│ │ │ │
│ │ │ │ * New upstream release 0.7.1. Closes: #1023655
│ │ │ │ * Update watch file.
│ │ │ │ Thanks to Beat Bolli <[email protected]> for the patch
│ │ │ │ * Update copyright.
│ │ │ │ * Remove all patches applied upstream.
│ │ ├── ./usr/share/doc/dehydrated/changelog.gz
│ │ │ ├── changelog
│ │ │ │ @@ -1,10 +1,23 @@
│ │ │ │ # Change Log
│ │ │ │ This file contains a log of major changes in dehydrated
│ │ │ │
│ │ │ │ +## [0.7.2] - 2025-05-18
│ │ │ │ +## Added
│ │ │ │ +- Implemented support for certificate profile selection
│ │ │ │ +- Added a configuration parameter to allow for timeouts during order processing (`ORDER_TIMEOUT`, defaults to 0 = no timeout)
│ │ │ │ +- Allowed for automatic deletion of old files (`AUTO_CLEANUP_DELETE`, disabled by default)
│ │ │ │ +- Added CA presets for Google Trust Services (prod: google, test: google-test)
│ │ │ │ +
│ │ │ │ +## Changed
│ │ │ │ +- Renew certificates with 32 days remaining (instead of 30) to avoid issues with monthly cronjobs (`RENEW_DAYS=32`)
│ │ │ │ +
│ │ │ │ +## Fixed
│ │ │ │ +- Changed behaviour of `openssl req` stdin handling to fix compatibility with OpenSSL version 3.2+
│ │ │ │ +
│ │ │ │ ## [0.7.1] - 2022-10-31
│ │ │ │ ## Changed
│ │ │ │ - `--force` no longer forces domain name revalidation by default, a new argument `--force-validation` has been added for that
│ │ │ │ - Added support for EC secp521r1 algorithm (works with e.g. zerossl)
│ │ │ │ - `EC PARAMETERS` are no longer written to privkey.pem (didn't seem necessary and was causing issues with various software)
│ │ │ │
│ │ │ │ ## Fixed
│ │ ├── ./usr/share/doc/dehydrated/copyright
│ │ │ @@ -5,15 +5,15 @@
│ │ │
│ │ │ Files: *
│ │ │ Copyright: 2015-2021 Lukas Schauer
│ │ │ License: Expat
│ │ │
│ │ │ Files: debian/*
│ │ │ Copyright: 2016 Daniel Beyer <[email protected]>
│ │ │ - 2016-2024 Mattia Rizzolo <[email protected]>
│ │ │ + 2016-2025 Mattia Rizzolo <[email protected]>
│ │ │ License: Expat
│ │ │
│ │ │ License: Expat
│ │ │ Permission is hereby granted, free of charge, to any person obtaining a copy
│ │ │ of this software and associated documentation files (the "Software"), to deal
│ │ │ in the Software without restriction, including without limitation the rights
│ │ │ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
│ │ ├── ./usr/share/doc/dehydrated/docs/logo.png
│ │ │ ├── sng
│ │ │ │ @@ -16,37 +16,37 @@
│ │ │ │ }
│ │ │ │ bKGD {red: 255; green: 255; blue: 255;}
│ │ │ │ pHYs {xpixels: 5487; ypixels: 5487; per: meter;} # (139 dpi) │ │ │ │ private orNT {
│ │ │ │ base64 1;
│ │ │ │ }
│ │ │ │ tIME {
│ │ │ │ - # 27 Jul 2024 06:13:05 GMT
│ │ │ │ - year: 2024
│ │ │ │ - month: 7
│ │ │ │ - day: 27
│ │ │ │ - hour: 6
│ │ │ │ - minute: 13
│ │ │ │ - second: 5
│ │ │ │ + # 2 Jun 2025 14:50:35 GMT
│ │ │ │ + year: 2025
│ │ │ │ + month: 6
│ │ │ │ + day: 2
│ │ │ │ + hour: 14
│ │ │ │ + minute: 50
│ │ │ │ + second: 35
│ │ │ │ }
│ │ │ │ zTXt {
│ │ │ │ keyword: "Raw profile type icc";
│ │ │ │ text: "\nicc\n 672\n000002a06c636d73043000006d6e74725247422058595a2007e5000b0001001200080025\n616373704150504c0000000000000000000000000000000000000000000000000000f6d6\
n000100000000d32d6c636d73000000000000000000000000000000000000000000000000\n00000000000000000000000000000000000000000000000d646573630000012000000040\n63707274000001600000003677747074000001980000001463686164000001ac0000002c\
n7258595a000001d8000000146258595a000001ec000000146758595a0000020000000014\n725452430000021400000020675452430000021400000020625452430000021400000020\n6368726d0000023400000024646d6e640000025800000024646d64640000027c00000024\
n6d6c756300000000000000010000000c656e5553000000240000001c00470049004d0050\n0020006200750069006c0074002d0069006e002000730052004700426d6c756300000000\n000000010000000c656e55530000001a0000001c005000750062006c0069006300200044\
n006f006d00610069006e000058595a20000000000000f6d6000100000000d32d73663332\n0000000000010c42000005defffff325000007930000fd90fffffba1fffffda2000003dc\n0000c06e58595a200000000000006fa0000038f50000039058595a20000000000000249f\
n00000f840000b6c458595a2000000000000062970000b787000018d97061726100000000\n00030000000266660000f2a700000d59000013d000000a5b6368726d0000000000030000\n0000a3d70000547c00004ccd0000999a0000266700000f5c6d6c75630000000000000001\
n0000000c656e5553000000080000001c00470049004d00506d6c75630000000000000001\n0000000c656e5553000000080000001c0073005200470042\n";
│ │ │ │ }
│ │ │ │ zTXt {
│ │ │ │ keyword: "Raw profile type xmp";

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)