dehydrated: Fix for bug13945 - not renewing certificates within period of 32 days before expiring
Commit Message
- Application of two commits that will end up as part of 0.7.3 eventually.
Fixes: bug13945
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/dehydrated | 6 ++--
...nt_workaround_for_openssl_regression.patch | 33 +++++++++++++++++++
..._flag_from_time-based_validity_check.patch | 23 +++++++++++++
3 files changed, 60 insertions(+), 2 deletions(-)
create mode 100644 src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch
create mode 100644 src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2026 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = dehydrated
-PAK_VER = 7
+PAK_VER = 8
DEPS =
@@ -81,6 +81,8 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
# Install the script
cd $(DIR_APP) && install -m 755 dehydrated \
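Review bot: The two added `patch -Np1` lines carry no comment saying what they fix or when they can be dropped, and their order is load-bearing: the second patch's preimage (`index 48671513..` in the second file) is the first patch's postimage (`..4867151` in the first file), so swapping them or applying only one makes `patch` fail at build time. A comment above the first line, such as `# Backported upstream fixes for the openssl -checkend regression (bug13945); keep this order, drop when updating to 0.7.3`, would record that for the next version bump, which the commit message says will otherwise carry these changes. The `$(TARGET)` recipe continues past the end of the hunk.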
new file mode 100644
@@ -0,0 +1,33 @@
+From 1dbbc64ce947af000b764e806429e3f87cb3a55e Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.dev>
+Date: Fri, 24 Oct 2025 09:14:05 +0200
+Subject: [PATCH] implement workaround for openssl regression (fixes #981)
+
+The introduction of the `-multi` option to the x509 subcommand
+introduced a regression to the `-checkend` behaviour, preventing
+openssl to correctly indicate the certificate expiry status via
+its exit code.
+
+This commit introduces a (maybe temporary) workaround by instead
+checking the output string.
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index 28c4711..4867151 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -1952,7 +1952,7 @@ command_sign_domains() {
+ valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
+
+ printf " + Valid till %s " "${valid}"
+- if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" > /dev/null 2>&1); then
++ if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then
+ printf "(Longer than %d days). " "${RENEW_DAYS}"
+ if [[ "${force_renew}" = "yes" ]]; then
+ echo "Ignoring because renew was forced!"
+--
+2.47.3
+
+
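Review bot: The renewal decision on the added `if` line now hinges on a substring match of OpenSSL's human-readable output rather than its exit status, so any failure — an unreadable or corrupt `${cert}`, or a wording change in a future OpenSSL release — produces no match and is indistinguishable from "expires within RENEW_DAYS": the script proceeds to renew. That is the safe direction for expiry, but if the wording ever changes every certificate would presumably be renewed on every run, which is worth keeping in mind with respect to ACME rate limits. A comment on that line, `# workaround: -checkend exit status is unreliable on affected openssl versions, match the status text instead`, would help the next reader; the same line is rewritten again by the second patch file below, which keeps the grep but drops `-noout`. command_sign_domains continues outside the hunk.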
new file mode 100644
@@ -0,0 +1,23 @@
+From 2e6933464e1d68352e9f58e36373ac9f092ecebb Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.dev>
+Date: Tue, 3 Feb 2026 22:01:15 +0100
+Subject: [PATCH] remove noout flag from time-based validity check
+
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index 48671513..beb54344 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -1952,7 +1952,7 @@ command_sign_domains() {
+ valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
+
+ printf " + Valid till %s " "${valid}"
+- if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then
++ if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -in "${cert}" 2>&1 | grep -q "will not expire"); then
+ printf "(Longer than %d days). " "${RENEW_DAYS}"
+ if [[ "${force_renew}" = "yes" ]]; then
+ echo "Ignoring because renew was forced!"
+