From patchwork Mon Feb 23 19:45:14 2026
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9533
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] dehydrated: Fix for bug13945 - not renewing certificates within period of 32 days before expiring
Date: Mon, 23 Feb 2026 20:45:14 +0100
Message-ID: <20260223194514.4146891-1-adolf.belka@ipfire.org>

- Application of two commits that will end up as part of 0.7.3 eventually.

Fixes: bug13945
Signed-off-by: Adolf Belka
---
 lfs/dehydrated                                |  6 ++--
 ...nt_workaround_for_openssl_regression.patch | 33 +++++++++++++++++++
 ..._flag_from_time-based_validity_check.patch | 23 +++++++++++++
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch
 create mode 100644 src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
diff --git a/lfs/dehydrated b/lfs/dehydrated index ab2bf8acd..0c4004e18 100644 --- a/lfs/dehydrated +++ b/lfs/dehydrated @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = dehydrated -PAK_VER = 7 +PAK_VER = 8 DEPS = @@ -81,6 +81,8 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch # Install the script cd $(DIR_APP) && install -m 755 dehydrated \ diff --git a/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch b/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch new file mode 100644 index 000000000..9fb6a56ee --- /dev/null +++ b/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch 
@@ -0,0 +1,33 @@ +From 1dbbc64ce947af000b764e806429e3f87cb3a55e Mon Sep 17 00:00:00 2001 +From: Lukas Schauer +Date: Fri, 24 Oct 2025 09:14:05 +0200 +Subject: [PATCH] implement workaround for openssl regression (fixes #981) + +The introduction of the `-multi` option to the x509 subcommand +introduced a regression to the `-checkend` behaviour, preventing +openssl to correctly indicate the certificate expiry status via +its exit code. + +This commit introduces a (maybe temporary) workaround by instead +checking the output string. +--- + dehydrated | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dehydrated b/dehydrated +index 28c4711..4867151 100755 +--- a/dehydrated ++++ b/dehydrated +@@ -1952,7 +1952,7 @@ command_sign_domains() { + valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )" + + printf " + Valid till %s " "${valid}" +- if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" > /dev/null 2>&1); then ++ if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then + printf "(Longer than %d days). " "${RENEW_DAYS}" + if [[ "${force_renew}" = "yes" ]]; then + echo "Ignoring because renew was forced!" +-- +2.47.3 + + diff --git a/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch b/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch new file mode 100644 index 000000000..1a2876847 --- /dev/null +++ b/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch 
@@ -0,0 +1,23 @@ +From 2e6933464e1d68352e9f58e36373ac9f092ecebb Mon Sep 17 00:00:00 2001 +From: Lukas Schauer +Date: Tue, 3 Feb 2026 22:01:15 +0100 +Subject: [PATCH] remove noout flag from time-based validity check + +--- + dehydrated | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/dehydrated b/dehydrated +index 48671513..beb54344 100755 +--- a/dehydrated ++++ b/dehydrated +@@ -1952,7 +1952,7 @@ command_sign_domains() { + valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )" + + printf " + Valid till %s " "${valid}" +- if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then ++ if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -in "${cert}" 2>&1 | grep -q "will not expire"); then + printf "(Longer than %d days). " "${RENEW_DAYS}" + if [[ "${force_renew}" = "yes" ]]; then + echo "Ignoring because renew was forced!" +
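Review bot: The two `patch -Np1` lines added to lfs/dehydrated are order-dependent and undocumented: the `-` line of dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch is exactly the `+` line that dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch introduces, so swapping them makes the second one fail to apply. The order here is right, but since the cover text says both commits land upstream in 0.7.3, a one-line comment above them saying they must be dropped when the tarball moves to 0.7.3 would spare the next updater a failed build. Also, the file name says `nout` while the upstream subject it carries says `noout`; renaming the file (and the lfs line that references it) before merge keeps the two consistent.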
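Review bot: In the `+` line of the openssl-regression workaround, the status of the pipeline is grep's, so OpenSSL's own exit code is discarded entirely: a certificate that cannot be read at all (missing file, not PEM) produces no "will not expire" text and falls through to the renewal branch exactly like a certificate that is about to expire. Renewing is the safe direction for an ACME client, but because `2>&1` also feeds the error text into `grep -q`, the user sees an unexplained renewal attempt with no error. Suggest leaving stderr out of the pipe so OpenSSL's message still reaches the console, and putting a short comment above the line naming the `-multi`/`-checkend` regression from the commit message, so the string match is not "tidied" back into an exit-code test before upstream OpenSSL is fixed.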
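Review bot: The second upstream commit has no body, and the IPFire cover text only says the commits will be in 0.7.3, so nobody reading this tree can tell why `-noout` had to go from a line that the first patch had just rewritten; one sentence stating the observed OpenSSL behaviour that motivated it belongs either in the lfs comment or in the patch header. Note also that without `-noout`, `openssl x509` writes the PEM certificate body to stdout together with the verdict line. `grep -q` swallows it today, but the `valid=` line two lines above in the same hunk captures `openssl x509` output into a variable and relies on `-noout` to keep it clean; anyone who later does the same with the `-checkend` call will get the certificate body too.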
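As an added example, not code from dehydrated or IPFire: the check the two upstream patches converge on (match OpenSSL's "will not expire" verdict text rather than trust the `-checkend` exit code), written as a shell function that also keeps "OpenSSL could not evaluate the certificate" apart from "certificate expires soon", which the one-line `grep -q` in the patch cannot do. `OPENSSL` and `RENEW_DAYS` mirror dehydrated's variable names; `cert_renewal_state`, `make_test_cert` and `demo` are this example's own, the certificates are generated locally as constructed test material, and, unlike the patched line, stderr is deliberately kept out of the match.

```bash
#!/bin/sh
# Added example, not dehydrated's or IPFire's code. Classifies a certificate's
# remaining lifetime the way the patched dehydrated does (by matching OpenSSL's
# verdict text instead of trusting the -checkend exit code), but keeps three
# outcomes apart so an unreadable certificate is never mistaken for a healthy one.
#
# OPENSSL and RENEW_DAYS mirror dehydrated's variable names; the function names
# below are this example's own.
OPENSSL="${OPENSSL:-openssl}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# cert_renewal_state <cert.pem> [days]
# Returns 0: valid for longer than <days> (no renewal needed)
#         1: expires within <days>, or already expired (renew)
#         2: OpenSSL produced no verdict (missing/garbage file, wrong format)
cert_renewal_state() {
    cert="$1"
    days="${2:-$RENEW_DAYS}"
    # No -noout (as in the second upstream patch) so the verdict line is
    # printed; the PEM body is printed as well and is simply ignored here.
    # stderr is kept out of the match so an error message cannot be taken
    # for a verdict.
    out="$("$OPENSSL" x509 -checkend "$((days * 86400))" -in "$cert" 2>/dev/null)"
    case "$out" in
        *"will not expire"*) return 0 ;;
        *"will expire"*)     return 1 ;;
    esac
    # Neither verdict string is present: do not fall back to the exit code,
    # since that is exactly what the -multi/-checkend regression broke.
    return 2
}

# make_test_cert <days> <cert.pem> <key.pem>
# Constructed test material: a throwaway self-signed certificate.
make_test_cert() {
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -keyout "$3" -out "$2" \
        -days "$1" -subj "/CN=checkend-example.test" >/dev/null 2>&1
}

# demo: print, side by side, what -checkend's exit code says and what the
# verdict text says, for a long-lived, a short-lived and a missing certificate.
demo() {
    tmp="$(mktemp -d)"
    make_test_cert 365 "$tmp/long.pem" "$tmp/long.key"
    make_test_cert 1 "$tmp/short.pem" "$tmp/short.key"
    for c in "$tmp/long.pem" "$tmp/short.pem" "$tmp/absent.pem"; do
        "$OPENSSL" x509 -checkend "$((RENEW_DAYS * 86400))" -noout -in "$c" >/dev/null 2>&1
        ec=$?
        cert_renewal_state "$c" "$RENEW_DAYS"
        printf '%-12s exit code %d   verdict state %d\n' "${c##*/}" "$ec" "$?"
    done
    rm -rf "$tmp"
}

# Run the comparison only when asked for, e.g.: CERT_DEMO=1 sh checkend.sh
if [ -n "${CERT_DEMO:-}" ]; then
    demo
fi
```

Running `demo` on an OpenSSL affected by the regression is a quick way to see the two columns disagree (exit code 0 for the short-lived certificate while the verdict state is 1); on a fixed OpenSSL both columns agree, and the missing file shows why state 2 is kept separate from state 1 instead of being folded into "renew".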