- Application of two commits that will end up as part of 0.7.3 eventually. Fixes: bug13945 Signed-off-by: Adolf Belka <[email protected]> --- lfs/dehydrated | 6 ++-- ...nt_workaround_for_openssl_regression.patch | 33 +++++++++++++++++++ ..._flag_from_time-based_validity_check.patch | 23 +++++++++++++ 3 files changed, 60 insertions(+), 2 deletions(-) create mode 100644 src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch create mode 100644 src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
diff --git a/lfs/dehydrated b/lfs/dehydrated index ab2bf8acd..0c4004e18 100644 --- a/lfs/dehydrated +++ b/lfs/dehydrated @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team <[email protected]> # +# Copyright (C) 2007-2026 IPFire Team <[email protected]> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = dehydrated -PAK_VER = 7 +PAK_VER = 8 DEPS = @@ -81,6 +81,8 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch # Install the script cd $(DIR_APP) && install -m 755 dehydrated \ diff --git a/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch b/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch new file mode 100644 index 000000000..9fb6a56ee --- /dev/null +++ b/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch 
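Review bot: The two added `patch -Np1` lines in the `$(TARGET)` recipe of lfs/dehydrated carry no comment saying that they are backports of upstream commits expected in 0.7.3, so nothing in the file tells the next maintainer to drop them on the version bump. I would put a comment above them, for example `# Upstream backports for the openssl -checkend regression (bug13945); remove both when updating to 0.7.3`. The second patch edits the same line the first one rewrites, so the order of the two recipe lines matters and is worth stating in that comment. The recipe starts before this hunk and continues past it.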
@@ -0,0 +1,33 @@
+From 1dbbc64ce947af000b764e806429e3f87cb3a55e Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <[email protected]>
+Date: Fri, 24 Oct 2025 09:14:05 +0200
+Subject: [PATCH] implement workaround for openssl regression (fixes #981)
+
+The introduction of the `-multi` option to the x509 subcommand
+introduced a regression to the `-checkend` behaviour, preventing
+openssl to correctly indicate the certificate expiry status via
+its exit code.
+
+This commit introduces a (maybe temporary) workaround by instead
+checking the output string.
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index 28c4711..4867151 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -1952,7 +1952,7 @@ command_sign_domains() {
+ valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
+
+ printf " + Valid till %s " "${valid}"
+- if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" > /dev/null 2>&1); then
++ if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then
+ printf "(Longer than %d days). " "${RENEW_DAYS}"
+ if [[ "${force_renew}" = "yes" ]]; then
+ echo "Ignoring because renew was forced!"
+--
+2.47.3
+
+
diff --git a/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch b/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
new file mode 100644
index 000000000..1a2876847
--- /dev/null
+++ b/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
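Review bot: The renewal decision in the changed `if` of `command_sign_domains()` now depends on `grep -q "will not expire"` matching openssl's message text over merged stdout and stderr, so an openssl error on `${cert}` or a change in that wording looks the same as a certificate that is about to expire. The branch taken in that case lies outside the hunk; if it is the renewal path, as the surrounding messages suggest, the failure mode is a renewal attempt on every run rather than a missed expiry, which is the safer direction but can run into CA rate limits. This patch still passes `-noout`, which the follow-up patch `dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch` removes from the same line, so the two only make sense applied together and in this order. A comment above the check would help the next maintainer, for example `# -checkend exit status is unreliable on affected openssl builds; match the message text instead`.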
@@ -0,0 +1,23 @@
+From 2e6933464e1d68352e9f58e36373ac9f092ecebb Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <[email protected]>
+Date: Tue, 3 Feb 2026 22:01:15 +0100
+Subject: [PATCH] remove noout flag from time-based validity check
+
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index 48671513..beb54344 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -1952,7 +1952,7 @@ command_sign_domains() {
+ valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
+
+ printf " + Valid till %s " "${valid}"
+- if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then
++ if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -in "${cert}" 2>&1 | grep -q "will not expire"); then
+ printf "(Longer than %d days). " "${RENEW_DAYS}"
+ if [[ "${force_renew}" = "yes" ]]; then
+ echo "Ignoring because renew was forced!"
+
-- 2.53.0
