public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 6b37324b0a6e2f99a44fdf71238632ebb0d32a82
@ 2026-02-24  8:29 Michael Tremer
From: Michael Tremer @ 2026-02-24  8:29 UTC (permalink / raw)
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  6b37324b0a6e2f99a44fdf71238632ebb0d32a82 (commit)
      from  dd2b2a07d2e7fe67016fae5e3cedc50764bb53ee (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6b37324b0a6e2f99a44fdf71238632ebb0d32a82
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Mon Feb 23 20:45:14 2026 +0100

    dehydrated: Fix for bug13945 - not renewing certificates within period of 32 days before expiring
    
    - Application of two commits that will end up as part of 0.7.3 eventually.
    
    Fixes: bug13945
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/dehydrated                                     |  6 ++--
 ...plement_workaround_for_openssl_regression.patch | 33 ++++++++++++++++++++++
 ..._nout_flag_from_time-based_validity_check.patch | 23 +++++++++++++++
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch
 create mode 100644 src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch

Difference in files:
diff --git a/lfs/dehydrated b/lfs/dehydrated
index ab2bf8acd..0c4004e18 100644
--- a/lfs/dehydrated
+++ b/lfs/dehydrated
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2026  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = dehydrated
-PAK_VER    = 7
+PAK_VER    = 8
 
 DEPS       =
 
@@ -81,6 +81,8 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
 
 	# Install the script
 	cd $(DIR_APP) && install -m 755 dehydrated \
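Review bot: The two added `patch -Np1` lines in the `$(TARGET)` recipe are order-dependent, and nothing in the file says so: the line the second patch removes is exactly the line the first patch adds, so swapping them or dropping only one makes the remaining patch fail to apply. A short comment above them stating the order, and that both are to be removed when the package moves to 0.7.3 (as the commit message anticipates), would save the next version bump from tripping over them.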
diff --git a/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch b/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch
new file mode 100644
index 000000000..9fb6a56ee
--- /dev/null
+++ b/src/patches/dehydrated-0.7.2_implement_workaround_for_openssl_regression.patch
@@ -0,0 +1,33 @@
+From 1dbbc64ce947af000b764e806429e3f87cb3a55e Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.dev>
+Date: Fri, 24 Oct 2025 09:14:05 +0200
+Subject: [PATCH] implement workaround for openssl regression (fixes #981)
+
+The introduction of the `-multi` option to the x509 subcommand
+introduced a regression to the `-checkend` behaviour, preventing
+openssl to correctly indicate the certificate expiry status via
+its exit code.
+
+This commit introduces a (maybe temporary) workaround by instead
+checking the output string.
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index 28c4711..4867151 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -1952,7 +1952,7 @@ command_sign_domains() {
+       valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
+ 
+       printf " + Valid till %s " "${valid}"
+-      if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" > /dev/null 2>&1); then
++      if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then
+         printf "(Longer than %d days). " "${RENEW_DAYS}"
+         if [[ "${force_renew}" = "yes" ]]; then
+           echo "Ignoring because renew was forced!"
+-- 
+2.47.3
+
+
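Review bot: In the changed `if` line of `command_sign_domains()`, the renewal decision now depends on `grep -q "will not expire"` matching openssl's human-readable output, and because of the pipe the exit status of openssl itself is no longer looked at. Any failure of the openssl call (for example an unreadable or malformed `${cert}`) is therefore treated the same as a certificate that is not valid for longer than `RENEW_DAYS`, and the error text is swallowed by `grep -q`. A comment in the script next to this line naming the regression (#981) would make it clear that the string match is a workaround and can go back to the exit-code check later, which is what the "maybe temporary" in the commit message implies.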
diff --git a/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch b/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
new file mode 100644
index 000000000..1a2876847
--- /dev/null
+++ b/src/patches/dehydrated-0.7.2_remove_nout_flag_from_time-based_validity_check.patch
@@ -0,0 +1,23 @@
+From 2e6933464e1d68352e9f58e36373ac9f092ecebb Mon Sep 17 00:00:00 2001
+From: Lukas Schauer <lukas@schauer.dev>
+Date: Tue, 3 Feb 2026 22:01:15 +0100
+Subject: [PATCH] remove noout flag from time-based validity check
+
+---
+ dehydrated | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dehydrated b/dehydrated
+index 48671513..beb54344 100755
+--- a/dehydrated
++++ b/dehydrated
+@@ -1952,7 +1952,7 @@ command_sign_domains() {
+       valid="$("${OPENSSL}" x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
+ 
+       printf " + Valid till %s " "${valid}"
+-      if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}" 2>&1 | grep -q "will not expire"); then
++      if ("${OPENSSL}" x509 -checkend $((RENEW_DAYS * 86400)) -in "${cert}" 2>&1 | grep -q "will not expire"); then
+         printf "(Longer than %d days). " "${RENEW_DAYS}"
+         if [[ "${force_renew}" = "yes" ]]; then
+           echo "Ignoring because renew was forced!"
+
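Review bot: The changed `-checkend` line drops `-noout`, but this patch's commit message body is empty, so the reason is not recorded anywhere in the change; the IPFire commit message only says that two upstream commits were applied. Please state why `-noout` has to go, either in the IPFire commit message or as a comment beside the corresponding `patch` line in `lfs/dehydrated`. Without `-noout` the certificate itself is also written to stdout and into the pipe; that is harmless with `grep -q`, but it is worth saying that this is intended.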


hooks/post-receive
--
IPFire 2.x development tree

