Remove OCSP support.

bzed · bzed · commit cec1cfc0bf85 · 2024-12-12T12:39:34.000+01:00
See https://letsencrypt.org/2024/12/05/ending-ocsp/ for details.
diff --git a/README.md b/README.md
@@ -148,7 +148,7 @@ With the yaml snippet above you'd request the following certificates:
 
         # /usr/lib/nagios/plugins/check_statusfile /opt/dehydrated/monitoring.status
         dehydrated certificates: OK: 2, FAILED: 1
-        foo.example.com (from bar.example.com): OCSP update failed
+        foo.example.com (from bar.example.com): some error description
 
 
 ## Migrating from _bzed-letsencrypt_
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -30,7 +30,7 @@
 * `dehydrated::certificate::deploy`: Deploy collected certificate and CA files.
 * `dehydrated::certificate::dh`: Create the DH params file.
 * `dehydrated::certificate::request`: Prepare everything to request a certifificate for our CSRs.
-* `dehydrated::certificate::transfer`: Transfer crt/ca/ocsp files.
+* `dehydrated::certificate::transfer`: Transfer crt/ca files.
 
 ### Resource types
 
diff --git a/files/dehydrated_job_runner.rb b/files/dehydrated_job_runner.rb
@@ -83,70 +83,6 @@ def update_ca_chain(crt_file, ca_file)
   [stdout, stderr, status]
 end
 
-def update_ocsp(ocsp_file, crt_file, ca_file)
-  crt = OpenSSL::X509::Certificate.new(File.read(crt_file))
-  ca = OpenSSL::X509::Certificate.new(File.read(ca_file))
-  digest = OpenSSL::Digest::SHA1.new
-  certificate_id = OpenSSL::OCSP::CertificateId.new(crt, ca, digest)
-  request = OpenSSL::OCSP::Request.new
-  request.add_certid certificate_id
-
-  # seems LE doesn't handle nonces.
-  # request.add_nonce
-
-  ocsp_uri = _get_authority_url(crt, 'OCSP')
-
-  ocsp_response = ''
-  limit = 10
-  while limit > 0
-    path = if ocsp_uri.path.empty?
-             '/'
-           else
-             ocsp_uri.path
-           end
-    response = Net::HTTP.start ocsp_uri.hostname, ocsp_uri.port do |http|
-      http.post(
-        path,
-        request.to_der,
-        'content-type' => 'application/ocsp-request',
-      )
-    end
-    case response
-    when Net::HTTPSuccess then
-      ocsp_response = response.body
-      status = 0
-      stdout = ''
-      stderr = response.message
-    when Net::HTTPRedirection then
-      ocsp_uri = URI(response['location'])
-      limit -= 1
-      status = response.code
-      stdout = response.body
-      stderr = response.message
-      next
-    else
-      status = 1
-      stdout = ''
-      stderr = response.class.name
-    end
-    break
-  end
-
-  if status.zero? && ocsp_response != ''
-    ocsp = OpenSSL::OCSP::Response.new ocsp_response
-    store = OpenSSL::X509::Store.new
-    store.add_cert(ca)
-
-    if ocsp.basic # && ocsp.basic().verify([], store)
-      File.write(ocsp_file, ocsp.to_der)
-    else
-      status = 1
-      stderr = stdout = 'OCSP verification failed'
-    end
-  end
-  [stdout, stderr, status.to_i]
-end
-
 def register_account(dehydrated_config)
   run_dehydrated(dehydrated_config, '--accept-terms --register')
 end
@@ -236,7 +172,6 @@ def handle_request(fqdn, dn, config)
   csr_content = config['csr_content']
   csr_file = File.join(request_base_dir, "#{base_filename}.csr")
   ca_file = File.join(request_base_dir, "#{base_filename}_ca.pem")
-  ocsp_file = "#{crt_file}.ocsp"
   subject_alternative_names = config['subject_alternative_names'].sort.uniq
   dehydrated_domain_validation_hook_script = config['dehydrated_domain_validation_hook_script']
   dehydrated_hook_script = config['dehydrated_hook_script']
@@ -253,6 +188,10 @@ def handle_request(fqdn, dn, config)
                         new_dn_config
                       end
 
+  # clean up OCSP files as they are not supported by letsencrypt anymore.
+  ocsp_file = "#{crt_file}.ocsp"
+  File.delete(ocsp_file) if File.exist?(ocsp_file)
+
   # register / update account
   # prior to 2024-04, the config did not contain the request_account_dir.  Fall back to the
   # previous method if we don't have request_account_dir in the config (yet?).
@@ -319,25 +258,12 @@ def handle_request(fqdn, dn, config)
     if status > 0 || !cert_still_valid(crt_file)
       return ['CSR signing failed', stdout, stderr, status] if status > 0
     end
-    # remove ocsp file after getting a new certificate
-    if status.zero? && File.exist?(ocsp_file)
-      File.delete(ocsp_file)
-    end
   end
 
   # track currently used config
   # we do this before the OCSP stuff as we have a valid cert already.
   File.write(dn_config_file, JSON.generate(new_dn_config))
 
-  if cert_still_valid(crt_file)
-    ocsp_uptodate = File.exist?(ocsp_file) &&
-                    (File.mtime(ocsp_file) + 24 * 60 * 60) > Time.now &&
-                    File.mtime(ocsp_file) > File.mtime(crt_file)
-    unless ocsp_uptodate
-      stdout, stderr, status = update_ocsp(ocsp_file, crt_file, ca_file)
-      return ['OCSP update failed', stdout, stderr, status] if status > 0
-    end
-  end
   old_env.each do |key, value|
     ENV[key] = value
   end
diff --git a/lib/facter/dehydrated_certificates.rb b/lib/facter/dehydrated_certificates.rb
@@ -3,14 +3,6 @@
 require 'openssl'
 require 'base64'
 
-def get_ocsp(ocsp)
-  if File.exist?(ocsp)
-    Base64.strict_encode64(File.read(ocsp))
-  else
-    nil
-  end
-end
-
 def get_file(filename)
   if File.exist?(filename)
     File.read(filename)
@@ -51,8 +43,6 @@ def handle_requests(config)
             ca_file = "#{request_base_dir}/#{base_filename}_ca.pem"
             requests[request_fqdn][dn]['ca'] = get_file(ca_file)
           end
-          ocsp_file = "#{crt_file}.ocsp"
-          requests[request_fqdn][dn]['ocsp'] = get_ocsp(ocsp_file)
         end
       end
     end
diff --git a/lib/puppet/functions/dehydrated/file.rb b/lib/puppet/functions/dehydrated/file.rb
@@ -17,11 +17,7 @@ def getfile(files, *more_files)
         raise(Puppet::ParseError, 'Files must be fully qualified')
       end
       next unless File.exist?(file)
-      ret = if %r{.*\.ocsp$}.match?(file)
-              Base64.strict_encode64(File.read(file))
-            else
-              File.read(file)
-            end
+      ret = File.read(file)
     end
     ret
   end
diff --git a/manifests/certificate/collect.pp b/manifests/certificate/collect.pp
@@ -31,10 +31,8 @@
     $dehydrated_requests_dir = $dehydrated::dehydrated_requests_dir
     $crt_file = "${request_base_dir}/${request_base_filename}.crt"
     $ca_file = "${request_base_dir}/${request_base_filename}_ca.pem"
-    $ocsp_file = "${crt_file}.ocsp"
 
     $crt = dehydrated::file($crt_file)
-    $ocsp = dehydrated::file($ocsp_file)
     $ca = dehydrated::file($ca_file)
   } else {
     # we are on a non-puppetmaster host
@@ -50,14 +48,6 @@
       } else {
         $crt = undef
       }
-      if (
-        'ocsp' in $config and
-        $config['ocsp'] =~ Stdlib::Base64
-      ) {
-        $ocsp = String(Binary($config['ocsp']))
-      } else {
-        $ocsp = undef
-      }
       if 'ca' in $config {
         $ca = $config['ca']
       } else {
@@ -66,7 +56,6 @@
     } else {
       notify { 'No dehydrated certificate config from facter :(' : }
       $crt = undef
-      $ocsp = undef
       $ca = undef
     }
   }
@@ -89,13 +78,4 @@
       request_base_filename => $request_base_filename,
     }
   }
-  if ($ocsp) {
-    @@dehydrated::certificate::transfer { "${name}-transfer-ocsp" :
-      file_type             => 'ocsp',
-      request_dn            => $request_dn,
-      request_fqdn          => $request_fqdn,
-      file_content          => $ocsp,
-      request_base_filename => $request_base_filename,
-    }
-  }
 }
diff --git a/manifests/certificate/transfer.pp b/manifests/certificate/transfer.pp
@@ -1,6 +1,6 @@
-# Used as exported ressource to ransfer crt/ca/ocsp files.
+# Used as exported ressource to ransfer crt/ca files.
 #
-# @summary Transfer crt/ca/ocsp files.
+# @summary Transfer crt/ca files.
 #
 # @example
 #   dehydrated::certificate::transfer { 'namevar':
@@ -13,7 +13,7 @@
 # @api private
 #
 define dehydrated::certificate::transfer (
-  Enum['crt', 'ca', 'ocsp'] $file_type,
+  Enum['crt', 'ca'] $file_type,
   Dehydrated::DN $request_dn,
   Stdlib::Fqdn $request_fqdn,
   String $request_base_filename,
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -252,16 +252,11 @@
 
     $transfer_data = puppetdb_query($transfer_query)
     $transfer_data.each |$transfer| {
-      if ($transfer['parameters.file_type'] == 'ocsp') {
-        $content = base64('decode', $transfer['parameters.file_content'])
-      } else {
-        $content = $transfer['parameters.file_content']
-      }
+      $content = $transfer['parameters.file_content']
 
       $filenames = {
         'ca'   => "${crt_dir}/${_base_filename}_ca.pem",
         'crt'  => "${crt_dir}/${_base_filename}.crt",
-        'ocsp' => "${crt_dir}/${_base_filename}.crt.ocsp",
       }
 
       $filename = $filenames[$transfer['parameters.file_type']]

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`		`-# Used as exported ressource to ransfer crt/ca/ocsp files.`
	`1`	`+# Used as exported ressource to ransfer crt/ca files.`
`2`	`2`	`#`
`3`		`-# @summary Transfer crt/ca/ocsp files.`
	`3`	`+# @summary Transfer crt/ca files.`
`4`	`4`	`#`
`5`	`5`	`# @example`
`6`	`6`	`# dehydrated::certificate::transfer { 'namevar':`
`@@ -13,7 +13,7 @@`
`13`	`13`	`# @api private`
`14`	`14`	`#`
`15`	`15`	`define dehydrated::certificate::transfer (`
`16`		`- Enum['crt', 'ca', 'ocsp'] $file_type,`
	`16`	`+ Enum['crt', 'ca'] $file_type,`
`17`	`17`	`Dehydrated::DN $request_dn,`
`18`	`18`	`Stdlib::Fqdn $request_fqdn,`
`19`	`19`	`String $request_base_filename,`