@danimo
Created September 30, 2020 10:48
A start at implementing --dry-run
diff --git a/dehydrated b/dehydrated
index 6c59db5..e1d1775 100755
--- a/dehydrated
+++ b/dehydrated
@@ -506,6 +506,7 @@ load_config() {
[[ -n "${PARAM_KEY_ALGO:-}" ]] && KEY_ALGO="${PARAM_KEY_ALGO}"
[[ -n "${PARAM_OCSP_MUST_STAPLE:-}" ]] && OCSP_MUST_STAPLE="${PARAM_OCSP_MUST_STAPLE}"
[[ -n "${PARAM_IP_VERSION:-}" ]] && IP_VERSION="${PARAM_IP_VERSION}"
+ [[ -n "${PARAM_DRY_RUN:-}" ]] && DRY_RUN="${PARAM_DRY_RUN}"
if [ ! "${1:-}" = "noverify" ]; then
verify_config
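Review bot: The new override copies PARAM_DRY_RUN into DRY_RUN, but no default for `DRY_RUN` appears anywhere in the patch, and all three new consumers test `"${DRY_RUN}"` with no fallback. If load_config does not already initialise it with the other defaults (that part of the function is outside this hunk), every non-dry-run call of command_sign_domains, command_revoke and command_cleanup will abort with an unbound-variable error once the script runs under `set -u`, which dehydrated is believed to enable near the top of the file. Suggest adding `DRY_RUN="no"` to the defaults block and testing `"${DRY_RUN:-no}"` at the call sites. Also worth deciding whether a `DRY_RUN=yes` line in the config file (assuming it can set this variable the way it sets the others overridden here) should be honoured at all, since a persistent setting would silently turn scheduled renewals into no-ops. load_config continues outside the hunk.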
@@ -1637,48 +1638,51 @@ command_sign_domains() {
local update_ocsp
update_ocsp="no"
- # Sign certificate for this domain
- if [[ ! "${skip}" = "yes" ]]; then
- update_ocsp="yes"
- [[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr"
- if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then
- skip_exit_hook=yes
- sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} &
- wait $! || exit_with_errorcode=1
- skip_exit_hook=no
- else
- sign_domain "${certdir}" ${timestamp} ${domain} ${morenames}
+ # Do not renew on dry-run
+ if [[ ! "${DRY_RUN}" = "yes" ]]; then
+ # Sign certificate for this domain
+ if [[ ! "${skip}" = "yes" ]]; then
+ update_ocsp="yes"
+ [[ -z "${csr}" ]] || printf "%s" "${csr}" > "${certdir}/cert-${timestamp}.csr"
+ if [[ "${PARAM_KEEP_GOING:-}" = "yes" ]]; then
+ skip_exit_hook=yes
+ sign_domain "${certdir}" ${timestamp} ${domain} ${morenames} &
+ wait $! || exit_with_errorcode=1
+ skip_exit_hook=no
+ else
+ sign_domain "${certdir}" ${timestamp} ${domain} ${morenames}
+ fi
fi
- fi
- if [[ "${OCSP_FETCH}" = "yes" ]]; then
- local ocsp_url
- ocsp_url="$(get_ocsp_url "${cert}")"
+ if [[ "${OCSP_FETCH}" = "yes" ]]; then
+ local ocsp_url
+ ocsp_url="$(get_ocsp_url "${cert}")"
- if [[ ! -e "${certdir}/ocsp.der" ]]; then
- update_ocsp="yes"
- elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then
- update_ocsp="yes"
- fi
+ if [[ ! -e "${certdir}/ocsp.der" ]]; then
+ update_ocsp="yes"
+ elif ! ("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respin "${certdir}/ocsp.der" -status_age $((OCSP_DAYS*24*3600)) 2>&1 | grep -q "${cert}: good"); then
+ update_ocsp="yes"
+ fi
- if [[ "${update_ocsp}" = "yes" ]]; then
- echo " + Updating OCSP stapling file"
- ocsp_timestamp="$(date +%s)"
- if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then
- ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" -header "HOST" "$(echo "${ocsp_url}" | _sed -e 's/^http(s?):\/\///' -e 's/\/.*$//g')" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
+ if [[ "${update_ocsp}" = "yes" ]]; then
+ echo " + Updating OCSP stapling file"
+ ocsp_timestamp="$(date +%s)"
+ if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then
+ ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" -header "HOST" "$(echo "${ocsp_url}" | _sed -e 's/^http(s?):\/\///' -e 's/\/.*$//g')" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
+ else
+ ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
+ fi
+ ln -sf "ocsp-${ocsp_timestamp}.der" "${certdir}/ocsp.der"
+ [[ -n "${HOOK}" ]] && (altnames="${domain} ${morenames}" "${HOOK}" "deploy_ocsp" "${domain}" "${certdir}/ocsp.der" "${ocsp_timestamp}" || _exiterr 'deploy_ocsp hook returned with non-zero exit code')
else
- ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
+ echo " + OCSP stapling file is still valid (skipping update)"
fi
- ln -sf "ocsp-${ocsp_timestamp}.der" "${certdir}/ocsp.der"
- [[ -n "${HOOK}" ]] && (altnames="${domain} ${morenames}" "${HOOK}" "deploy_ocsp" "${domain}" "${certdir}/ocsp.der" "${ocsp_timestamp}" || _exiterr 'deploy_ocsp hook returned with non-zero exit code')
- else
- echo " + OCSP stapling file is still valid (skipping update)"
fi
fi
done
reset_configvars
- # remove temporary domains.txt file if used
+ # remove temporary domains.txt file if used
[[ -n "${PARAM_DOMAIN:-}" ]] && rm -f "${DOMAINS_TXT}"
[[ -n "${HOOK}" ]] && ("${HOOK}" "exit_hook" || echo 'exit_hook returned with non-zero exit code!' >&2)
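Review bot: The guard opened with `if [[ ! "${DRY_RUN}" = "yes" ]]; then` has no `else`, so under --dry-run the signing loop prints nothing about what it would have done, unlike command_revoke and command_cleanup in the same patch, which print `Would ...` lines, and unlike the option's own description "Show which actions would be performed". The renew/skip decision in `skip` is made before this hunk, so it is available for reporting. Note as well that the `exit_hook` call at the end of the hunk sits outside the guard and still runs with --dry-run; if the startup hook (outside this hunk) does too, the user should be told hooks are not suppressed. Suggested `else` branch before the guard's closing `fi`:
```shell
      # … unchanged: signing and OCSP refresh inside the DRY_RUN guard …
      else
        if [[ "${skip}" = "yes" ]]; then
          echo " + Would skip ${domain} (certificate not due for renewal)"
        else
          echo " + Would sign certificate for ${domain} ${morenames}"
        fi
      fi
```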
@@ -1763,19 +1767,23 @@ command_revoke() {
fi
[[ -f "${cert}" ]] || _exiterr "Could not find certificate ${cert}"
- echo "Revoking ${cert}"
-
- cert64="$("${OPENSSL}" x509 -in "${cert}" -inform PEM -outform DER | urlbase64)"
- if [[ ${API} -eq 1 ]]; then
- response="$(signed_request "${CA_REVOKE_CERT}" '{"resource": "revoke-cert", "certificate": "'"${cert64}"'"}' | clean_json)"
+ if [[ "${DRY_RUN}" == "yes" ]]; then
+ echo "Would revoke ${cert}"
else
- response="$(signed_request "${CA_REVOKE_CERT}" '{"certificate": "'"${cert64}"'"}' | clean_json)"
+ echo "Revoking ${cert}"
+
+ cert64="$("${OPENSSL}" x509 -in "${cert}" -inform PEM -outform DER | urlbase64)"
+ if [[ ${API} -eq 1 ]]; then
+ response="$(signed_request "${CA_REVOKE_CERT}" '{"resource": "revoke-cert", "certificate": "'"${cert64}"'"}' | clean_json)"
+ else
+ response="$(signed_request "${CA_REVOKE_CERT}" '{"certificate": "'"${cert64}"'"}' | clean_json)"
+ fi
+ # if there is a problem with our revoke request _request (via signed_request) will report this and "exit 1" out
+ # so if we are here, it is safe to assume the request was successful
+ echo " + Done."
+ echo " + Renaming certificate to ${cert}-revoked"
+ mv -f "${cert}" "${cert}-revoked"
fi
- # if there is a problem with our revoke request _request (via signed_request) will report this and "exit 1" out
- # so if we are here, it is safe to assume the request was successful
- echo " + Done."
- echo " + Renaming certificate to ${cert}-revoked"
- mv -f "${cert}" "${cert}-revoked"
}
# Usage: --deactivate
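Review bot: `[[ "${DRY_RUN}" == "yes" ]]` uses `==` where the other two new checks in this patch (command_sign_domains, command_cleanup) use `=`; pick one form for the file. More substantively, the dry-run branch returns before `cert64="$("${OPENSSL}" x509 -in "${cert}" -inform PEM -outform DER | urlbase64)"`, so a dry run never exercises the local, side-effect-free step that the real run performs first and cannot tell the user that the file is not a parseable PEM certificate. Moving that `cert64=` assignment above the `if` keeps the dry run free of network and filesystem effects while still validating the input; the `signed_request` calls and the `mv -f "${cert}" "${cert}-revoked"` stay inside the `else`.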
@@ -1846,8 +1854,12 @@ command_cleanup() {
# Check if current file is in use, if unused move to archive directory
filename="$(basename "${file}")"
if [[ ! "$(unknown)" = "${current}" ]]; then
- echo "Moving unused file to archive directory: ${certname}/$(unknown)"
- mv "${certdir}/$(unknown)" "${archivedir}/$(unknown)"
+ if [[ "${DRY_RUN}" = "yes" ]]; then
+ echo "Would move unused file to archive directory: ${certname}/$(unknown)"
+ else
+ echo "Moving unused file to archive directory: ${certname}/$(unknown)"
+ mv "${certdir}/$(unknown)" "${archivedir}/$(unknown)"
+ fi
fi
done
done
@@ -2100,6 +2112,13 @@ main() {
PARAM_KEY_ALGO="${1}"
;;
+ # PARAM_Usage: --dry-run
+ # PARAM_Description: Show which actions would be performed without executing them
+ --dry-run)
+ shift 1
+ PARAM_DRY_RUN="yes"
+ ;;
+
*)
echo "Unknown parameter detected: ${1}" >&2
echo >&2
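Review bot: The `# PARAM_Description` comment documents the flag generically, but nothing tells the user which commands honour it or that hooks are not suppressed: in this patch only command_sign_domains, command_revoke and command_cleanup consult `DRY_RUN`, and the `exit_hook` invocation in command_sign_domains sits outside the dry-run guard. Since dehydrated appears to generate its `--help` output from these `PARAM_Usage`/`PARAM_Description` comments (inferred from the convention visible in this hunk), the description is the right place for that caveat: `# PARAM_Description: Show which actions would be performed without executing them (affects signing, --revoke and --cleanup; exit_hook still runs)`. main continues outside the hunk.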