RENEW_DAYS="14"
KEYSIZE="4096"
WELLKNOWN=".acme-challenges"
+PRIVATE_KEY_RENEW=no
if [[ -e "config.sh" ]]; then
. ./config.sh
altnames="${*}"
echo "Signing domain ${1} (${*})..."
- # If there is no existing certificate directory we need a new private key
+ # If there is no existing certificate directory => make it
if [[ ! -e "certs/${domain}" ]]; then
+ echo " + make directory certs/${domain} ..."
mkdir -p "certs/${domain}"
+ fi
+
+ # generate a new private key if we need or want one
+ if [[ ! -f "certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
echo " + Generating private key..."
- openssl genrsa -out "certs/${domain}/privkey.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+ timestamp="$(date +%s)"
+ openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+ rm -f "certs/${domain}/privkey.pem"
+ ln -s "privkey-${timestamp}.pem" "certs/${domain}/privkey.pem"
fi
# Generate signing request config and the actual signing request
echo -n "Found existing cert for ${domain}. Expire date ..."
set +e; openssl x509 -checkend $((${RENEW_DAYS} * 86400)) -noout -in "certs/${domain}/cert.pem"; expiring=$?; set -e
if [[ ${expiring} -eq 0 ]]; then
- echo " is not within ${RENEW_DAYS} days. Skipping"
+ valid=$(openssl x509 -enddate -noout -in "certs/${domain}/cert.pem" | cut -d= -f2- )
+ echo " ${valid} Skipping. (Valid longer than ${RENEW_DAYS} days.)"
continue
fi
echo " is within ${RENEW_DAYS} days. Renewing..."
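Review bot: The new key file written by the `openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem"` call gets whatever mode the process umask and the installed OpenSSL build give it; nothing in the hunk restricts it, so on versions where genrsa does not itself force 0600 the private key can land readable by every local user. Make the mode explicit regardless of the caller's umask: `(umask 077; openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null)`. Note also that `rm -f "certs/${domain}/privkey.pem"` only removes the symlink, so every earlier `privkey-<timestamp>.pem` stays on disk after a PRIVATE_KEY_RENEW=yes run; if keeping old keys is intended, say so in the comment above the block (`# previous keys are kept as privkey-<timestamp>.pem and are not removed here`), otherwise they should be deleted once the new key is in use. The enclosing per-domain loop and the assignment of `${domain}` begin outside this hunk.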