change openssl to use enddate for expiry date check
index 26d0b3343f20718050408f61b2fbb005f6794553..cec6ebc9ab7c34c6839c82cf8039766dd38cbb00 100755 (executable)
@@ -11,6 +11,7 @@ HOOK_CHALLENGE=
 RENEW_DAYS="14"
 KEYSIZE="4096"
 WELLKNOWN=".acme-challenges"
+PRIVATE_KEY_RENEW=no
 
 if [[ -e "config.sh" ]]; then
   . ./config.sh
@@ -102,11 +103,19 @@ sign_domain() {
   altnames="${*}"
   echo "Signing domain ${1} (${*})..."
 
-  # If there is no existing certificate directory we need a new private key
+  # If there is no existing certificate directory => make it
   if [[ ! -e "certs/${domain}" ]]; then
+    echo "  + make directory certs/${domain} ..."
     mkdir -p "certs/${domain}"
+  fi
+
+  # generate a new private key if we need or want one
+  if [[ ! -f "certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
     echo "  + Generating private key..."
-    openssl genrsa -out "certs/${domain}/privkey.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+    timestamp="$(date +%s)"
+    openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
+    rm -f "certs/${domain}/privkey.pem"
+    ln -s "privkey-${timestamp}.pem" "certs/${domain}/privkey.pem"
   fi
 
   # Generate signing request config and the actual signing request
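Review bot: The `rm -f "certs/${domain}/privkey.pem"` added after the genrsa call discards the only copy of the current key on installations that predate this change, where privkey.pem is a regular file rather than a symlink, and it does so before the new certificate has been issued, so a failed signing run leaves cert.pem with no matching key. Guard it so a real file is preserved rather than removed, e.g. `[[ -L "certs/${domain}/privkey.pem" ]] || mv -f "certs/${domain}/privkey.pem" "certs/${domain}/privkey-${timestamp}.old.pem"` in place of the `rm -f`. The new `privkey-${timestamp}.pem` is also written under the caller's umask, so with a typical 022 the private key is created world-readable; wrapping the generation as `(umask 077; openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2>/dev/null >/dev/null)` scopes the restriction to that one command. Note too that a second run within the same second (possible with PRIVATE_KEY_RENEW=yes) reuses the same `date +%s` name and silently overwrites the key just generated. The rest of sign_domain continues outside this hunk.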
@@ -212,7 +221,8 @@ fi
     echo -n "Found existing cert for ${domain}. Expire date ..."
     set +e; openssl x509 -checkend $((${RENEW_DAYS} * 86400)) -noout -in "certs/${domain}/cert.pem"; expiring=$?; set -e
     if [[ ${expiring} -eq 0 ]]; then
-        echo " is not within ${RENEW_DAYS} days. Skipping"
+       valid=$(openssl x509 -enddate -noout -in "certs/${domain}/cert.pem" | cut -d= -f2- )
+       echo " ${valid} Skipping. (Valid longer than ${RENEW_DAYS} days.)"
         continue
     fi
     echo " is within ${RENEW_DAYS} days. Renewing..."
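Review bot: The new `valid=$(openssl x509 -enddate ... | cut -d= -f2- )` line hides an openssl failure, because the pipeline's status is cut's and the script does not set pipefail (the surrounding code relies on `set -e`, as the `set +e; ...; set -e` dance two lines up shows), so a corrupt cert.pem would print an empty date and still be reported as "Skipping". Dropping the pipe keeps the exit status and avoids a fork: `valid=$(openssl x509 -enddate -noout -in "certs/${domain}/cert.pem")` followed by `valid="${valid#notAfter=}"`. The two added lines are also indented with 7 spaces while the rest of the block uses 8; please align them. The enclosing loop begins outside this hunk.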