Removed option to reuse old private keys.

author Lukas Schauer <lukas@schauer.so>

Sun, 8 May 2016 13:51:11 +0000 (15:51 +0200)

committer Lukas Schauer <lukas@schauer.so>

Sun, 8 May 2016 13:57:15 +0000 (15:57 +0200)
author Lukas Schauer <lukas@schauer.so>
Sun, 8 May 2016 13:51:11 +0000 (15:51 +0200)
committer Lukas Schauer <lukas@schauer.so>
Sun, 8 May 2016 13:57:15 +0000 (15:57 +0200)
diff --git a/CHANGELOG b/CHANGELOG

index 694bbeb3101d9463272629f46e4e8cd2e455a363..6cc9201e20e37a28ac2b61eb4f37a35ee264df77 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ This file contains a log of major changes in letsencrypt.sh
  - PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys
  - deploy_cert hook now also has the certificates timestamp as standalone parameter
  - Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX)
+- Private keys are no longer reused
  
  ### Added
  - Added documentation to repository
diff --git a/docs/examples/config.sh.example b/docs/examples/config.sh.example

index 9bb943dc766cc971be8997df04428171c640b1a9..3ccb75bcff415cf729476629dae677f9eede9c22 100644 (file)
--- a/docs/examples/config.sh.example
+++ b/docs/examples/config.sh.example
@@ -63,9 +63,6 @@
  # Minimum days before expiration to automatically renew certificate (default: 30)
  #RENEW_DAYS="30"
  
-# Regenerate private keys instead of just signing new certificates on renewal (default: no)
-#PRIVATE_KEY_RENEW="no"
-
  # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
  #KEY_ALGO=rsa
  
diff --git a/letsencrypt.sh b/letsencrypt.sh

index 99493d0ac0ef0e287ce8e0b46aa7ba352f4095bd..cf827cc662fab0b8415b347fa0762d3631e1666a 100755 (executable)
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -71,7 +71,6 @@ load_config() {
    ACCOUNT_KEY_JSON=
    KEYSIZE="4096"
    WELLKNOWN=
-  PRIVATE_KEY_RENEW="no"
    KEY_ALGO=rsa
    OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
    CONTACT_EMAIL=
@@ -503,16 +502,12 @@ sign_domain() {
      mkdir -p "${BASEDIR}/certs/${domain}"
    fi
  
-  privkey="privkey.pem"
-  # generate a new private key if we need or want one
-  if [[ ! -r "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
-    echo " + Generating private key..."
-    privkey="privkey-${timestamp}.pem"
-    case "${KEY_ALGO}" in
-      rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
-      prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
-    esac
-  fi
+  echo " + Generating private key..."
+  privkey="privkey-${timestamp}.pem"
+  case "${KEY_ALGO}" in
+    rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
+    prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
+  esac
  
    # Generate signing request config and the actual signing request
    echo " + Generating signing request..."
@@ -766,7 +761,7 @@ command_help() {
  command_env() {
    echo "# letsencrypt.sh configuration"
    load_config
-  typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE
+  typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN OPENSSL_CNF CONTACT_EMAIL LOCKFILE
  }
  
  # Main method (parses script arguments and calls command_* methods)
diff --git a/test.sh b/test.sh

index 2e633c9b627cb2c62e7ce262978c96060a380935..fac48fe5a193d4adbb753731e17304f5068bb1e7 100755 (executable)
--- a/test.sh
+++ b/test.sh
@@ -140,6 +140,7 @@ _TEST "Run in cron mode again, this time adding third domain, should force renew
  ./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
  _CHECK_LOG "Domain name(s) are not matching!"
  _CHECK_LOG "Forcing renew."
+_CHECK_LOG "Generating private key"
  _CHECK_LOG "Requesting challenge for ${TMP_URL}"
  _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
  _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
@@ -164,7 +165,7 @@ _TEST "Run in cron mode one last time, with domain in domains.txt and force-resi
  ./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
  _CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
  _CHECK_LOG "Ignoring because renew was forced!"
-_CHECK_NOT_LOG "Generating private key"
+_CHECK_LOG "Generating private key"
  _CHECK_LOG "Requesting challenge for ${TMP_URL}"
  _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
  _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
author	Lukas Schauer <lukas@schauer.so>
	Sun, 8 May 2016 13:51:11 +0000 (15:51 +0200)
committer	Lukas Schauer <lukas@schauer.so>
	Sun, 8 May 2016 13:57:15 +0000 (15:57 +0200)
CHANGELOG		patch \| blob \| blame \| history
docs/examples/config.sh.example		patch \| blob \| blame \| history
letsencrypt.sh		patch \| blob \| blame \| history
test.sh		patch \| blob \| blame \| history