- PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys
- deploy_cert hook now also has the certificates timestamp as standalone parameter
- Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX)
-- Private keys are no longer reused
### Added
- Added documentation to repository
# Minimum days before expiration to automatically renew certificate (default: 30)
#RENEW_DAYS="30"
+# Regenerate private keys instead of just signing new certificates on renewal (default: no)
+#PRIVATE_KEY_RENEW="no"
+
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=rsa
ACCOUNT_KEY_JSON=
KEYSIZE="4096"
WELLKNOWN=
+ PRIVATE_KEY_RENEW="no"
KEY_ALGO=rsa
OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
CONTACT_EMAIL=
mkdir -p "${BASEDIR}/certs/${domain}"
fi
- echo " + Generating private key..."
- privkey="privkey-${timestamp}.pem"
- case "${KEY_ALGO}" in
- rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
- prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
- esac
+ privkey="privkey.pem"
+ # generate a new private key if we need or want one
+ if [[ ! -r "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
+ echo " + Generating private key..."
+ privkey="privkey-${timestamp}.pem"
+ case "${KEY_ALGO}" in
+ rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
+ prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
+ esac
+ fi
# Generate signing request config and the actual signing request
echo " + Generating signing request..."
command_env() {
echo "# letsencrypt.sh configuration"
load_config
- typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN OPENSSL_CNF CONTACT_EMAIL LOCKFILE
+ typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE
}
# Main method (parses script arguments and calls command_* methods)
./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Domain name(s) are not matching!"
_CHECK_LOG "Forcing renew."
-_CHECK_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
_CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
_CHECK_LOG "Ignoring because renew was forced!"
-_CHECK_LOG "Generating private key"
+_CHECK_NOT_LOG "Generating private key"
_CHECK_LOG "Requesting challenge for ${TMP_URL}"
_CHECK_LOG "Requesting challenge for ${TMP2_URL}"
_CHECK_LOG "Requesting challenge for ${TMP3_URL}"
projects / andy / dehydrated.git / commitdiff