From: Lukas Schauer
Date: Sun, 8 May 2016 13:51:11 +0000 (+0200)
Subject: Removed option to reuse old private keys.
X-Git-Url: https://git.street.me.uk/andy/dehydrated.git/commitdiff_plain/4dc99533195a91a2329fe9bee38fd9a628ef9c05

Removed option to reuse old private keys.

I have no idea why I thought reusing the keys would be a good idea when I first started this...
---

diff --git a/CHANGELOG b/CHANGELOG
index 694bbeb..6cc9201 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ This file contains a log of major changes in letsencrypt.sh
 - PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys
 - deploy_cert hook now also has the certificates timestamp as standalone parameter
 - Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX)
+- Private keys are no longer reused
 
 ### Added
 - Added documentation to repository
diff --git a/docs/examples/config.sh.example b/docs/examples/config.sh.example
index 9bb943d..3ccb75b 100644
--- a/docs/examples/config.sh.example
+++ b/docs/examples/config.sh.example
@@ -63,9 +63,6 @@
 # Minimum days before expiration to automatically renew certificate (default: 30)
 #RENEW_DAYS="30"
 
-# Regenerate private keys instead of just signing new certificates on renewal (default: no)
-#PRIVATE_KEY_RENEW="no"
-
 # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
 #KEY_ALGO=rsa
 
diff --git a/letsencrypt.sh b/letsencrypt.sh
index 99493d0..cf827cc 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -71,7 +71,6 @@ load_config() {
 ACCOUNT_KEY_JSON=
 KEYSIZE="4096"
 WELLKNOWN=
- PRIVATE_KEY_RENEW="no"
 KEY_ALGO=rsa
 OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
 CONTACT_EMAIL=
@@ -503,16 +502,12 @@ sign_domain() {
 mkdir -p "${BASEDIR}/certs/${domain}"
 fi
 
- privkey="privkey.pem"
- # generate a new private key if we need or want one
- if [[ ! -r "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
- echo " + Generating private key..."
- privkey="privkey-${timestamp}.pem"
- case "${KEY_ALGO}" in
- rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
- prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
- esac
- fi
+ echo " + Generating private key..."
+ privkey="privkey-${timestamp}.pem"
+ case "${KEY_ALGO}" in
+ rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
+ prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
+ esac
 
 # Generate signing request config and the actual signing request
 echo " + Generating signing request..."
@@ -766,7 +761,7 @@ command_help() {
 command_env() {
 echo "# letsencrypt.sh configuration"
 load_config
- typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE
+ typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN OPENSSL_CNF CONTACT_EMAIL LOCKFILE
 }
 
 # Main method (parses script arguments and calls command_* methods)
diff --git a/test.sh b/test.sh
index 2e633c9..fac48fe 100755
--- a/test.sh
+++ b/test.sh
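Review bot: The `case "${KEY_ALGO}"` in the added lines has no default arm, so an unrecognised KEY_ALGO silently generates nothing and the code continues with `privkey` naming a file that was never written; since key generation now runs on every signing, this path is reached on each renewal rather than only on first issue. Add `*) echo "Unsupported KEY_ALGO: ${KEY_ALGO}" >&2; exit 1;;` before `esac`, or verify `[[ -r "${BASEDIR}/certs/${domain}/${privkey}" ]]` right after it. A fresh key per run also means any key-pinning deployment (HPKP, DANE/TLSA) breaks on renewal, and the earlier `privkey-*.pem` files presumably stay on disk unless removed elsewhere; a comment above the `echo`, `# A new private key is generated on every signing; key pinning must allow for rotation`, would make the intent explicit. sign_domain's body starts and ends outside the hunk.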
@@ -140,6 +140,7 @@ _TEST "Run in cron mode again, this time adding third domain, should force renew
 ./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
 _CHECK_LOG "Domain name(s) are not matching!"
 _CHECK_LOG "Forcing renew."
+_CHECK_LOG "Generating private key"
 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
@@ -164,7 +165,7 @@ _TEST "Run in cron mode one last time, with domain in domains.txt and force-resi
 ./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
 _CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
 _CHECK_LOG "Ignoring because renew was forced!"
-_CHECK_NOT_LOG "Generating private key"
+_CHECK_LOG "Generating private key"
 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
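Review bot: Flipping `_CHECK_NOT_LOG` to `_CHECK_LOG` in the @@ -164 hunk only proves the "Generating private key" message was printed; it does not verify that the forced run actually signed with a key different from the previous run's, which is the property this commit changes. A stronger check would compare the private key used before and after the forced run, for example by comparing the public-key fingerprints of the two `privkey-*.pem` files and failing if they are identical; the cert directory layout is not visible in this hunk, so the exact paths would need to come from the test's setup. The same applies to the added `_CHECK_LOG` in the @@ -140 hunk above.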