From: Lukas Schauer 
Date: Sun, 6 Dec 2015 15:47:58 +0000 (+0100) 
Subject: Merge pull request #12 from germeier/newkeys 
X-Git-Url: https://git.street.me.uk/andy/dehydrated.git/commitdiff_plain/ae8e5c8e17ca1487ade53b40714a5e869ff58b78?hp=-c 
Merge pull request #12 from germeier/newkeys 
generate a new private key for each csr if the user wishes so 
--- ae8e5c8e17ca1487ade53b40714a5e869ff58b78 
diff --combined letsencrypt.sh 
index 26d0b33,cc000d1..2f6e0f2 
--- a/letsencrypt.sh 
+++ b/letsencrypt.sh 
@@@ -11,6 -11,7 +11,7 @@@ HOOK_CHALLENGE 
RENEW_DAYS="14" 
KEYSIZE="4096" 
WELLKNOWN=".acme-challenges" 
+ PRIVATE_KEY_RENEW=no 
if [[ -e "config.sh" ]]; then 
. ./config.sh 
@@@ -51,27 -52,22 +52,27 @@@ hex2bin() 
} 
_request() { 
- temperr="$(mktemp)" 
+ tempcont="$(mktemp)" 
+ 
if [[ "${1}" = "head" ]]; then 
- curl -sSf -I "${2}" 2> "${temperr}" 
+ statuscode="$(curl -s -w "%{http_code}" -o "${tempcont}" "${2}" -I)" 
elif [[ "${1}" = "get" ]]; then 
- curl -sSf "${2}" 2> "${temperr}" 
+ statuscode="$(curl -s -w "%{http_code}" -o "${tempcont}" "${2}")" 
elif [[ "${1}" = "post" ]]; then 
- curl -sSf "${2}" -d "${3}" 2> "${temperr}" 
+ statuscode="$(curl -s -w "%{http_code}" -o "${tempcont}" "${2}" -d "${3}")" 
fi 
- if [[ -s "${temperr}" ]]; then 
- echo " + ERROR: An error occured while sending ${1}-request to ${2} ($(<"${temperr}"))" >&2 
- rm -f "${temperr}" 
+ if [[ ! "${statuscode:0:1}" = "2" ]]; then 
+ echo " + ERROR: An error occured while sending ${1}-request to ${2} (Status ${statuscode})" >&2 
+ echo >&2 
+ echo "Details:" >&2 
+ echo "$(<"${tempcont}"))" >&2 
+ rm -f "${tempcont}" 
exit 1 
fi 
- rm -f "${temperr}" 
+ cat "${tempcont}" 
+ rm -f "${tempcont}" 
} 
signed_request() { 
@@@ -102,11 -98,19 +103,19 @@@ sign_domain() 
altnames="${*}" 
echo "Signing domain ${1} (${*})..." 
- # If there is no existing certificate directory we need a new private key 
+ # If there is no existing certificate directory => make it 
if [[ ! -e "certs/${domain}" ]]; then 
+ echo " + make directory certs/${domain} ..." 
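Review bot: The new error branch of `_request` prints the response body with `echo "$(<"${tempcont}"))" >&2`, which has an unbalanced parenthesis: the command substitution closes at the first `)`, so a literal `)` is appended to every error dump. Use `printf '%s\n' "$(<"${tempcont}")" >&2` instead, which also keeps `echo` from interpreting a server-supplied body that happens to start with `-n` or `-e`. The switch from `curl -sSf` to `curl -s` also drops `-S`, so a transport failure (DNS, TLS verification) now surfaces only as `Status 000` with an empty body; keeping `-S` would let curl's own diagnostic reach stderr, which matters when the failure is a certificate problem. If `${1}` is none of head/get/post, `statuscode` stays unset and, as far as I can tell, the check on `${statuscode:0:1}` would still trip on an empty status, which is acceptable but worth a comment.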
mkdir -p "certs/${domain}" 
+ fi 
+ 
+ # generate a new private key if we need or want one 
+ if [[ ! -f "certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then 
echo " + Generating private key..." 
- openssl genrsa -out "certs/${domain}/privkey.pem" "${KEYSIZE}" 2> /dev/null > /dev/null 
+ timestamp="$(date +%s)" 
+ openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null 
+ rm -f "certs/${domain}/privkey.pem" 
+ ln -s "privkey-${timestamp}.pem" "certs/${domain}/privkey.pem" 
fi 
# Generate signing request config and the actual signing request
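Review bot: In the new key-rotation branch of `sign_domain` the exit status of `openssl genrsa` is never checked while its stderr is discarded, and the working `privkey.pem` is removed unconditionally on the next line, so a failed generation (unsupported `KEYSIZE`, full disk, missing openssl) leaves the domain with a dangling symlink to an empty or absent key. Gate the swap on success, e.g. `openssl genrsa -out "certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null || { echo " + ERROR: could not generate private key" >&2; exit 1; }`, before the `rm -f` and `ln -s`. The mode of the new key file is whatever the process umask yields and no `umask` is visible in this hunk; unless the script sets a restrictive one elsewhere, consider a `chmod 600` on the generated file, since (as far as I recall) OpenSSL 1.0.x `genrsa -out` creates it with ordinary fopen permissions. Rotated keys accumulate as `privkey-<timestamp>.pem` and are never removed, which may be intended for rollback but deserves a comment such as `# old keys are kept on disk; prune them manually`. `sign_domain` continues past the end of the hunk.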