From 2d097c928cddd9ae6c917fab9dfee2951e921a28 Mon Sep 17 00:00:00 2001
From: Markus Germeier
Date: Wed, 16 Dec 2015 21:36:23 +0100
Subject: [PATCH] force a renew if given domain name(s) don't match the domain name(s) of the existing cert
---
 letsencrypt.sh | 26 +++++++++++++++++++++++---
 test.sh | 2 +-
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/letsencrypt.sh b/letsencrypt.sh
index 8762663..4a13832 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -413,6 +413,8 @@ command_sign_domains() {
 morenames="$(printf '%s\n' "${line}" | cut -s -d' ' -f2-)"
 cert="${BASEDIR}/certs/${domain}/cert.pem"
+ force_renew="${PARAM_FORCE:-no}"
+
 if [[ -z "${morenames}" ]];then
 echo "Processing ${domain}"
 else
@@ -420,15 +422,33 @@ command_sign_domains() {
 fi
 if [[ -e "${cert}" ]]; then
- echo " + Found existing cert..."
+ echo -n " + Checking domain name(s) of existing cert..."
+
+ certnames="$(openssl x509 -in "${cert}" -text -noout | grep DNS: | sed 's/DNS://g' | tr -d ' ' | tr ',' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//')"
+ givennames="$(echo "${domain}" "${morenames}"| tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//' | sed 's/^ //')"
+
+ if [[ "${certnames}" = "${givennames}" ]]; then
+ echo " unchanged."
+ else
+ echo " changed!"
+ echo " + Domain name(s) are not matching!"
+ echo " + Names in old certificate: ${certnames}"
+ echo " + Configured names: ${givennames}"
+ echo " + Forcing renew."
+ force_renew="yes"
+ fi
+ fi
+
+ if [[ -e "${cert}" ]]; then
+ echo " + Checking expire date of existing cert..."
 valid="$(openssl x509 -enddate -noout -in "${cert}" | cut -d= -f2- )"
 echo -n " + Valid till ${valid} "
 if openssl x509 -checkend $((RENEW_DAYS * 86400)) -noout -in "${cert}"; then
 echo -n "(Longer than ${RENEW_DAYS} days). "
- if [[ "${PARAM_FORCE:-}" = "yes" ]]; then
- echo "Ignoring because --force was specified!"
+ if [[ "${force_renew}" = "yes" ]]; then
+ echo "Ignoring because renew was forced!"
 else
 echo "Skipping!"
 continue
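Review bot: The comparison of `certnames` and `givennames` in the new block is byte-exact while DNS names are case-insensitive, so a mixed-case entry in domains.txt (or a CA that lower-cases names in the issued SAN) would print "changed!" and force a re-issuance on every cron run, which is exactly the repeated-request pattern that exhausts ACME rate limits; fold both sides through `tr '[:upper:]' '[:lower:]'` before `sort -u`, i.e. `... | tr ',' '\n' | tr '[:upper:]' '[:lower:]' | sort -u | ...` on the cert side and `... | tr ' ' '\n' | tr '[:upper:]' '[:lower:]' | sort -u | ...` on the configured side. `grep DNS:` also scans the whole `-text` dump rather than only the Subject Alternative Name extension, so a `DNS:` entry from any other extension (Issuer Alternative Name, Name Constraints) would be counted as a subject name and trigger the same forced renewal; at minimum record that with `# assumes DNS: entries only appear in the SAN extension`, or scope the grep to the line following `Subject Alternative Name`. If the script runs under `set -o pipefail`, a cert with no `DNS:` entries makes `grep` exit 1 and the `certnames=` assignment abort the whole run instead of just forcing a renew — the `set` line is not visible from this hunk, so confirm. `command_sign_domains` and its per-domain loop both begin before and continue after this hunk.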
diff --git a/test.sh b/test.sh
index b697f22..f5d3da2 100755
--- a/test.sh
+++ b/test.sh
@@ -138,7 +138,7 @@ _CHECK_ERRORLOG
 _TEST "Run in cron mode one last time, with domain in domains.txt and force-resign"
 echo "${TMP_URL}" >> domains.txt
 ./letsencrypt.sh --cron --force > tmplog 2> errorlog
-_CHECK_LOG "Ignoring because --force was specified"
+_CHECK_LOG "Ignoring because renew was forced!"
 _CHECK_NOT_LOG "Generating private key"
 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
 _CHECK_LOG "Challenge is valid!"
--
2.39.5