From af2bc7a94f1ca4534a2b0ff860adc616b94256ac Mon Sep 17 00:00:00 2001
From: Lukas Schauer
Date: Tue, 10 May 2016 22:11:57 +0200
Subject: [PATCH] Revert "Removed option to reuse old private keys." (useful for HKPK, see #195)

This reverts commit 4dc99533195a91a2329fe9bee38fd9a628ef9c05.
---
 CHANGELOG                       | 1 -
 docs/examples/config.sh.example | 3 +++
 letsencrypt.sh                  | 19 ++++++++++++-------
 test.sh                         | 3 +--
 4 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 6cc9201..694bbeb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,7 +6,6 @@ This file contains a log of major changes in letsencrypt.sh
 - PRIVATE_KEY config parameter has been renamed to ACCOUNT_KEY to avoid confusion with certificate keys
 - deploy_cert hook now also has the certificates timestamp as standalone parameter
 - Temporary files are now identifiable (template: letsencrypt.sh-XXXXXX)
-- Private keys are no longer reused
 
 ### Added
 - Added documentation to repository
diff --git a/docs/examples/config.sh.example b/docs/examples/config.sh.example
index 3ccb75b..9bb943d 100644
--- a/docs/examples/config.sh.example
+++ b/docs/examples/config.sh.example
@@ -63,6 +63,9 @@
 # Minimum days before expiration to automatically renew certificate (default: 30)
 #RENEW_DAYS="30"
 
+# Regenerate private keys instead of just signing new certificates on renewal (default: no)
+#PRIVATE_KEY_RENEW="no"
+
 # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
 #KEY_ALGO=rsa
 
diff --git a/letsencrypt.sh b/letsencrypt.sh
index cf827cc..99493d0 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -71,6 +71,7 @@ load_config() {
   ACCOUNT_KEY_JSON=
   KEYSIZE="4096"
   WELLKNOWN=
+  PRIVATE_KEY_RENEW="no"
   KEY_ALGO=rsa
   OPENSSL_CNF="$(openssl version -d | cut -d\" -f2)/openssl.cnf"
   CONTACT_EMAIL=
@@ -502,12 +503,16 @@ sign_domain() {
     mkdir -p "${BASEDIR}/certs/${domain}"
   fi
 
-  echo " + Generating private key..."
-  privkey="privkey-${timestamp}.pem"
-  case "${KEY_ALGO}" in
-    rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
-    prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
-  esac
+  privkey="privkey.pem"
+  # generate a new private key if we need or want one
+  if [[ ! -r "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
+    echo " + Generating private key..."
+    privkey="privkey-${timestamp}.pem"
+    case "${KEY_ALGO}" in
+      rsa) _openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}";;
+      prime256v1|secp384r1) _openssl ecparam -genkey -name "${KEY_ALGO}" -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem";;
+    esac
+  fi
 
   # Generate signing request config and the actual signing request
   echo " + Generating signing request..."
@@ -761,7 +766,7 @@ command_help() {
 command_env() {
   echo "# letsencrypt.sh configuration"
   load_config
-  typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN OPENSSL_CNF CONTACT_EMAIL LOCKFILE
+  typeset -p CA LICENSE CHALLENGETYPE HOOK HOOK_CHAIN RENEW_DAYS ACCOUNT_KEY ACCOUNT_KEY_JSON KEYSIZE WELLKNOWN PRIVATE_KEY_RENEW OPENSSL_CNF CONTACT_EMAIL LOCKFILE
 }
 
 # Main method (parses script arguments and calls command_* methods)
diff --git a/test.sh b/test.sh
index fac48fe..2e633c9 100755
--- a/test.sh
+++ b/test.sh
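Review bot: The reuse branch on the new `if` line accepts any readable privkey.pem without relating it to the configured key parameters, so once a key exists, changing KEY_ALGO or KEYSIZE has no effect unless PRIVATE_KEY_RENEW is exactly `yes`; the comparison is case-sensitive, so a value like "Yes" or "true" silently keeps the old key. Since the default restored here is "no", a key that has been exposed is carried across every renewal until the operator opts in, which the one-line comment above the `if` does not convey; I would extend it to `# NOTE: an existing privkey.pem is reused as-is; KEY_ALGO/KEYSIZE changes and key rotation (e.g. after a suspected key compromise) require PRIVATE_KEY_RENEW="yes"`. What privkey.pem resolves to when reused (presumably a link to the most recent privkey-<timestamp>.pem) is not visible in this hunk, so I cannot tell whether the `-r` test also covers a stale or dangling link. sign_domain continues outside the hunk on both sides.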
@@ -140,7 +140,6 @@ _TEST "Run in cron mode again, this time adding third domain, should force renew
 ./letsencrypt.sh --cron --domain "${TMP_URL}" --domain "${TMP2_URL}" --domain "${TMP3_URL}" > tmplog 2> errorlog || _FAIL "Script execution failed"
 _CHECK_LOG "Domain name(s) are not matching!"
 _CHECK_LOG "Forcing renew."
-_CHECK_LOG "Generating private key"
 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
@@ -165,7 +164,7 @@ _TEST "Run in cron mode one last time, with domain in domains.txt and force-resi
 ./letsencrypt.sh --cron --force > tmplog 2> errorlog || _FAIL "Script execution failed"
 _CHECK_LOG "Checking domain name(s) of existing cert... unchanged."
 _CHECK_LOG "Ignoring because renew was forced!"
-_CHECK_LOG "Generating private key"
+_CHECK_NOT_LOG "Generating private key"
 _CHECK_LOG "Requesting challenge for ${TMP_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP2_URL}"
 _CHECK_LOG "Requesting challenge for ${TMP3_URL}"
-- 
2.39.5
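Review bot: After this change no test exercises the PRIVATE_KEY_RENEW="yes" path, so a regression that stops regenerating keys on request would pass the suite; the removed `_CHECK_LOG "Generating private key"` in the first hunk and the new `_CHECK_NOT_LOG "Generating private key"` in the second only pin the default reuse behaviour. Consider adding one more forced run with `PRIVATE_KEY_RENEW="yes"` supplied through whatever config the test already writes (not visible in these hunks), followed by `_CHECK_LOG "Generating private key"`, and ideally an assertion that the key file changed between the two runs. Both hunks start inside a _TEST block whose opening lines are outside the hunk.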