author | Stuart Henderson <sthen@cvs.openbsd.org> | 2021-01-02 19:04:22 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2021-01-02 19:04:22 +0000 |
commit | 197e852286862c57d0ab7f787e8c8b1a2523216d (patch) | |
tree | bcbbd52bee62bb95e93147263f5d5383941579c6 /usr.sbin/acme-client | |
parent | 0e504f9954cc1116e3b529101c9a9e4eae9b54af (diff) |
If acme-client detects an added or removed SAN in the config file
compared to the existing certificate on disk, automatically request a
new certificate without requiring -F.
(Previously the code using -F only coped with added SANs; if one was
removed in config then the certificate needed manual removal before
acme-client would work).
Name checks for -r (revocation) are kept as-is for now.
Diffstat (limited to 'usr.sbin/acme-client')
-rw-r--r-- | usr.sbin/acme-client/acme-client.1 | 10 | ||||
-rw-r--r-- | usr.sbin/acme-client/revokeproc.c | 32 |
2 files changed, 26 insertions, 16 deletions
diff --git a/usr.sbin/acme-client/acme-client.1 b/usr.sbin/acme-client/acme-client.1
index 985ddb2db25..bf75ed651d6 100644
--- a/usr.sbin/acme-client/acme-client.1
+++ b/usr.sbin/acme-client/acme-client.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acme-client.1,v 1.38 2020/12/19 18:05:44 tb Exp $
+.\" $OpenBSD: acme-client.1,v 1.39 2021/01/02 19:04:21 sthen Exp $
 .\"
 .\" Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 19 2020 $
+.Dd $Mdocdate: January 2 2021 $
 .Dt ACME-CLIENT 1
 .Os
 .Sh NAME
@@ -67,10 +67,8 @@ location "/.well-known/acme-challenge/*" {
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl F
-Force certificate renewal, even if it's too soon.
-This is required if new domain alternative names
-were added to
-.Xr acme-client.conf 5 .
+Force certificate renewal, even if it has more than 30 days
+validity.
 .It Fl f Ar configfile
 Specify an alternative configuration file.
 .It Fl n
diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c
index c596683e2e6..e3cab0cd5a2 100644
--- a/usr.sbin/acme-client/revokeproc.c
+++ b/usr.sbin/acme-client/revokeproc.c
@@ -1,4 +1,4 @@
-/* $Id: revokeproc.c,v 1.16 2020/11/18 20:54:43 beck Exp $ */
+/* $Id: revokeproc.c,v 1.17 2021/01/02 19:04:21 sthen Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -202,7 +202,9 @@ revokeproc(int fd, const char *certfile, int force,
 
 	if (san == NULL) {
 		warnx("%s: does not have a SAN entry", certfile);
-		goto out;
+		if (revocate)
+			goto out;
+		force = 2;
 	}
 
 	/* An array of buckets: the number of entries found. */
@@ -230,20 +232,29 @@ revokeproc(int fd, const char *certfile, int force,
 			if (strcmp(tok, alts[j]) == 0)
 				break;
 		if (j == altsz) {
-			warnx("%s: unknown SAN entry: %s", certfile, tok);
-			goto out;
+			if (revocate) {
+				warnx("%s: unknown SAN entry: %s", certfile, tok);
+				goto out;
+			}
+			force = 2;
 		}
 		if (found[j]++) {
-			warnx("%s: duplicate SAN entry: %s", certfile, tok);
-			goto out;
+			if (revocate) {
+				warnx("%s: duplicate SAN entry: %s", certfile, tok);
+				goto out;
+			}
+			force = 2;
 		}
 	}
 
-	for (j = 0; !force && j < altsz; j++) {
+	for (j = 0; j < altsz; j++) {
 		if (found[j])
 			continue;
-		warnx("%s: domain not listed: %s", certfile, alts[j]);
-		goto out;
+		if (revocate) {
+			warnx("%s: domain not listed: %s", certfile, alts[j]);
+			goto out;
+		}
+		force = 2;
 	}
 
 	/*
@@ -294,7 +305,8 @@ revokeproc(int fd, const char *certfile, int force,
 		certfile, (long long)(t - time(NULL)) / 24 / 60 / 60);
 
 	if (rop == REVOKE_OK && force) {
-		warnx("%s: forcing renewal", certfile);
+		warnx("%s: %sforcing renewal", certfile,
+		    force == 2 ? "domain list changed, " : "");
 		rop = REVOKE_EXP;
 	}
 
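Review bot: Once `force = 2` is set on any mismatch in this hunk, a persistent difference between the configured names and the certificate's SAN list becomes a new certificate request on every run instead of the one-time error the old code produced, and nothing here bounds that. The match at the top of the hunk is a case-sensitive `strcmp(tok, alts[j])`, so a mixed-case name in the config would never match a lower-cased SAN in the issued certificate and the client would re-issue on each invocation, which is how an operator runs into issuer rate limits; unless names are lower-cased at config parse time (not visible here), consider `if (strcasecmp(tok, alts[j]) == 0)` (needs `<strings.h>`) and at least a warnx naming the mismatched entry so the repeated-renewal cause is visible in the log. The "duplicate SAN entry" branch has the same property: a certificate the CA keeps issuing with a repeated name now triggers renewal rather than a report. `force = 2` is an unnamed tri-state sharing the parameter with the -F value 1; a named constant (e.g. `#define FORCE_SAN_CHANGED 2`, name constructed) would make the `force == 2` test in the -294 hunk self-describing. revokeproc() begins before the first hunk and continues past the last, so whether the tokenizing loop tolerates the `san == NULL` case that now falls through cannot be confirmed from here.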