-rw-r--r-- | usr.sbin/acme-client/acme-client.1 | 10 | ||||
-rw-r--r-- | usr.sbin/acme-client/revokeproc.c | 32 |
2 files changed, 26 insertions, 16 deletions
diff --git a/usr.sbin/acme-client/acme-client.1 b/usr.sbin/acme-client/acme-client.1
index 985ddb2db25..bf75ed651d6 100644
--- a/usr.sbin/acme-client/acme-client.1
+++ b/usr.sbin/acme-client/acme-client.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: acme-client.1,v 1.38 2020/12/19 18:05:44 tb Exp $
+.\" $OpenBSD: acme-client.1,v 1.39 2021/01/02 19:04:21 sthen Exp $
 .\"
 .\" Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 19 2020 $
+.Dd $Mdocdate: January 2 2021 $
 .Dt ACME-CLIENT 1
 .Os
 .Sh NAME
@@ -67,10 +67,8 @@ location "/.well-known/acme-challenge/*" {
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl F
-Force certificate renewal, even if it's too soon.
-This is required if new domain alternative names
-were added to
-.Xr acme-client.conf 5 .
+Force certificate renewal, even if it has more than 30 days
+validity.
 .It Fl f Ar configfile
 Specify an alternative configuration file.
 .It Fl n
diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c
index c596683e2e6..e3cab0cd5a2 100644
--- a/usr.sbin/acme-client/revokeproc.c
+++ b/usr.sbin/acme-client/revokeproc.c
@@ -1,4 +1,4 @@
-/* $Id: revokeproc.c,v 1.16 2020/11/18 20:54:43 beck Exp $ */
+/* $Id: revokeproc.c,v 1.17 2021/01/02 19:04:21 sthen Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -202,7 +202,9 @@ revokeproc(int fd, const char *certfile, int force,
 if (san == NULL) {
 warnx("%s: does not have a SAN entry", certfile);
- goto out;
+ if (revocate)
+ goto out;
+ force = 2;
 }
 /* An array of buckets: the number of entries found. */
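Review bot: `force = 2` in the @@ -202 hunk gives the `force` parameter an undocumented third value; the same literal is assigned three more times in the @@ -230 hunk and tested as `force == 2` in the @@ -294 hunk. A comment where it is first set, such as `/* force == 2: certificate SANs differ from the configured domains */`, or a named constant would make the tri-state explicit. Execution now also continues past this block with `san == NULL` when not revoking, so the SAN parsing that follows (outside this hunk) has to tolerate a NULL string; that is worth confirming. The body of revokeproc starts and ends outside the hunk.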
@@ -230,20 +232,29 @@ revokeproc(int fd, const char *certfile, int force,
 if (strcmp(tok, alts[j]) == 0)
 break;
 if (j == altsz) {
- warnx("%s: unknown SAN entry: %s", certfile, tok);
- goto out;
+ if (revocate) {
+ warnx("%s: unknown SAN entry: %s", certfile, tok);
+ goto out;
+ }
+ force = 2;
 }
 if (found[j]++) {
- warnx("%s: duplicate SAN entry: %s", certfile, tok);
- goto out;
+ if (revocate) {
+ warnx("%s: duplicate SAN entry: %s", certfile, tok);
+ goto out;
+ }
+ force = 2;
 }
 }
- for (j = 0; !force && j < altsz; j++) {
+ for (j = 0; j < altsz; j++) {
 if (found[j])
 continue;
- warnx("%s: domain not listed: %s", certfile, alts[j]);
- goto out;
+ if (revocate) {
+ warnx("%s: domain not listed: %s", certfile, alts[j]);
+ goto out;
+ }
+ force = 2;
 }
 /*
@@ -294,7 +305,8 @@ revokeproc(int fd, const char *certfile, int force,
 certfile, (long long)(t - time(NULL)) / 24 / 60 / 60);
 if (rop == REVOKE_OK && force) {
- warnx("%s: forcing renewal", certfile);
+ warnx("%s: %sforcing renewal", certfile,
+ force == 2 ? "domain list changed, " : "");
 rop = REVOKE_EXP;
 } |
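Review bot: In the non-revoke path of the @@ -230 hunk, the `j == altsz` branch now falls through to `if (found[j]++)` with `j` equal to `altsz`, which reads and increments one element past the end of `found` if that array holds `altsz` counters (its allocation is outside the hunk, but the later loop indexes it with `j < altsz`). Before this change the branch always left via `goto out`, so the index could not be out of range there. Adding `continue;` after `force = 2;` in the unknown-SAN branch keeps the out-of-range index away from `found`. The unknown, duplicate and not-listed `warnx()` calls are also skipped when not revoking, so the log no longer names the domain that triggered the renewal; emitting them in both paths would keep that record. The body of revokeproc starts and ends outside the hunk.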