authorGuilhem Moulin <guilhem@fripost.org>2015-12-09 00:10:14 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-12-09 00:10:14 +0100
commit594b65f8960c38fde1a8ffd567df852a69a670ff (patch)
tree289a9fa5cc2b259d3cd511ed5acac699289a2362 /letsencrypt
parentf23e4e0d0cf48153dbc5134cf1bf1bb7189c3005 (diff)
Add an option --min-age.
Diffstat (limited to 'letsencrypt')
-rwxr-xr-xletsencrypt10
1 files changed, 10 insertions, 0 deletions
diff --git a/letsencrypt b/letsencrypt
index 5c10ea1..4c932e4 100755
--- a/letsencrypt
+++ b/letsencrypt
@@ -17,6 +17,7 @@ declare -l GENKEY
declare RUNAS QUIET= DEBUG=
declare SRVCRT= CHAIN= CSR SRVKEY
+delcale -i MIN_AGE=0
declare -l HASH=
declare SUBJECT=/
declare SAN=
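Review bot: `delcale` on the added line is a typo for `declare`, so bash reports a command-not-found and MIN_AGE gets neither its default of 0 nor the integer attribute; the line should read `declare -i MIN_AGE=0`. When --min-age is not passed, the later test `-gt $MIN_AGE` in the new-cert hunk then runs with an empty, unquoted operand, `[` fails with an error, and the expiry check is skipped without a clear message. If the script runs under `set -e` (not visible in this hunk), the typo would instead abort every invocation.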
@@ -62,6 +63,8 @@ usage() {
(default: "digitalSignature,keyEncipherment,keyCertSign")
--chain Store not only the server certificate in the file specified with --output, but
also the CA's
+ --min-age=SECONDS Don't do anything if the certificate specified by --output exists and its expiration
+ is more than SECONDS ahead.
--output=FILE Where to store the issued (signed) X.509 certificate
--notify=COMMAND Command to run upon success. (This option can be repeated.)
@@ -97,6 +100,7 @@ while [ $# -gt 0 ]; do
--debug) DEBUG=1;;
--output=*) SRVCRT="${1#*=}";;
+ --min-age=*) MIN_AGE="${1#*=}";;
--chain) CHAIN=1;;
--csr=*) CSR="${1#*=}";;
--key=*) SRVKEY="${1#*=}";;
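Review bot: The value of --min-age is stored with no validation, and once MIN_AGE carries the intended integer attribute, bash evaluates the assigned string as an arithmetic expression rather than reading it as a plain number. A mistyped value such as `--min-age=30d` then produces an arithmetic error or a different number than the operator meant, and the renewal decision silently follows it. Rejecting anything but digits before the assignment keeps the later comparison predictable: `--min-age=*) [[ ${1#*=} =~ ^[0-9]+$ ]] || { echo "Error: --min-age expects a number of seconds" >&2; exit 1; }; MIN_AGE="${1#*=}";;`. The enclosing case statement starts and ends outside the hunk.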
@@ -164,6 +168,12 @@ elif [ "$COMMAND" = 'new-cert' ]; then
echo "Error: Missing --output" >&2
exit 1
fi
+ if [ -s "$SRVCRT" ] && \
+ exp=$(openssl x509 -noout -enddate <"$SRVCRT" 2>/dev/null) && \
+ [ $(( $(date -d "${exp#*=}" +%s) - $(date +%s))) -gt $MIN_AGE ]; then
+ [ ! "$DEBUG" ] || echo "Expiration date ($(date -d"${exp#*=}")) is too far away, come back later." >&2
+ exit 0
+ fi
# Generate a Certificate Signing Request if need be
if [ ${CSR+x} ]; then
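Review bot: The early `exit 0` is decided from the expiry date of the existing --output file alone, so as far as this hunk shows, a run with a new --key, CSR or SAN list is skipped until the old certificate nears expiry, and the only trace is a message printed under --debug. For a rotation after a suspected key compromise that is the wrong outcome; the usage text should say that --min-age must be omitted to force issuance, or the check should also compare the existing certificate's public key with the requested one before exiting. Separately, `$MIN_AGE` is unquoted inside `[ … ]` and `date -d` is GNU-specific; `openssl x509 -noout -checkend "$MIN_AGE" <"$SRVCRT" >/dev/null 2>&1` expresses the same test without the date arithmetic. The enclosing `elif` branch starts and ends outside the hunk.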