From 84f6363da57ccc3a58fc72f60cf51ca70cea34f6 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sun, 19 Feb 2017 13:36:11 +0100
Subject: new-cert: new CLI option "min-days"

---
 Changelog | 2 ++
 lacme     | 6 +++---
 lacme.md  | 7 +++++--
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/Changelog b/Changelog
index a622a5d..accd89c 100644
--- a/Changelog
+++ b/Changelog
@@ -5,6 +5,8 @@ lacme (0.3) upstream;
   - Ensure lacme's config file descriptor is not passed to the accountd
     or webserver components.
   - new-cert: sort section names if not passed explicitely.
+  - new-cert: new CLI option "min-days" overriding the value found in
+    the configuration file.
 
  -- Guilhem Moulin <guilhem@guilhem.org>  Sun, 19 Feb 2017 13:08:41 +0100
 
diff --git a/lacme b/lacme
index f9b3530..75c1465 100755
--- a/lacme
+++ b/lacme
@@ -60,7 +60,7 @@ sub usage(;$$) {
     }
     exit $rv;
 }
-usage(1) unless GetOptions(\%OPTS, qw/config=s config-certs=s@ socket=s agreement-uri=s quiet|q debug help|h/);
+usage(1) unless GetOptions(\%OPTS, qw/config=s config-certs=s@ socket=s agreement-uri=s min-days=i quiet|q debug help|h/);
 usage(0) if $OPTS{help};
 
 $COMMAND = shift(@ARGV) // usage(1, "Missing command");
@@ -619,8 +619,8 @@ elsif ($COMMAND eq 'new-cert') {
 
         # skip certificates that expire at least $conf->{'min-days'} days in the future
         if (-f $conf->{$certtype} and defined (my $t = x509_enddate($conf->{$certtype}))) {
-            my $d = $conf->{'min-days'} // 10;
-            if ($d > 0 and $t - time > $d*86400) {
+            my $d = $OPTS{'min-days'} // $conf->{'min-days'} // 10;
+            if ($d >= 0 and $t - time > $d*86400) {
                 my $d = POSIX::strftime('%Y-%m-%d %H:%M:%S UTC', gmtime($t));
                 print STDERR "[$s] Valid until $d, skipping\n" unless $OPTS{quiet};
                 next;
diff --git a/lacme.md b/lacme.md
index f5b5559..aec2cd1 100644
--- a/lacme.md
+++ b/lacme.md
@@ -88,7 +88,7 @@ Commands
     When specified, the list of *CONTACT* information and the agreement
     *URI* are sent to the server to replace the existing values.
 
-`lacme` [`--config-certs=`*FILE*] `new-cert` [*SECTION* …]
+`lacme` [`--config-certs=`*FILE*] [`--min-days=`*INT*] `new-cert` [*SECTION* …]
 
 :   Read the certificate configuration *FILE* (see the **[certificate
     configuration file](#certificate-configuration-file)** section below
@@ -339,7 +339,10 @@ Valid options are:
 
 :   For an existing certificate, the minimum number of days before its
     expiration date the section is considered for re-issuance.
-    Default: `10`.
+    A negative value forces reissuance, while the number `0` limits
+    reissuance to expired certificates.
+    Default: the value of the CLI option `--min-days`, or `10` if there
+    is no such option.
 
 *CAfile*
 
-- 
cgit v1.2.3