Merge pull request #4078 from cboylan/fix-key-length-check

Fix Le_Keylength checks during renewals
3 years ago · 0a0838b616
1 changed files with 10 additions and 1 deletions
--- a/acme.sh
+++ b/acme.sh
@ -4406,7 +4406,13 @@ issue() {
  if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then
    _info "Signing from existing CSR."
  else
+    # When renewing from an old version, the empty Le_Keylength means 2048.
+    # Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over
+    # time but an empty value implies 2048 specifically.
    _key=$(_readdomainconf Le_Keylength)
+    if [ -z "$_key" ]; then
+      _key=2048
+    fi
    _debug "Read key length:$_key"
    if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
      if ! createDomainKey "$_main_domain" "$_key_length"; then
@ -5319,7 +5325,10 @@ renew() {
  Le_PostHook="$(_readdomainconf Le_PostHook)"
  Le_RenewHook="$(_readdomainconf Le_RenewHook)"
  Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)"
-  #when renew from an old version, the empty Le_Keylength means 2048
+  # When renewing from an old version, the empty Le_Keylength means 2048.
+  # Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over
+  # time but an empty value implies 2048 specifically.
+  Le_Keylength="$(_readdomainconf Le_Keylength)"
  if [ -z "$Le_Keylength" ]; then
    Le_Keylength=2048
  fi