
Fix Le_Keylength checks during renewals

When performing renewals acme.sh checks key length values to determine
if a new key should be created with createDomainKey(). However, older
acme.sh stored key length as an empty value if the default of 2048 was
desired. Now it is explicit and the explicit check of 2048 against "" is
causing createDomainKey() to always be called, which fails without
--force.

Fix this by converting the keylength value to 2048 if an empty string is
returned from the config file. acme.sh will then write out 2048 updating
old keys and configs to the explicit version.

Issue: 4077
pull/4078/head
Clark Boylan 3 years ago
parent
commit
b376dfa1e6
1 changed file: acme.sh (11 lines changed)

@ -4406,7 +4406,13 @@ issue() {
if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then
_info "Signing from existing CSR." _info "Signing from existing CSR."
else else
# When renewing from an old version, the empty Le_Keylength means 2048.
# Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over
# time but an empty value implies 2048 specifically.
_key=$(_readdomainconf Le_Keylength) _key=$(_readdomainconf Le_Keylength)
if [ -z "$_key" ]; then
_key=2048
fi
_debug "Read key length:$_key" _debug "Read key length:$_key"
if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
if ! createDomainKey "$_main_domain" "$_key_length"; then if ! createDomainKey "$_main_domain" "$_key_length"; then
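Review bot: the `_debug "Read key length:$_key"` line now runs after the default is applied, so a renewal log can no longer tell an old-style empty `Le_Keylength` apart from an explicit `2048`; either move the `_debug` above the `if [ -z "$_key" ]` test or add a second message inside the branch (e.g. `_debug "Le_Keylength empty in config, assuming 2048"`) so the fallback path is visible when diagnosing the "--force" failures this commit is fixing. Also, the new default is applied only to `_key`, while the decision on the next line is `[ "$_key_length" != "$_key" ]`; if `_key_length` can still arrive empty on this path, an empty string compared against `2048` is unequal and `createDomainKey` is triggered anyway, so the same defaulting should be applied (or asserted) on the `_key_length` side as well, as the `renew()` hunk does for the caller.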
@ -5319,7 +5325,10 @@ renew() {
Le_PostHook="$(_readdomainconf Le_PostHook)" Le_PostHook="$(_readdomainconf Le_PostHook)"
Le_RenewHook="$(_readdomainconf Le_RenewHook)" Le_RenewHook="$(_readdomainconf Le_RenewHook)"
Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)" Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)"
#when renew from an old version, the empty Le_Keylength means 2048
# When renewing from an old version, the empty Le_Keylength means 2048.
# Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over
# time but an empty value implies 2048 specifically.
Le_Keylength="$(_readdomainconf Le_Keylength)"
if [ -z "$Le_Keylength" ]; then if [ -z "$Le_Keylength" ]; then
Le_Keylength=2048 Le_Keylength=2048
fi fi
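Review bot: this is the second verbatim copy of the same comment block and `if [ -z ... ]; then ...=2048; fi` default (the `issue()` hunk above has the identical three lines); since the comment itself warns that this value must stay pinned to 2048 rather than follow `DEFAULT_DOMAIN_KEY_LENGTH`, a single small helper (for example a hypothetical `_readdomainconf_keylength` wrapping `_readdomainconf Le_Keylength`) would keep the two call sites from drifting apart. Also, this hunk only sets the shell variable `Le_Keylength=2048`; there is no `_savedomainconf Le_Keylength` here, so the rewrite of old configs to the explicit value that the commit message promises ("acme.sh will then write out 2048") must happen elsewhere and is worth confirming in the same change.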
