On 2020/12/15 17:49, Florian Obser wrote:
> 
> 
> On 15 December 2020 14:56:41 CET, Stuart Henderson <s...@spacehopper.org> 
> wrote:
> >On 2020/12/15 10:18, Solene Rapenne wrote:
> >> This is a small change to acme-client(1) because I find
> >> the explanation of -F flag not being obvious that you
> >> need it when you add/remove an alternative name in your
> >> domain config.
> >
> >This only works directly for adding. For removal you need to rm
> >the existing certificate.
> 
> -F only handles forced renewals correctly.
> That it can be (ab)used to add subject alt names to a cert is an 
> implementation detail.
> 
> It would be nice if someone™ would fix this properly by acme-client detecting 
> that cert and config do not agree anymore.

like this perhaps?

if we don't want to do this automatically for some reason, then we should
at least extend beck's recent change so that -F handles names that are
_removed_ from config, not just added as he did.



Index: revokeproc.c
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/revokeproc.c,v
retrieving revision 1.16
diff -u -p -r1.16 revokeproc.c
--- revokeproc.c        18 Nov 2020 20:54:43 -0000      1.16
+++ revokeproc.c        23 Dec 2020 22:20:43 -0000
@@ -202,7 +202,9 @@ revokeproc(int fd, const char *certfile,
 
        if (san == NULL) {
                warnx("%s: does not have a SAN entry", certfile);
-               goto out;
+               if (revocate)
+                       goto out;
+               force = 2;
        }
 
        /* An array of buckets: the number of entries found. */
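Review bot: the `warnx("%s: does not have a SAN entry", certfile)` at the top of this hunk now fires in the non-revoke path as well, so a certificate without a SAN prints an error-looking warning and then carries on with `force = 2`; move the warnx under `if (revocate)` (or reword it) so the later "forcing renewal" line is the only message the user sees for that case. `force = 2` is also a bare magic value; a named constant or a separate `changed` flag would make the intent clearer than overloading the `force` parameter.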
@@ -230,20 +232,29 @@ revokeproc(int fd, const char *certfile,
                        if (strcmp(tok, alts[j]) == 0)
                                break;
                if (j == altsz) {
-                       warnx("%s: unknown SAN entry: %s", certfile, tok);
-                       goto out;
+                       if (revocate) {
+                               warnx("%s: unknown SAN entry: %s", certfile, 
tok);
+                               goto out;
+                       }
+                       force = 2;
                }
                if (found[j]++) {
-                       warnx("%s: duplicate SAN entry: %s", certfile, tok);
-                       goto out;
+                       if (revocate) {
+                               warnx("%s: duplicate SAN entry: %s", certfile, 
tok);
+                               goto out;
+                       }
+                       force = 2;
                }
        }
 
-       for (j = 0; !force && j < altsz; j++) {
+       for (j = 0; j < altsz; j++) {
                if (found[j])
                        continue;
-               warnx("%s: domain not listed: %s", certfile, alts[j]);
-               goto out;
+               if (revocate) {
+                       warnx("%s: domain not listed: %s", certfile, alts[j]);
+                       goto out;
+               }
+               force = 2;
        }
 
        /*
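Review bot: in the `if (j == altsz)` branch the non-revoke path sets `force = 2` and then falls through to `if (found[j]++)` with `j == altsz`, which writes one element past the end of `found` (the `goto out` that this hunk removes is what used to prevent that); add `continue;` right after `force = 2;` in that branch. The unknown-entry and duplicate-entry cases also lose their warnx entirely when not revoking, so the user only ever sees the generic "domain list changed" line; keeping the warnx and dropping only the goto would preserve the diagnostic.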
@@ -294,7 +305,8 @@ revokeproc(int fd, const char *certfile,
                    certfile, (long long)(t - time(NULL)) / 24 / 60 / 60);
 
        if (rop == REVOKE_OK && force) {
-               warnx("%s: forcing renewal", certfile);
+               warnx("%s: %sforcing renewal", certfile,
+                   force == 2 ? "domain list changed, " : "");
                rop = REVOKE_EXP;
        }
 
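Review bot: `force == 2` is also what gets set when the certificate has no SAN entry at all or carries a duplicate name, and "domain list changed" does not describe either of those; either give the three reasons distinct values or reword to something like "certificate does not match domain list". Note too that a user-supplied `-F` (force == 1) combined with a changed domain list ends up with the changed-list message, which is fine but should be stated in the commit message.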
Index: acme-client.1
===================================================================
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
retrieving revision 1.38
diff -u -p -r1.38 acme-client.1
--- acme-client.1       19 Dec 2020 18:05:44 -0000      1.38
+++ acme-client.1       23 Dec 2020 22:20:43 -0000
@@ -67,10 +67,8 @@ location "/.well-known/acme-challenge/*"
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl F
-Force certificate renewal, even if it's too soon.
-This is required if new domain alternative names
-were added to
-.Xr acme-client.conf 5 .
+Force certificate renewal, even if it has more than 30 days
+validity.
 .It Fl f Ar configfile
 Specify an alternative configuration file.
 .It Fl n
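Review bot: deleting the sentence about alternative names leaves the new automatic behaviour undocumented; since revokeproc now forces a renewal whenever the certificate's SAN list disagrees with the domain and alternative names in acme-client.conf(5), add a sentence saying so (in the DESCRIPTION or next to `.Fl F`), and say explicitly that names removed from the configuration trigger a renewal as well as names added, which is the case the thread started from. Minor: "even if it has more than 30 days validity" reads better as "even if it has more than 30 days of validity left".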

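The check the thread is after, a certificate whose names no longer agree with the config, as an added example in Python that is not acme-client code: it mirrors the three tests in revokeproc.c (unknown SAN entry, duplicate SAN entry, config domain not in the certificate) over constructed inputs, and returns "renew" on a mismatch or "error" when revoking, the same split the patch makes. The SAN text is a constructed sample in the layout `openssl x509 -noout -ext subjectAltName` prints (assumed OpenSSL 1.1.1+ style), the domain block is a constructed acme-client.conf(5) fragment with placeholder paths, and the `compare()`, `decide()` and `check()` helpers are this example's own names.

```python
"""Detect a certificate whose DNS SANs no longer match the acme-client.conf
domain block, the way revokeproc.c does, and say what to do about it.
Added example, not acme-client code; every input below is constructed."""
import re

# Constructed sample in the layout `openssl x509 -noout -ext subjectAltName`
# prints (assumed OpenSSL 1.1.1+ style).  old.example.com has since been
# removed from the config and new.example.com added to it.
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com, DNS:old.example.com
"""

# Constructed acme-client.conf(5) domain block (paths are placeholders).
CONF_TEXT = """
domain example.com {
    alternative names { www.example.com new.example.com }
    domain key "/etc/ssl/private/example.com.key"
    domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
    sign with letsencrypt
}
"""


def cert_dns_names(san_text):
    """DNS: entries of a SAN line, in order, duplicates kept (like the
    strtok(",") loop in revokeproc.c, which only looks at DNS: tokens)."""
    names = []
    for tok in san_text.replace("\n", ",").split(","):
        tok = tok.strip()
        if tok.startswith("DNS:"):
            names.append(tok[4:].lower())
    return names


def conf_domains(conf_text):
    """[domain, *alternative names] from the first domain block."""
    m = re.search(r"^\s*domain\s+([^\s{]+)\s*\{", conf_text, re.M)
    if m is None:
        raise ValueError("no domain block found")
    names = [m.group(1).lower()]
    alt = re.search(r"alternative\s+names\s*\{([^}]*)\}", conf_text)
    if alt is not None:
        names.extend(n.lower() for n in alt.group(1).split())
    return names


def compare(cert_names, conf_names):
    """The three checks revokeproc.c makes, as sorted lists."""
    have, want = set(cert_names), set(conf_names)
    unknown = sorted(have - want)   # in the cert, dropped from the config
    missing = sorted(want - have)   # in the config, not yet in the cert
    dup = sorted(n for n in have if cert_names.count(n) > 1)
    return unknown, missing, dup


def decide(cert_names, conf_names, revoke=False):
    """Return (action, reasons) with action 'ok', 'renew' or 'error':
    a mismatch means renew, except when revoking, where the existing
    code refuses to touch a certificate that disagrees with the config."""
    unknown, missing, dup = compare(cert_names, conf_names)
    reasons = (["unknown SAN entry: " + n for n in unknown]
               + ["domain not listed: " + n for n in missing]
               + ["duplicate SAN entry: " + n for n in dup])
    if not reasons:
        return "ok", []
    return ("error" if revoke else "renew"), reasons


def check(san_text=SAN_TEXT, conf_text=CONF_TEXT, revoke=False):
    """Parse both sides and decide; a cert with no SAN at all comes out
    as every configured name missing, which also means renew."""
    return decide(cert_dns_names(san_text), conf_domains(conf_text), revoke)


if __name__ == "__main__":
    action, reasons = check()
    print(action)
    for r in reasons:
        print("  " + r)
```

With the sample inputs the result is a renewal for two reasons at once, the removed old.example.com and the added new.example.com, which is exactly the removal case that `-F` alone does not cover; a certificate with an empty or absent SAN takes the same path rather than being treated as an error.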