Skip to content

Commit c685c9e

Browse files
raforgraforg
committed
status/tlsa-check: Add check for reuse_key (and fix if necessary)
1 parent e8f3da7 commit c685c9e

File tree

1 file changed

+30
-1
lines changed

1 file changed

+30
-1
lines changed

danectl

Lines changed: 30 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -404,7 +404,9 @@ published in the DNS:
404404
405405
danectl tlsa-check example.org
406406
407-
If no cert-name is supplied, then all cert-names are checked.
407+
If no cert-name is supplied, then all cert-names are checked, and the
408+
--reuse-key status of each certificate lineage is checked, and restored if
409+
it is unset for any reason.
408410
409411
All TLSA records for the current and next keys must be published in the DNS
410412
before you configure your services to use the current key.
@@ -456,6 +458,9 @@ lineages that no longer exist in /etc/letsencrypt/live, this is also
456458
mentioned, and they are deleted. This indicates that the certificate lineage
457459
was previously deleted with certbot.
458460
461+
If any of the certificate lineages no longer have their --reuse-key status
462+
set for any reason, this is also mentioned, and it is restored.
463+
459464
You can also output SSHFP records for the local SSH server:
460465
461466
danectl sshfp example.org
@@ -935,6 +940,28 @@ status()
935940
done
936941
}
937942

943+
# Check/ensure that all certificate renewals will reuse the key
944+
945+
reuse_key_check()
946+
{
947+
for role in current next
948+
do
949+
for symlink in "$le/$role"/*
950+
do
951+
[ -h "$symlink" ] || continue
952+
[ -d "$symlink" ] || continue
953+
target="`readlink \"$symlink\"`"
954+
certname="${target##*/}"
955+
fname="$le/renewal/$certname.conf"
956+
[ -f "$fname" ] || continue
957+
grep -q "reuse_key = True" "$fname" && continue
958+
del_line "$fname" reuse_key
959+
add_line "$fname" "reuse_key = True"
960+
echo "$certname: Not reusing key on renewal (fixed)"
961+
done
962+
done | sort
963+
}
964+
938965
# Output the public key hash for the given role and cert-name
939966

940967
tlsa_hash()
@@ -1494,6 +1521,7 @@ case "$command" in
14941521
check_prerequisites
14951522
[ $# != 0 ] && check_both_certnames "$@"
14961523
for certname in ${*:-`all_certnames`}; do tlsa_check "$certname"; done
1524+
[ $# = 0 ] && reuse_key_check
14971525
;;
14981526

14991527
add-reload|reload-add|ar|ra)
@@ -1536,6 +1564,7 @@ case "$command" in
15361564
[ $# != 0 ] && usage 1 "Too many status arguments (expected no additional arguments)"
15371565
check_prerequisites
15381566
status "$@"
1567+
reuse_key_check
15391568
;;
15401569

15411570
sshfp|ssh)

0 commit comments

Comments
 (0)