From f8d8f22006803455285eba803e74271982d27f12 Mon Sep 17 00:00:00 2001
From: Chris Aumann
Date: Tue, 14 Jun 2016 13:21:16 +0200
Subject: [PATCH 1/4] Add constant for x509PublicKey
---
 cmd/acme/cert.go | 2 +-
 cmd/acme/config.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/cmd/acme/cert.go b/cmd/acme/cert.go
index d1643d9..75d8870 100644
--- a/cmd/acme/cert.go
+++ b/cmd/acme/cert.go
@@ -135,7 +135,7 @@ func runCert(args []string) {
 logf("cert url: %s", curl)
 var pemcert []byte
 for _, b := range cert {
- b = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: b})
+ b = pem.EncodeToMemory(&pem.Block{Type: x509PublicKey, Bytes: b})
 pemcert = append(pemcert, b...)
 }
 certPath := sameDir(certKeypath, cn+".crt")
diff --git a/cmd/acme/config.go b/cmd/acme/config.go
index c1e4179..1f508a9 100644
--- a/cmd/acme/config.go
+++ b/cmd/acme/config.go
@@ -39,6 +39,7 @@ const (
 rsaPrivateKey = "RSA PRIVATE KEY"
 ecPrivateKey = "EC PRIVATE KEY"
+ x509PublicKey = "CERTIFICATE"
 )
 // configDir is acme configuration dir.
From f7b5958d82cf440d1ca1f4f693958a18198a8aac Mon Sep 17 00:00:00 2001
From: Chris Aumann
Date: Tue, 14 Jun 2016 13:21:48 +0200
Subject: [PATCH 2/4] Add readCrt() function
---
 cmd/acme/config.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/cmd/acme/config.go b/cmd/acme/config.go
index 1f508a9..1e668ef 100644
--- a/cmd/acme/config.go
+++ b/cmd/acme/config.go
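Review bot: The constant name `x509PublicKey` on the added config.go line is misleading: a PEM block of type "CERTIFICATE" carries a whole X.509 certificate (subject, issuer, validity, signature), not a bare public key, which would be a "PUBLIC KEY" (SubjectPublicKeyInfo) block. Sitting next to `rsaPrivateKey`/`ecPrivateKey` and destined to gate which PEM types are accepted, the name invites someone to later pass a public-key block where a certificate is expected; `x509Certificate = "CERTIFICATE"` says what the block actually is, and the cert.go hunk of this patch would use it the same way. The const block starts outside the hunk.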
@@ -123,6 +123,21 @@ func readKey(path string) (crypto.Signer, error) {
 }
 }
+func readCrt(path string) (*x509.Certificate, error) {
+ b, err := ioutil.ReadFile(path)
+ if err != nil {
+ return nil, err
+ }
+ d, _ := pem.Decode(b)
+ if d == nil {
+ return nil, fmt.Errorf("no block found in %q", path)
+ }
+ if d.Type != x509PublicKey {
+ return nil, fmt.Errorf("%q is unsupported", d.Type)
+ }
+ return x509.ParseCertificate(d.Bytes)
+}
+
 // writeKey writes k to the specified path in PEM format.
 // If file does not exists, it will be created with 0600 mod.
 func writeKey(path string, k *ecdsa.PrivateKey) error {
From fa41202815d91b30a8688983563723f24f86b787 Mon Sep 17 00:00:00 2001
From: Chris Aumann
Date: Tue, 14 Jun 2016 13:22:06 +0200
Subject: [PATCH 3/4] Exit if certificate is present and not about to expire
---
 cmd/acme/cert.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/cmd/acme/cert.go b/cmd/acme/cert.go
index 75d8870..6fde51d 100644
--- a/cmd/acme/cert.go
+++ b/cmd/acme/cert.go
@@ -93,6 +93,18 @@ func runCert(args []string) {
 fatalf("no key found for %s", uc.URI)
 }
+ // read crt if existent
+ certPath := sameDir(certKeypath, cn+".crt")
+ certCrt, err := readCrt(certPath)
+ if err == nil {
+ // do not re-issue certificate if it's not about to expire in less than one week
+ expiresIn := certCrt.NotAfter.Sub(time.Now())
+ if expiresIn > 24*7*time.Hour {
+ errorf("cert is still valid for more than one week, not renewing")
+ exit()
+ }
+ }
+
 // read or generate new cert key
 certKey, err := anyKey(certKeypath, true)
 if err != nil {
@@ -138,7 +150,6 @@ func runCert(args []string) {
 b = pem.EncodeToMemory(&pem.Block{Type: x509PublicKey, Bytes: b})
 pemcert = append(pemcert, b...)
 }
- certPath := sameDir(certKeypath, cn+".crt")
 if err := ioutil.WriteFile(certPath, pemcert, 0644); err != nil {
 fatalf("write cert: %v", err)
 }
From 97f04568e6e68bed483975ef507bf485572d1826 Mon Sep 17 00:00:00 2001
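Review bot: `readCrt` parses only the first PEM block and discards the remainder returned by `pem.Decode`, so on the file `runCert` writes (leaf followed by the chain, per the `for _, b := range cert` loop in patch 1) it yields the leaf purely by block order, and nothing in the function states that contract. A doc comment would make it explicit: `// readCrt parses the first CERTIFICATE block of the PEM file at path; trailing blocks (the chain) are ignored. No signature, chain or key validation is performed.` The `x509.ParseCertificate` error is also returned without the file name, unlike the two `fmt.Errorf` branches above it; wrapping it as `fmt.Errorf("%s: %v", path, err)` keeps the error messages consistent. Since the result is unvalidated, callers should use it only for informational fields such as NotAfter, not as evidence that the certificate is trustworthy.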
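Review bot: The early exit added to runCert decides on `certCrt.NotAfter` alone: it never checks that the on-disk certificate covers the names this invocation asks for or matches the key at `certKeypath`, and it runs before `anyKey(certKeypath, true)` reads or creates that key, so a valid certificate next to a missing or regenerated key still short-circuits and leaves a cert with no usable key, and (if runCert takes a domain list — its arguments are outside the hunk) a changed list for the same `cn` silently keeps the stale certificate. Comparing `certCrt.DNSNames` with the requested names and performing the check only after the key has been loaded without being newly generated would close both gaps. Separately, the "still valid" case is the expected outcome of a cron run, yet it is reported via `errorf` plus `exit()`, which presumably yields a failure status; `logf(...)` with a clean exit, or a `-force` flag to override, would fit better. The comment `// read crt if existent` could read `// reuse the existing certificate if it is not yet within the renewal window`. runCert starts and ends outside the hunk.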
From: Chris Aumann
Date: Wed, 31 Aug 2016 13:44:37 +0200
Subject: [PATCH 4/4] Renew certificate 3 weeks before expiry
This seems to fit letsencrypt better, as it sends out certificate renew reminder emails ~19 days before expiry
---
 cmd/acme/cert.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmd/acme/cert.go b/cmd/acme/cert.go
index 6fde51d..e6c19b9 100644
--- a/cmd/acme/cert.go
+++ b/cmd/acme/cert.go
@@ -97,10 +97,10 @@ func runCert(args []string) {
 certPath := sameDir(certKeypath, cn+".crt")
 certCrt, err := readCrt(certPath)
 if err == nil {
- // do not re-issue certificate if it's not about to expire in less than one week
+ // do not re-issue certificate if it's not about to expire in less than three weeks
 expiresIn := certCrt.NotAfter.Sub(time.Now())
- if expiresIn > 24*7*time.Hour {
- errorf("cert is still valid for more than one week, not renewing")
+ if expiresIn > 24*7*3*time.Hour {
+ errorf("cert is still valid for more than a three weeks, not renewing")
 exit()
 }
 }
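Review bot: The new log string has a typo, `"more than a three weeks"`; it should read `errorf("cert is still valid for more than three weeks, not renewing")`. The renewal window is now spelled out three times — in the comment, in the condition `24*7*3*time.Hour` and in the message — which is exactly how they drift apart; a named constant in the const block, `renewBefore = 3 * 7 * 24 * time.Hour // Let's Encrypt sends expiry reminders ~19 days out`, would carry the threshold and the rationale from the commit message in one place, with the condition becoming `if expiresIn > renewBefore {`. runCert continues outside the hunk.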