From c319232b7b4b4fbf0c6b1279553e2e6efc521e07 Mon Sep 17 00:00:00 2001
From: Wilfried Teiken
Date: Sat, 9 Dec 2023 12:32:38 -0500
Subject: [PATCH] Add a check for a change of key between CSR and existing cert.

---
 dehydrated | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/dehydrated b/dehydrated
index a15fb048..3fc89320 100755
--- a/dehydrated
+++ b/dehydrated
@@ -1824,6 +1824,25 @@ command_sign_domains() {
 fi
 fi
 
+ # Check pubkey of existing certificate aginst pubkey in csr.
+ if [[ -e "${cert}" && -n "${csr}" && "${force_renew}" = "no" ]]; then
+ printf " + Checking public key of existing cert..."
+
+ hash_cert="$(${OPENSSL} x509 -in "${cert}" -pubkey -noout|${OPENSSL} pkey -pubin -outform DER|"${OPENSSL}" dgst -sha256|awk '{ print $2 }')"
+ hash_csr="$(echo "${csr}"|${OPENSSL} req -pubkey -noout 2>/dev/null|${OPENSSL} pkey -pubin -outform DER|"${OPENSSL}" dgst -sha256|awk '{ print $2 }')"
+
+ if [[ "${hash_cert}" = "${hash_csr}" ]]; then
+ echo " unchanged."
+ else
+ echo " changed!"
+ echo " + Key is not matching!"
+ echo " + Key hash for old certificate: ${hash_cert}"
+ echo " + Key hash for csr: ${hash_csr}"
+ echo " + Forcing renew."
+ force_renew="yes"
+ fi
+ fi
+
 # Check expire date of existing certificate
 if [[ -e "${cert}" ]]; then
 echo " + Checking expire date of existing cert..."
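Review bot: Both hash assignments can come back empty — `openssl req` has its stderr discarded, and a failing `x509`, `pkey` or `dgst` stage in either pipeline leaves `hash_cert` or `hash_csr` as "" while the trailing `awk` still succeeds — and two empty strings compare equal, so an unreadable cert plus an unparsable CSR is reported as " unchanged." and the forced renewal is silently skipped; whether `set -e`/`pipefail` options set outside the hunk would catch this instead cannot be told from here. Guard before the comparison: `if [[ -z "${hash_cert}" || -z "${hash_csr}" ]]; then _exiterr "Unable to extract public key from existing certificate or CSR"; fi`. The pipelines also quote `${OPENSSL}` inconsistently (`${OPENSSL} x509` and `${OPENSSL} pkey` unquoted, `"${OPENSSL}" dgst` quoted); pick one form, prefer `printf '%s\n' "${csr}"` over `echo "${csr}"` for feeding PEM data, and fix "aginst" in the leading comment. command_sign_domains starts and ends outside the hunk.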