Implement --rekey option

Closes #65. Closes #19.
kelunik · Apr 15, 2018 · 51acff5 · 51acff5
1 parent ea3e9dc
commit 51acff5
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 7 deletions.
diff --git a/.acme-client.yml.sample b/.acme-client.yml.sample
@@ -28,7 +28,10 @@ certificates:
     # user:  User running the web server. Challenge files are world readable,
     #        but some servers might require to be owner of files they serve.
     #
+    # rekey: Regenerate certificate key pairs even if a key pair already exists.
+    #
     - bits: 4096
+      rekey: true
       paths:
         /var/www/example:
             - example.org

diff --git a/doc/advanced-usage.md b/doc/advanced-usage.md
@@ -24,7 +24,7 @@ You can separate multiple domains (`-d`) with `,`, `:` or `;`. You can separate
 
 If you specify less paths than domains, the last one will be used for the remaining domains.
 
-Please note that Let's Encrypt has rate limits. Currently it's five certificates per domain per seven days. If you combine multiple subdomains in a single certificate, they count as just one certificate. If you just want to test things out, you can use their staging server, which has way higher rate limits by appending `--s letsencrypt:staging`.
+Please note that Let's Encrypt has rate limits. Currently it's five certificates per domain per seven days. If you combine multiple subdomains in a single certificate, they count as just one certificate. If you just want to test things out, you can use their staging server, which has way higher rate limits by appending `--server letsencrypt:staging`.
 
 ## Revoke a Certificate
 

diff --git a/doc/usage.md b/doc/usage.md
@@ -53,7 +53,10 @@ certificates:
     # user:  User running the web server. Challenge files are world readable,
     #        but some servers might require to be owner of files they serve.
     #
+    # rekey: Regenerate certificate key pairs even if a key pair already exists.
+    #
     - bits: 4096
+      rekey: true
       paths:
         /var/www/example:
             - example.org

diff --git a/src/Commands/Auto.php b/src/Commands/Auto.php
@@ -86,6 +86,13 @@ public function execute(Manager $args): Promise {
                 return self::EXIT_CONFIG_ERROR;
             }
 
+            foreach ($config['certificates'] as $certificateConfig) {
+                if (isset($certificateConfig['rekey']) && !\is_bool($certificateConfig['rekey'])) {
+                    $this->climate->error("Config file ({$configPath}) defines an invalid 'rekey' value.");
+                    return self::EXIT_CONFIG_ERROR;
+                }
+            }
+
             $concurrency = isset($config['challenge-concurrency']) ? (int) $config['challenge-concurrency'] : null;
 
             $process = new Process([
@@ -179,8 +186,7 @@ private function checkAndIssue(array $certificate, string $server, string $stora
         $domainPathMap = $this->toDomainPathMap($certificate['paths']);
         $domains = \array_keys($domainPathMap);
         $commonName = \reset($domains);
-
-        $process = new Process([
+        $processArgs = [
             PHP_BINARY,
             $GLOBALS['argv'][0],
             'check',
@@ -192,7 +198,13 @@ private function checkAndIssue(array $certificate, string $server, string $stora
             $commonName,
             '--names',
             \implode(',', $domains),
-        ]);
+        ];
+
+        if ($certificate['rekey'] ?? false) {
+            $processArgs[] = '--rekey';
+        }
+
+        $process = new Process($processArgs);
 
         $process->start();
         $exit = yield $process->join();

diff --git a/src/Commands/Issue.php b/src/Commands/Issue.php
@@ -97,14 +97,20 @@ public function execute(Manager $args): Promise {
                 throw new AcmeException('Issuance failed, not all challenges could be solved.');
             }
 
-            $path = 'certs/' . $keyFile . '/' . \reset($domains) . '/key.pem';
+            $keyPath = 'certs/' . $keyFile . '/' . \reset($domains) . '/key.pem';
             $bits = $args->get('bits');
 
+            $regenerateKey = $args->get('rekey');
+
             try {
-                $key = yield $keyStore->get($path);
+                $key = yield $keyStore->get($keyPath);
             } catch (KeyStoreException $e) {
+                $regenerateKey = true;
+            }
+
+            if ($regenerateKey) {
+                $this->climate->whisper('    Generating new key pair ...');
                 $key = (new RsaKeyGenerator($bits))->generateKey();
-                $key = yield $keyStore->put($path, $key);
             }
 
             $this->climate->br();
@@ -117,6 +123,8 @@ public function execute(Manager $args): Promise {
 
             $path = AcmeClient\normalizePath($args->get('storage')) . '/certs/' . $keyFile;
             $certificateStore = new CertificateStore($path);
+
+            yield $keyStore->put($keyPath, $key);
             yield $certificateStore->put($certificates);
 
             $this->climate->info('    Successfully issued certificate.');
@@ -232,6 +240,11 @@ public static function getDefinition(): array {
                 'defaultValue' => 10,
                 'castTo' => 'int',
             ],
+            'rekey' => [
+                'longPrefix' => 'rekey',
+                'description' => 'Regenerate the key pair even if a key pair already exists.',
+                'noValue' => true,
+            ],
         ];
     }
 }