From 5b789d298b8d6d48d91601b335e1feeeb1374f14 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Sun, 23 Jul 2023 22:01:43 +0200
Subject: check-certificates: properly handle in place updates

This worked just kind of... The certification was updated, but script aborted before the notification was sent.
---
 check-certificates.rsc | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
(limited to 'check-certificates.rsc')
diff --git a/check-certificates.rsc b/check-certificates.rsc
index db9007a..86e079a 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -122,17 +122,20 @@
 $WaitFullyConnected;
 }
 }
- :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $LastName ] ] . "\\.(p12|pem)_[0-9]+\$") \
- (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
- fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
- :local CertNewVal [ /certificate/get $CertNew ];
+ :if ($CertVal->"fingerprint" != [ /certificate/get $Cert fingerprint ]) do={
+ $LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was updated in place.") false;
+ :set CertVal [ /certificate/get $Cert ];
+ } else {
+ $LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;
 
- :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
- $LogPrintExit2 warning $0 ("The certificate chain is not available!") false;
- }
+ :local CertNew [ /certificate/find where name~("^" . [ $EscapeForRegEx [ $UrlEncode $LastName ] ] . "\\.(p12|pem)_[0-9]+\$") \
+ (common-name=($CertVal->"common-name") or subject-alt-name~("(^|\\W)(DNS|IP):" . [ $EscapeForRegEx $LastName ] . "(\\W|\$)")) \
+ fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
+ :local CertNewVal [ /certificate/get $CertNew ];
 
- :if ($Cert != $CertNew) do={
- $LogPrintExit2 debug $0 ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;
+ :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
+ $LogPrintExit2 warning $0 ("The certificate chain is not available!") false;
+ }
 
 :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
 /certificate/remove $CertNew;
-- cgit v1.2.3-54-g00ecf
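Review bot: The chain-availability check now runs only in the `else` (replaced) branch, so when the certificate is updated in place the refreshed `$CertVal` is never checked and an in-place renewal whose issuer changed proceeds without the "certificate chain is not available" warning. Adding the same check right after the `:set CertVal` line, against the refreshed record, closes that gap: `:if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN") ] = false) do={ $LogPrintExit2 warning $0 ("The certificate chain is not available!") false; }`. In the replaced branch, `/certificate/find` can presumably return an empty or multi-element result when no single matching replacement exists, and the following `/certificate/get $CertNew` would then abort the script rather than log it; a guard such as `:if ([ :len $CertNew ] != 1) do={ ... }` before the `get` would make that failure explicit. The `:if`/`else` block opened here, together with the private-key handling it wraps, continues past the end of the hunk.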