From d926c84cdb1cc28ee29c6ec0a6f339587ce9b280 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 11 Jan 2021 00:05:58 +0100
Subject: check-certificates: do not renew if loosing private key
---
 check-certificates | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'check-certificates')
diff --git a/check-certificates b/check-certificates
index 89ca9eb..76df7f9 100644
--- a/check-certificates
+++ b/check-certificates
@@ -66,6 +66,11 @@ $WaitFullyConnected;
 :if ($Cert != $CertNew) do={
 $LogPrintExit debug ("Certificate '" . $CertVal->"name" . "' was not updated, but replaced.") false;
+ :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
+ / certificate remove $CertNew;
+ $LogPrintExit warning ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.") true;
+ }
+ / ip service set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
 :do {
-- cgit v1.2.3-70-g09d2
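Review bot: The new condition reads `private-key` from `$CertVal` twice and compares it against the new certificate's flag; `:if (($CertVal->"private-key") = true && ($CertNewVal->"private-key") != true) do={` states the intent (old certificate has a key, replacement does not) directly while still treating a missing value on the new certificate as "no key". A why-comment above the check would help the next reader, e.g. `# the services switched below need a private key; a key-less replacement must not be activated`. The `/ certificate remove $CertNew` runs before `$LogPrintExit ... true`, so a failed removal presumably aborts the script before the warning is logged — if that matters, log first or wrap the removal in `:do { ... } on-error={ ... }`. The enclosing `:if ($Cert != $CertNew) do={` block continues past the hunk.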