Reuse the existing let's encrypt key by default http://github.com/virtualmin/virtualmin-gpl/issues/414

webmin/config

@@ -6,4 +6,5 @@ cron_mode=0
 osdn=1
 warn_days=7
 letsencrypt_dns_wait=10
-letsencrypt_algo=rsa
+letsencrypt_algo=rsa
+letsencrypt_reuse=1

webmin/config.info

@@ -9,3 +9,4 @@ letsencrypt_algo=Encryption algorithm for Let's Encrypt private key,1,rsa-RSA,ec
 letsencrypt_dns_wait=Seconds to wait for Let's Encrypt DNS propagation,0,5
 letsencrypt_before=Command to run before Let's Encrypt request,0,60
 letsencrypt_after=Command to run after Let's Encrypt request,0,60
+letsencrypt_reuse=Re-use existing Let's Encrypt keys?,1,1-Yes,0-No

webmin/letsencrypt-lib.pl

@@ -57,17 +57,20 @@ return &software::missing_install_link(
 }
 
 # request_letsencrypt_cert(domain|&domains, webroot, [email], [keysize],
-# 			   [request-mode], [use-staging], [account-email])
+# 			   [request-mode], [use-staging], [account-email],
+# 			   [reuse-key])
 # Attempt to request a cert using a generated key with the Let's Encrypt client
 # command, and write it to the given path. Returns a status flag, and either
 # an error message or the paths to cert, key and chain files.
 sub request_letsencrypt_cert
 {
-my ($dom, $webroot, $email, $size, $mode, $staging, $account_email, $key_type) = @_;
+my ($dom, $webroot, $email, $size, $mode, $staging, $account_email,
+    $key_type, $reuse_key) = @_;
 my @doms = ref($dom) ? @$dom : ($dom);
 $email ||= "root\@$doms[0]";
 $mode ||= "web";
 @doms = &unique(@doms);
+$reuse_key = $config{'letsencrypt_reuse'} if (!defined($reuse_key));
 my ($challenge, $wellknown, $challenge_new, $wellknown_new, $wildcard);
 
 # Wildcard mode?
@@ -164,8 +167,9 @@ if ($letsencrypt_cmd) {
 	&close_tempfile(TEMP);
 	my $dir = $letsencrypt_cmd;
 	my $cmd_ver = &get_certbot_major_version($letsencrypt_cmd);
-	my $old_flags;
-	my $new_flags;
+	my $old_flags = "";
+	my $new_flags = "";
+	my $reuse_flags = "";
 	$key_type ||= $config{'letsencrypt_algo'} || 'rsa';
 	if (&compare_version_numbers($cmd_ver, 1.11) < 0) {
 		$old_flags = " --manual-public-ip-logging-ok";
@@ -173,24 +177,28 @@ if ($letsencrypt_cmd) {
 	if (&compare_version_numbers($cmd_ver, 2.0) >= 0) {
 		$new_flags = " --key-type ".quotemeta($key_type);
 		}
+	if ($reuse_key) {
+		$reuse_flags = " --reuse-key";
+		}
 	$dir =~ s/\/[^\/]+$//;
 	$size ||= 2048;
 	my $out;
 	if ($mode eq "web") {
 		# Webserver based validation
 		&clean_environment();
-		$out = &backquote_command(
+		$out = &backquote_logged(
 			"cd $dir && (echo A | $letsencrypt_cmd certonly".
 			" -a webroot ".
 			join("", map { " -d ".quotemeta($_) } @doms).
 			" --webroot-path ".quotemeta($webroot).
 			" --duplicate".
 			" --force-renewal".
-			"$old_flags".
+			$reuse_flags.
+			$old_flags.
 			" --non-interactive".
 			" --agree-tos".
 			" --config ".quotemeta($temp)."".
-			"$new_flags".
+			$new_flags.
 			" --rsa-key-size ".quotemeta($size).
 			" --cert-name ".quotemeta($doms[0]).
 			($staging ? " --test-cert" : "").
@@ -200,7 +208,7 @@ if ($letsencrypt_cmd) {
 	elsif ($mode eq "dns") {
 		# DNS based validation, via hook script
 		&clean_environment();
-		$out = &backquote_command(
+		$out = &backquote_logged(
 			"cd $dir && (echo A | $letsencrypt_cmd certonly".
 			" --manual".
 			join("", map { " -d ".quotemeta($_) } @doms).
@@ -209,11 +217,12 @@ if ($letsencrypt_cmd) {
 			" --manual-cleanup-hook $cleanup_hook".
 			" --duplicate".
 			" --force-renewal".
-			"$old_flags".
+			$reuse_flags.
+			$old_flags.
 			" --non-interactive".
 			" --agree-tos".
 			" --config ".quotemeta($temp)."".
-			"$new_flags".
+			$new_flags.
 			" --rsa-key-size $size".
 			" --cert-name ".quotemeta($doms[0]).
 			($staging ? " --test-cert" : "").