diff --git a/webmin/config b/webmin/config
index 8869b6351..f5633e845 100644
--- a/webmin/config
+++ b/webmin/config
@@ -6,4 +6,5 @@ cron_mode=0
 osdn=1
 warn_days=7
 letsencrypt_dns_wait=10
-letsencrypt_algo=rsa
\ No newline at end of file
+letsencrypt_algo=rsa
+letsencrypt_reuse=1
\ No newline at end of file
diff --git a/webmin/config.info b/webmin/config.info
index ec174ecb1..fc6c0c453 100644
--- a/webmin/config.info
+++ b/webmin/config.info
@@ -9,3 +9,4 @@ letsencrypt_algo=Encryption algorithm for Let's Encrypt private key,1,rsa-RSA,ec
 letsencrypt_dns_wait=Seconds to wait for Let's Encrypt DNS propagation,0,5
 letsencrypt_before=Command to run before Let's Encrypt request,0,60
 letsencrypt_after=Command to run after Let's Encrypt request,0,60
+letsencrypt_reuse=Re-use existing Let's Encrypt keys?,1,1-Yes,0-No
diff --git a/webmin/letsencrypt-lib.pl b/webmin/letsencrypt-lib.pl
index 8b6dd3b78..b630f64de 100755
--- a/webmin/letsencrypt-lib.pl
+++ b/webmin/letsencrypt-lib.pl
@@ -57,17 +57,20 @@ return &software::missing_install_link( } # request_letsencrypt_cert(domain|&domains, webroot, [email], [keysize], -# [request-mode], [use-staging], [account-email]) +# [request-mode], [use-staging], [account-email], +# [reuse-key]) # Attempt to request a cert using a generated key with the Let's Encrypt client # command, and write it to the given path. Returns a status flag, and either # an error message or the paths to cert, key and chain files. sub request_letsencrypt_cert { -my ($dom, $webroot, $email, $size, $mode, $staging, $account_email, $key_type) = @_; +my ($dom, $webroot, $email, $size, $mode, $staging, $account_email, + $key_type, $reuse_key) = @_; my @doms = ref($dom) ? @$dom : ($dom); $email ||= "root\@$doms[0]"; $mode ||= "web"; @doms = &unique(@doms); +$reuse_key = $config{'letsencrypt_reuse'} if (!defined($reuse_key)); my ($challenge, $wellknown, $challenge_new, $wellknown_new, $wildcard); # Wildcard mode? 
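Review bot: The new default `letsencrypt_reuse=1` in webmin/config enables private-key reuse for every renewal, so the same key stays in service across renewals until an admin opts out, and the matching config.info line describes the option only as `Re-use existing Let's Encrypt keys?` without naming that trade-off. Consider shipping the default as `letsencrypt_reuse=0` so rotation on renewal remains the default behaviour, or at least reword the description to `Re-use existing Let's Encrypt private key on renewal (skips key rotation)?` so the choice is informed. The same point applies to the config.info hunk in this file.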
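Review bot: The updated signature comment on request_letsencrypt_cert lists `[reuse-key]` directly after `[account-email]`, but the `my (...) = @_` line places `$key_type` between them, so a caller following the comment would pass the reuse flag in the key-type slot. Change the two new comment lines to `# [request-mode], [use-staging], [account-email], [key-type],` and `# [reuse-key])`. The default line `$reuse_key = $config{'letsencrypt_reuse'} if (!defined($reuse_key));` reads correctly; the body of the sub continues outside the hunk.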
@@ -164,8 +167,9 @@ if ($letsencrypt_cmd) {
 &close_tempfile(TEMP);
 my $dir = $letsencrypt_cmd;
 my $cmd_ver = &get_certbot_major_version($letsencrypt_cmd);
- my $old_flags;
- my $new_flags;
+ my $old_flags = "";
+ my $new_flags = "";
+ my $reuse_flags = "";
 $key_type ||= $config{'letsencrypt_algo'} || 'rsa';
 if (&compare_version_numbers($cmd_ver, 1.11) < 0) {
 $old_flags = " --manual-public-ip-logging-ok";
@@ -173,24 +177,28 @@ if ($letsencrypt_cmd) {
 if (&compare_version_numbers($cmd_ver, 2.0) >= 0) {
 $new_flags = " --key-type ".quotemeta($key_type);
 }
+ if ($reuse_key) {
+ $reuse_flags = " --reuse-key";
+ }
 $dir =~ s/\/[^\/]+$//;
 $size ||= 2048;
 my $out;
 if ($mode eq "web") {
 # Webserver based validation
 &clean_environment();
- $out = &backquote_command(
+ $out = &backquote_logged(
 "cd $dir && (echo A | $letsencrypt_cmd certonly".
 " -a webroot ".
 join("", map { " -d ".quotemeta($_) } @doms).
 " --webroot-path ".quotemeta($webroot).
 " --duplicate".
 " --force-renewal".
- "$old_flags".
+ $reuse_flags.
+ $old_flags.
 " --non-interactive".
 " --agree-tos".
 " --config ".quotemeta($temp)."".
- "$new_flags".
+ $new_flags.
 " --rsa-key-size ".quotemeta($size).
 " --cert-name ".quotemeta($doms[0]).
 ($staging ? " --test-cert" : "").
@@ -200,7 +208,7 @@ if ($letsencrypt_cmd) {
 elsif ($mode eq "dns") {
 # DNS based validation, via hook script
 &clean_environment();
- $out = &backquote_command(
+ $out = &backquote_logged(
 "cd $dir && (echo A | $letsencrypt_cmd certonly".
 " --manual".
 join("", map { " -d ".quotemeta($_) } @doms).
@@ -209,11 +217,12 @@ if ($letsencrypt_cmd) {
 " --manual-cleanup-hook $cleanup_hook".
 " --duplicate".
 " --force-renewal".
- "$old_flags".
+ $reuse_flags.
+ $old_flags.
 " --non-interactive".
 " --agree-tos".
 " --config ".quotemeta($temp)."".
- "$new_flags".
+ $new_flags.
 " --rsa-key-size $size".
 " --cert-name ".quotemeta($doms[0]).
 ($staging ? " --test-cert" : "").
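Review bot: `$reuse_flags = " --reuse-key";` in the `@@ -173` hunk is set without any certbot version check, whereas `$old_flags` and `$new_flags` on the surrounding lines are both gated on `$cmd_ver`; on a certbot too old to know the option the whole certonly call fails with an unknown-argument error, so either gate it the same way (`if ($reuse_key && &compare_version_numbers($cmd_ver, <MIN-CERTBOT-VERSION>) >= 0)`) or document the minimum supported version beside the new config default. The same unguarded flag is spliced into the dns-mode command in the `@@ -209` hunk. It is also worth confirming how `--reuse-key` behaves when `letsencrypt_algo` is later changed, since `--key-type` is passed in the same command and the reused key would carry the old algorithm; the enclosing `if ($letsencrypt_cmd)` block and the command strings continue outside these hunks. While these flag lines are being touched, the dns branch interpolates `" --rsa-key-size $size"` bare where the web branch uses `" --rsa-key-size ".quotemeta($size).`, so aligning the dns line to the quoted form would keep both branches consistent.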