diff --git a/acme-client.1 b/acme-client.1
index da11ab7..78e62a9 100644
--- a/acme-client.1
+++ b/acme-client.1
@@ -25,7 +25,7 @@
 .\" Not used in OpenBSD.
 .Sh SYNOPSIS
 .Nm acme-client
-.Op Fl bFmnNrsv
+.Op Fl bEFmnNrsv
 .Op Fl a Ar agreement
 .Op Fl C Ar challengedir
 .Op Fl c Ar certdir
@@ -87,6 +87,13 @@ is the current UNIX epoch.
 Any given backup effort will use the same epoch time for all three certificates.
 If there are no certificates in place, this does nothing.
+.It Fl E
+Expand
+.Sx Certificates
+to match the given Alternative names
+.Pq Dq SAN
+if these are missing from the existing certificate. This is useful if
+you want to add additional subdomains to an existing certificate.
 .It Fl F
 Force updating the certificate signature even if it's too soon.
 .It Fl m
diff --git a/extern.h b/extern.h
index ada0063..6f8748b 100644
--- a/extern.h
+++ b/extern.h
@@ -183,7 +183,7 @@ int certproc(int, int);
 int chngproc(int, const char *, const char *);
 int dnsproc(int);
 int revokeproc(int, const char *,
- int, int, const char *const *, size_t);
+ int, int, const char *const *, size_t, int);
 int fileproc(int, int, const char *);
 int keyproc(int, const char *, const char **, size_t, int);
diff --git a/main.c b/main.c
index 29e6d2d..f404843 100644
--- a/main.c
+++ b/main.c
@@ -66,7 +66,7 @@ main(int argc, char *argv[])
 cert_fds[2], file_fds[2], dns_fds[2], rvk_fds[2];
 pid_t pids[COMP__MAX];
- int c, rc, newacct, revoke, force,
+ int c, rc, newacct, revoke, force, expand,
 staging, multidir, newkey, backup, build_certdir, build_ssldir, build_acctdir;
 extern int verbose;
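Review bot: The new trailing `int` in the `revokeproc` prototype is the third unnamed int flag in that declaration (after the two on the continuation line), so a caller that transposes `force`, `revoke` and `expand` compiles without any complaint; the declaration is where callers look up the order. Naming the flags in the prototype, `int force, int revoke, const char *const *alts, size_t altsz, int expand);`, documents that order at the point of use. This departs from the file's unnamed-parameter style, so it is a style point only; the main.c call site in this commit does pass the arguments in the right order.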
@@ -75,13 +75,13 @@ main(int argc, char *argv[])
 const char **alts;
 alts = NULL;
- newacct = revoke = verbose = force =
+ newacct = revoke = verbose = force = expand =
 multidir = staging = newkey = backup = 0;
 certdir = keyfile = acctkey = chngdir = NULL;
 agreement = AGREEMENT;
 challenge = NULL;
- while (-1 != (c = getopt(argc, argv, "bFmnNrsva:f:c:C:k:t:")))
+ while (-1 != (c = getopt(argc, argv, "bEFmnNrsva:f:c:C:k:t:")))
 switch (c) {
 case ('a'):
 agreement = optarg;
@@ -99,6 +99,9 @@ main(int argc, char *argv[])
 if (NULL == (chngdir = strdup(optarg)))
 err(EXIT_FAILURE, "strdup");
 break;
+ case ('E'):
+ expand = 1;
+ break;
 case ('f'):
 free(acctkey);
 if (NULL == (acctkey = strdup(optarg)))
@@ -451,7 +454,7 @@ main(int argc, char *argv[])
 proccomp = COMP_REVOKE;
 c = revokeproc(rvk_fds[0], certdir, force, revoke,
- (const char *const *)alts, altsz);
+ (const char *const *)alts, altsz, expand);
 free(alts);
 exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
 }
@@ -492,7 +495,7 @@ main(int argc, char *argv[])
 (2 == c ? EXIT_SUCCESS : 2));
 usage:
 fprintf(stderr, "usage: %s "
- "[-bFmnNrsv] "
+ "[-bEFmnNrsv] "
 "[-a agreement] "
 "[-C challengedir] "
 "[-c certdir] "
diff --git a/revokeproc.c b/revokeproc.c
index 0ca74d0..3831a1e 100644
--- a/revokeproc.c
+++ b/revokeproc.c
@@ -100,7 +100,7 @@ X509expires(X509 *x)
 int
 revokeproc(int fd, const char *certdir, int force, int revoke,
- const char *const *alts, size_t altsz)
+ const char *const *alts, size_t altsz, int expand)
 {
 int rc, cc, i, extsz, ssz;
 long lval;
@@ -274,7 +274,8 @@ revokeproc(int fd, const char *certdir, int force, int revoke,
 continue;
 warnx("%s/%s: domain not listed: %s", certdir, CERT_PEM, alts[j]);
- goto out;
+ if (expand == 0)
+ goto out;
 }
 /*
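Review bot: Skipping `goto out` when `expand` is set lets control fall through past the loop, but nothing in this hunk records that a name was missing, so if the renewal decision after the loop (outside the hunk) only renews on `force` or on the expiry window, a certificate that merely lacks a SAN still takes the "nothing to do" path and -E has no effect unless combined with -F or a near-expired certificate; the man page text in this commit promises expansion on its own. A flag set at the point of the missing name, e.g. `else force = 1;` after the `goto out;` branch, or a dedicated `missing = 1;` consulted by the later decision, would make the option actually trigger a renewal; the loop body and the decision it feeds both continue outside the hunk. The `warnx` on the line before is also still emitted unconditionally, so an expected expansion is reported with the same error-style "domain not listed" message as a refused one; guarding it with the same `expand == 0` condition, or lowering it to a debug message when expanding, keeps the log distinguishable.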