From 0ef348b5e722b15b8763367c14d2445fd56a7919 Mon Sep 17 00:00:00 2001
From: srvrco
Date: Tue, 3 Jan 2017 14:57:15 +0000
Subject: [PATCH] ignore expiry if upgrading from staging to live server
---
 getssl | 42 ++++++++++--------------------------------
 1 file changed, 10 insertions(+), 32 deletions(-)
diff --git a/getssl b/getssl
index e67e891..823b13d 100755
--- a/getssl
+++ b/getssl
@@ -1248,8 +1248,7 @@ trap "signal_exit INT" INT
 while [[ -n ${1+defined} ]]; do
 case $1 in
 -h | --help)
- help_message
- graceful_exit ;;
+ help_message; graceful_exit ;;
 -d | --debug)
 _USE_DEBUG=1 ;;
 -c | --create)
@@ -1464,6 +1463,7 @@ if [[ -s "$DOMAIN_DIR/getssl.cfg" ]]; then
 . "$DOMAIN_DIR/getssl.cfg"
 fi
+# check config files for typical errors.
 check_config
 # Obtain CA resource locations
@@ -1512,8 +1512,6 @@ else
 fi
 # end of converting SERVER_TYPE names to port numbers and additional data.
-
-
 # if check_remote is true then connect and obtain the current certificate (if not forcing renewal)
 if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
 debug "getting certificate for $DOMAIN from remote server"
@@ -1587,8 +1585,6 @@ if [[ "${CHECK_REMOTE}" == "true" ]] && [[ $_FORCE_RENEW -eq 0 ]]; then
 fi
 # end of .... check_remote is true then connect and obtain the current certificate
-
-
 # if there is an existing certificate file, check details.
 if [[ -s "$CERT_FILE" ]]; then
 debug "certificate $CERT_FILE exists"
@@ -1597,9 +1593,14 @@ if [[ -s "$CERT_FILE" ]]; then
 if [[ "$enddate" != "-" ]]; then
 enddate_s=$(date_epoc "$enddate")
 if [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
- info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)"
- # everything is OK, so exit.
- graceful_exit
+ issuer=$(openssl x509 -in "$CERT_FILE" -noout -issuer 2>/dev/null)
+ if [[ "$issuer" == *"Fake LE Intermediate"* ]] && [[ "$CA" == "https://acme-v01.api.letsencrypt.org" ]]; then
+ debug "upgradeing from fake cert to real"
+ else
+ info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)"
+ # everything is OK, so exit.
+ graceful_exit
+ fi
 else
 debug "certificate for $DOMAIN needs renewal"
 fi
@@ -1621,7 +1622,6 @@ else
 create_key "$ACCOUNT_KEY_TYPE" "$ACCOUNT_KEY" "$ACCOUNT_KEY_LENGTH"
 fi
-
 # if not reusing priavte key, then remove the old keys
 if [[ "$REUSE_PRIVATE_KEY" != "true" ]]; then
 if [[ -s "$DOMAIN_DIR/${DOMAIN}.key" ]]; then
@@ -1640,8 +1640,6 @@ else
 fi
 # End of creating domain keys.
-
-
 #create SAN
 if [[ -z "$SANS" ]]; then
 SANLIST="subjectAltName=DNS:${DOMAIN}"
@@ -1660,7 +1658,6 @@ else
 create_csr "$DOMAIN_DIR/${DOMAIN}.ec.csr" "$DOMAIN_DIR/${DOMAIN}.ec.key"
 fi
-
 # use account key to register with CA
 # currently the code registers every time, and gets an "already registered" back if it has been.
 get_signing_params "$ACCOUNT_KEY"
@@ -1685,9 +1682,6 @@ else
 fi
 # end of registering account with CA
-
-
-
 # verify each domain
 info "Verify each domain"
@@ -1920,9 +1914,6 @@ fi
 # end of ... perform validation if via DNS challenge
 #end of varify each domain.
-
-
-
 # Verification has been completed for all SANS, so request certificate.
 info "Verification completed, obtaining certificate."
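Review bot: In the `@@ -1597,9 +1593,14 @@` hunk the staging-to-live test compares `$CA` by exact string, so a config that writes the live URL with a trailing slash would skip the branch and leave the untrusted staging certificate deployed until it nears expiry; `[[ "${CA%/}" == "https://acme-v01.api.letsencrypt.org" ]]` would tolerate that. `openssl x509 ... 2>/dev/null` leaves `issuer` empty when the file cannot be parsed, which silently takes the "still valid" exit, so a `debug "issuer of $CERT_FILE: $issuer"` line before the test would make that case diagnosable. The early renewal itself is logged only at debug level and with a typo; `info "upgrading from staging certificate to live CA"` would tell the operator why a non-expired certificate is being replaced. The enclosing `if [[ -s "$CERT_FILE" ]]` block starts and ends outside the hunk.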
@@ -1941,9 +1932,6 @@ cert_archive
 debug "Certificates obtained and archived locally, will now copy to specified locations"
-
-
-
 # copy certs to the correct location (creating concatenated files as required)
 copy_file_to_location "domain certificate" "$CERT_FILE" "$DOMAIN_CERT_LOCATION"
@@ -2011,15 +1999,9 @@ if [[ ! -z "$DOMAIN_PEM_LOCATION" ]]; then
 fi
 # end of copying certs.
-
-
-
 # Run reload command to restart apache / nginx or whatever system
 reload_service
-
-
-
 # deactivate authorizations
 if [[ "$DEACTIVATE_AUTH" == "true" ]]; then
 debug "in deactivate list is $deactivate_url_list"
@@ -2039,7 +2021,6 @@ if [[ "$DEACTIVATE_AUTH" == "true" ]]; then
 fi
 # end of deactivating authorizations
-
 # Check if the certificate is installed correctly
 if [[ ${CHECK_REMOTE} == "true" ]]; then
 sleep "$CHECK_REMOTE_WAIT"
@@ -2056,12 +2037,9 @@ if [[ ${CHECK_REMOTE} == "true" ]]; then
 fi
 # end of Check if the certificate is installed correctly
-
-
 # To have reached here, a certificate should have been successfully obtained.
 # Use echo rather than info so that 'quiet' is ignored.
 echo "certificate obtained for ${DOMAIN}"
-
 # gracefully exit ( tidying up temporary files etc).
 graceful_exit