From 6e3eeed0c2d9781e6599db57cf2945db3a5e686d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Schr=C3=B6tter?=
Date: Wed, 16 Nov 2016 20:17:03 +0100
Subject: [PATCH 1/3] Implement RENEW_ALLOW=false to disable auto-renewal of certs.

This is very useful for destinations which are not online 24/7. Or for keyfiles protected by passphrase for security considerations. You can still use the great getssl toolset, just --force the renewal.
---
 getssl | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/getssl b/getssl
index 85a6038..354378e 100755
--- a/getssl
+++ b/getssl
@@ -156,10 +156,11 @@
 # 2016-11-08 Add and comment optional sshuserid for ssh ACL (1.80)
 # 2016-11-09 Add SKIP_HTTP_TOKEN_CHECK option (Issue #170) (1.81)
 # 2016-11-13 bug fix DOMAIN_KEY_CERT generation (1.82)
+# 2016-11-16 Implement RENEW_ALLOW=false to disable auto-renewal (1.83)
 # ----------------------------------------------------------------------------------------
 
 PROGNAME=${0##*/}
-VERSION="1.82"
+VERSION="1.83"
 
 # defaults
 CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
@@ -1442,16 +1443,21 @@ fi
 # if there is an existing certificate file, check details.
 if [[ -s "$CERT_FILE" ]]; then
 debug "certificate $CERT_FILE exists"
- enddate=$(openssl x509 -in "$CERT_FILE" -noout -enddate 2>/dev/null| cut -d= -f 2-)
- debug "local cert is valid until $enddate"
- if [[ "$enddate" != "-" ]]; then
- enddate_s=$(date_epoc "$enddate")
- if [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
- info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)"
- # everything is OK, so exit.
- graceful_exit
- else
- debug "certificate for $DOMAIN needs renewal"
+ if [[ "$RENEW_ALLOW" == "false" ]]; then
+ info "Auto-renewal disabled."
+ graceful_exit
+ else
+ enddate=$(openssl x509 -in "$CERT_FILE" -noout -enddate 2>/dev/null| cut -d= -f 2-)
+ debug "local cert is valid until $enddate"
+ if [[ "$enddate" != "-" ]]; then
+ enddate_s=$(date_epoc "$enddate")
+ if [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
+ info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)"
+ # everything is OK, so exit.
+ graceful_exit
+ else
+ debug "certificate for $DOMAIN needs renewal"
+ fi
 fi
 fi
 fi
From 454c32aeed9397bb392984bd2b24f2701dab99e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Schr=C3=B6tter?=
Date: Wed, 16 Nov 2016 20:35:29 +0100
Subject: [PATCH 2/3] Bugfix for RENEW_ALLOW=false (--force ignored)
---
 getssl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/getssl b/getssl
index 354378e..4e24f2b 100755
--- a/getssl
+++ b/getssl
@@ -1443,7 +1443,7 @@ fi
 # if there is an existing certificate file, check details.
 if [[ -s "$CERT_FILE" ]]; then
 debug "certificate $CERT_FILE exists"
- if [[ "$RENEW_ALLOW" == "false" ]]; then
+ if [[ "$RENEW_ALLOW" == "false" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
 info "Auto-renewal disabled."
 graceful_exit
 else
From d3b91d9229801adc671ddae6f8f9a7d7a58a99ff Mon Sep 17 00:00:00 2001
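Review bot: The new `info "Auto-renewal disabled."` branch calls `graceful_exit` before `enddate` is read from the certificate, so an unattended run against a certificate that is about to expire logs a success-looking line with no expiry date; since this option exists for hosts that cannot renew on their own, that is precisely the run in which the operator needs the date. Moving `enddate=$(openssl x509 -in "$CERT_FILE" -noout -enddate 2>/dev/null| cut -d= -f 2-)` and `debug "local cert is valid until $enddate"` ahead of the `RENEW_ALLOW` test and logging `info "Auto-renewal disabled for $DOMAIN (certificate valid until $enddate)"` keeps that information without changing control flow. The same shape is carried through the `@@ -1443,7` hunk of the second patch and the `@@ -1443,22` hunk of the third, so the change belongs in the final form there. Only the exact lowercase string `false` is recognised; a value such as `False` or `no` falls through to `date_renew`, whose handling of a non-numeric `RENEW_ALLOW` is not visible in this hunk, so either a `case "$RENEW_ALLOW" in [Ff][Aa][Ll][Ss][Ee])` pattern or an `error_exit` on any value that is neither a number nor `false` would make the switch robust.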
From: =?UTF-8?q?Christian=20Schr=C3=B6tter?=
Date: Thu, 17 Nov 2016 01:56:30 +0100
Subject: [PATCH 3/3] Final cleanup for RENEW_ALLOW=false
---
 getssl | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/getssl b/getssl
index 4e24f2b..897836d 100755
--- a/getssl
+++ b/getssl
@@ -666,7 +666,7 @@ get_signing_params() { # get signing parameters from key
 *) error_exit "invalid curve algorithm type $gsp_keytype";;
 esac
 fi
- case "$crv" in
+ case "$crv" in
 P-256) jwkalg="ES256" ; signalg="sha256" ;;
 P-384) jwkalg="ES384" ; signalg="sha384" ;;
 P-521) jwkalg="ES512" ; signalg="sha512" ;;
@@ -1443,22 +1443,26 @@ fi
 # if there is an existing certificate file, check details.
 if [[ -s "$CERT_FILE" ]]; then
 debug "certificate $CERT_FILE exists"
- if [[ "$RENEW_ALLOW" == "false" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
- info "Auto-renewal disabled."
- graceful_exit
- else
- enddate=$(openssl x509 -in "$CERT_FILE" -noout -enddate 2>/dev/null| cut -d= -f 2-)
- debug "local cert is valid until $enddate"
- if [[ "$enddate" != "-" ]]; then
- enddate_s=$(date_epoc "$enddate")
- if [[ $(date_renew) -lt "$enddate_s" ]] && [[ $_FORCE_RENEW -ne 1 ]]; then
- info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)"
- # everything is OK, so exit.
- graceful_exit
- else
- debug "certificate for $DOMAIN needs renewal"
+ if [[ $_FORCE_RENEW -ne 1 ]]; then
+ if [[ "$RENEW_ALLOW" == "false" ]]; then
+ info "Auto-renewal for $DOMAIN disabled"
+ graceful_exit
+ else
+ enddate=$(openssl x509 -in "$CERT_FILE" -noout -enddate 2>/dev/null| cut -d= -f 2-)
+ debug "local cert is valid until $enddate"
+ if [[ "$enddate" != "-" ]]; then
+ enddate_s=$(date_epoc "$enddate")
+ if [[ $(date_renew) -lt "$enddate_s" ]]; then
+ info "certificate for $DOMAIN is still valid for more than $RENEW_ALLOW days (until $enddate)"
+ # everything is OK, so exit.
+ graceful_exit
+ else
+ debug "certificate for $DOMAIN needs renewal"
+ fi
 fi
 fi
+ else
+ debug "Renewal for $DOMAIN forced"
 fi
 fi
 # end of .... if there is an existing certificate file, check details.
@@ -1727,7 +1731,7 @@ for d in $alldomains; do
 ftp -n <<- EOF
 open $ftphost
 user $ftpuser $ftppass
- cd $ftplocn
+ cd $ftplocn
 delete ${token:?}
 EOF
 else
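Review bot: The restructured block nests the renewal-window test five `if` levels deep (`-s "$CERT_FILE"`, `_FORCE_RENEW`, `RENEW_ALLOW`, `enddate`, `date_renew`), and the new `debug "Renewal for $DOMAIN forced"` branch lands some twenty lines below the `_FORCE_RENEW` test it belongs to; a guard-clause chain that tests the forced case first and the disabled case second keeps each `fi` next to its condition while leaving the existing expiry check untouched in the final `else`. The behaviour is the same: `_FORCE_RENEW -eq 1` selects exactly the branch that `-ne 1` currently routes to the outer `else`, including when the variable is empty. It is also worth a comment that the option is consulted only inside the `-s "$CERT_FILE"` guard, so it has no effect on a run where no certificate exists yet. The `if [[ -s "$CERT_FILE" ]]` block is fully inside the hunk, but the script's flow continues below it.
```shell
  debug "certificate $CERT_FILE exists"
  # RENEW_ALLOW=false only short-circuits this existing-certificate check; it has no effect when $CERT_FILE is absent
  if [[ $_FORCE_RENEW -eq 1 ]]; then
    debug "Renewal for $DOMAIN forced"
  elif [[ "$RENEW_ALLOW" == "false" ]]; then
    info "Auto-renewal for $DOMAIN disabled"
    graceful_exit
  else
    # … unchanged: enddate lookup and renewal-window test …
  fi
```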