ADMIN: dump-certs: don't update the file if it's up to date
authorWilliam Lallemand <wlallemand@irq6.net>
Sun, 28 Sep 2025 14:33:37 +0000 (16:33 +0200)
committerWilliam Lallemand <wlallemand@irq6.net>
Sun, 28 Sep 2025 16:21:20 +0000 (18:21 +0200)
Compare the SHA-256 fingerprint of the leaf certificate in the freshly dumped file with the one in the file already on disk, to decide whether the file needs to be updated or not.

Also skip the check if no file is on the disk.

admin/cli/haproxy-dump-certs

index 592147e88b72064b8ab7b648f5ec15b697fe0adb..1b2c15739c8e6943adb4e68248c30c46385f8cca 100755 (executable)
@@ -60,6 +60,21 @@ read_certificate() {
        return 0
 }
 
+cmp_certkey() {
+       prev=$1
+       new=$2
+
+       if [ ! -f "$prev" ]; then
+               return 1;
+       fi
+
+       if ! cmp -s <(openssl x509 -in "$prev" -noout -fingerprint -sha256) <(openssl x509 -in "$new" -noout -fingerprint -sha256); then
+               return 1
+       fi
+
+       return 0
+}
+
 dump_certificate() {
        name=$1
        crt_filename=$2
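Review bot: cmp_certkey only ever compares the `cmp` exit status, so a failed `openssl x509` (empty, truncated or non-PEM `$prev`) produces an empty stream and the result depends on whether the other side also failed — if both fail the function reports "up to date" and the existing file is kept. The `<(...)` process substitutions are also a bash/ksh extension; the shebang is outside this hunk, so this is a portability concern if the script is meant to run under plain `sh`. Both go away by capturing each fingerprint and bailing out on error: `prev_fp=$(openssl x509 -in "$prev" -noout -fingerprint -sha256 2>/dev/null) || return 1`, `new_fp=$(openssl x509 -in "$new" -noout -fingerprint -sha256 2>/dev/null) || return 1`, then `[ -n "$prev_fp" ] && [ "$prev_fp" = "$new_fp" ]`. Note also that despite its name the function looks only at the leaf certificate: a file whose chain (alternate intermediates) or key differs but whose leaf is unchanged is treated as up to date, which is worth a comment such as `# only the leaf fingerprint is compared; chain and key changes with the same leaf are not detected`.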
@@ -82,6 +97,11 @@ dump_certificate() {
                return 1
        fi
 
+       if cmp_certkey "${crt_filename}" "${crt_filename}.${tmp}"; then
+               echo "notice: ${crt_filename} is already up to date"
+               return 0
+       fi
+
        # move the current certificates to ".old.timestamp"
        mv "${crt_filename}" "${crt_filename}.${d}"
        [ "${crt_filename}" != "${key_filename}" ] && mv "${key_filename}" "${key_filename}.${d}"
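Review bot: The early `return 0` added after the cmp_certkey call leaves `${crt_filename}.${tmp}` behind, since the temporary file was written before this check and nothing in this hunk removes it; if the dump includes the private key, that is a stray copy of key material on disk, unless a cleanup path outside the hunk handles it (the rest of dump_certificate is not visible here). I would delete it before returning: `rm -f "${crt_filename}.${tmp}"` and, mirroring the mv below, `[ "${crt_filename}" != "${key_filename}" ] && rm -f "${key_filename}.${tmp}"` — assuming a separate key temp file exists, which the hunk does not show.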