From: William Lallemand Date: Sun, 28 Sep 2025 14:33:37 +0000 (+0200) Subject: ADMIN: dump-certs: don't update the file if it's up to date X-Git-Tag: v3.3-dev9~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8781c65d8afb0ac187416f0a4732018d5a6ace00;p=thirdparty%2Fhaproxy.git ADMIN: dump-certs: don't update the file if it's up to date Compare the fingerprint of the leaf certificate to the previous file to check if it needs to be updated or not Also skip the check if no file is on the disk.
---
diff --git a/admin/cli/haproxy-dump-certs b/admin/cli/haproxy-dump-certs
index 592147e88..1b2c15739 100755
--- a/admin/cli/haproxy-dump-certs
+++ b/admin/cli/haproxy-dump-certs
@@ -60,6 +60,21 @@ read_certificate() {
 return 0
 }
 
+cmp_certkey() {
+ prev=$1
+ new=$2
+
+ if [ ! -f "$prev" ]; then
+ return 1;
+ fi
+
+ if ! cmp -s <(openssl x509 -in "$prev" -noout -fingerprint -sha256) <(openssl x509 -in "$new" -noout -fingerprint -sha256); then
+ return 1
+ fi
+
+ return 0
+}
+
 dump_certificate() {
 name=$1
 crt_filename=$2
@@ -82,6 +97,11 @@ dump_certificate() {
 return 1
 fi
 
+ if cmp_certkey "${crt_filename}" "${crt_filename}.${tmp}"; then
+ echo "notice: ${crt_filename} is already up to date"
+ return 0
+ fi
+
 # move the current certificates to ".old.timestamp"
 mv "${crt_filename}" "${crt_filename}.${d}"
 [ "${crt_filename}" != "${key_filename}" ] && mv "${key_filename}" "${key_filename}.${d}"
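Review bot: cmp_certkey fails open when openssl fails: if `openssl x509` cannot parse both files, each process substitution yields no output and `cmp -s` on two empty streams returns 0, so the caller would report the certificate as up to date and skip the update. The comparison should capture each fingerprint, check the exit status, and require a non-empty value before reporting a match. `prev` and `new` are also assigned without `local`, so they leak into the caller's scope. The whole function is inside the hunk.

```shell
cmp_certkey() {
	# … unchanged: prev/new assignment and the missing-file check …

	# a failed openssl run must count as "differs", never as "equal"
	prev_fp=$(openssl x509 -in "$prev" -noout -fingerprint -sha256) || return 1
	new_fp=$(openssl x509 -in "$new" -noout -fingerprint -sha256) || return 1

	[ -n "$prev_fp" ] && [ "$prev_fp" = "$new_fp" ]
}
```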
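Review bot: The early `return 0` leaves `${crt_filename}.${tmp}` on disk unless something outside the hunk removes it. If the key was dumped to its own temporary file, a stray copy of the private key stays behind as well. Adding `rm -f "${crt_filename}.${tmp}"` before the `return 0`, plus the same for the key's temporary file if one exists, would close that. The check also looks only at the leaf certificate in `crt_filename`, so when `key_filename` is a separate file a missing key file or a changed chain goes undetected and the update is skipped. dump_certificate starts and ends outside the hunk, so the temp-file handling should be confirmed against the full function.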