Update PEM of private key after regenerating

Otherwise, leads to mismatched key + cert in storage
caddyserver · Jun 21, 2023 · dc8e4fa · dc8e4fa
1 parent dd8df32
commit dc8e4fa
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/config.go b/config.go
@@ -715,9 +715,6 @@ func (cfg *Config) storageHasCertResourcesAnyIssuer(ctx context.Context, name st
 // and its assets in storage if successful. It DOES NOT update the in-memory
 // cache with the new certificate. The certificate will not be renewed if it
 // is not close to expiring unless force is true.
-//
-// Renewing a certificate is the same as obtaining a certificate, except that
-// the existing private key already in storage is reused.
 func (cfg *Config) RenewCertSync(ctx context.Context, name string, force bool) error {
 	return cfg.renewCert(ctx, name, force, true)
 }
@@ -809,6 +806,14 @@ func (cfg *Config) renewCert(ctx context.Context, name string, force, interactiv
 			return err
 		}
 
+		// if we generated a new key, make sure to replace its PEM encoding too!
+		if !cfg.ReusePrivateKeys {
+			certRes.PrivateKeyPEM, err = PEMEncodePrivateKey(privateKey)
+			if err != nil {
+				return err
+			}
+		}
+
 		csr, err := cfg.generateCSR(privateKey, []string{name})
 		if err != nil {
 			return err