Feature - if KEY_ALGO changed from algo of previously generated key - should ignore the 30 day renewal #546

Open
opened 2025-12-29 01:27:05 +01:00 by adam · 1 comment

Originally created by @nneul on GitHub (Jul 31, 2021).

I had been running with defaults, updated, and unintentionally generated some EC keys. Changing to explicitly setting KEY_ALGO to rsa did not regenerate cert without a force.

It seems that if the requested configuration doesn't match the content of the most recent cert, it should be requesting a new cert regardless of expiration.

This is obviously a preference/design question, I could see argument going either way.


@nneul commented on GitHub (Jul 31, 2021):

Just to be clear - my install was fairly outdated - from sometime last year before you added the KEY_ALGO=secp384r1 default change.

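The check requested in this issue, as an added example that is not part of the thread and not dehydrated's own code: compare the key type of the existing certificate with the configured KEY_ALGO and report a mismatch independently of the expiry date. The function names and the sample `openssl x509 -noout -text` excerpts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; cert_key_algo and key_algo_changed are hypothetical helper names.
# Real use: openssl x509 -in cert.pem -noout -text | key_algo_changed "$KEY_ALGO"

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
SAMPLE_EC='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                ASN1 OID: secp384r1
                NIST CURVE: P-384
    Signature Algorithm: sha256WithRSAEncryption'
SAMPLE_RSA='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)'

# Read certificate text on stdin, print "rsa", the EC curve name, or "unknown".
cert_key_algo() {
  local text algo curve
  text="$(cat)"
  algo="$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n1)"
  case "$algo" in
    rsaEncryption) echo rsa ;;
    id-ecPublicKey)
      curve="$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n1)"
      echo "${curve:-unknown}" ;;
    *) echo unknown ;;
  esac
}

# Exit status: 0 = key type differs from $1 (renew regardless of expiry),
# 1 = key type matches, 2 = could not be determined. The third case is kept
# separate so a parse failure never triggers a renewal on every run.
key_algo_changed() {
  local want="$1" have
  have="$(cert_key_algo)"
  if [ "$have" = unknown ]; then return 2; fi
  [ "$have" != "$want" ]
}

# Demo on the constructed EC sample: the situation described in the issue.
for want in rsa secp384r1; do
  if printf '%s\n' "$SAMPLE_EC" | key_algo_changed "$want"; then
    echo "KEY_ALGO=$want: key type differs, renew now"
  else
    echo "KEY_ALGO=$want: key type matches, normal expiry check applies"
  fi
done
```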

Reference: starred/dehydrated#546