From abccd21e7556c7967e1455ff41e4e17ee7bbf717 Mon Sep 17 00:00:00 2001
From: Lucas Savva
Date: Mon, 25 Nov 2024 23:29:35 +0000
Subject: [PATCH] feat: add --force-cert-domains flag to renew (#2355)

---
 cmd/cmd_renew.go | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/cmd/cmd_renew.go b/cmd/cmd_renew.go
index 1f9c08168..3cce35b45 100644
--- a/cmd/cmd_renew.go
+++ b/cmd/cmd_renew.go
@@ -26,6 +26,7 @@ const (
 flgReuseKey = "reuse-key"
 flgRenewHook = "renew-hook"
 flgNoRandomSleep = "no-random-sleep"
+ flgForceCertDomains = "force-cert-domains"
 )

 const (
@@ -53,6 +54,9 @@ func createRenew() *cli.Command {
 if !hasDomains && !hasCsr {
 log.Fatal("Please specify --%s/-d (or --%s/-c if you already have a CSR)", flgDomains, flgCSR)
 }
+ if ctx.Bool(flgForceCertDomains) && hasCsr {
+ log.Fatal("--%s only works with --%s/-d, --%s/-c doesn't support this option.", flgForceCertDomains, flgDomains, flgCSR)
+ }
 return nil
 },
 Flags: []cli.Flag{
@@ -110,6 +114,10 @@ func createRenew() *cli.Command {
 Usage: "Do not add a random sleep before the renewal." +
 " We do not recommend using this flag if you are doing your renewals in an automated way.",
 },
+ &cli.BoolFlag{
+ Name: flgForceCertDomains,
+ Usage: "Check and ensure that the cert's domain list matches those passed in the domains argument.",
+ },
 },
 }
 }
@@ -172,7 +180,12 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
 }
 }

- if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) {
+ forceDomains := ctx.Bool(flgForceCertDomains)
+
+ certDomains := certcrypto.ExtractDomains(cert)
+
+ if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) &&
+ (!forceDomains || slices.Equal(certDomains, domains)) {
 return nil
 }

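Review bot: The `log.Fatal` call in the new `hasCsr` guard carries printf-style `%s` verbs, but if lego's `log.Fatal` is the fmt.Sprint-style variant the verbs are printed literally and the three flag names are simply appended; `log.Fatalf` renders them, and since the pre-existing `log.Fatal("Please specify --%s/-d ...")` directly above has the same shape it may be worth switching both while here: `log.Fatalf("--%s only works with --%s/-d, --%s/-c doesn't support this option.", flgForceCertDomains, flgDomains, flgCSR)`. The guard itself is sound: combined with the preceding check it leaves `--domains` as the only accepted input source when the flag is set. The `Before` closure this sits in starts outside the hunk.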
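Review bot: The `Usage` text of the new `BoolFlag` says the domain list is checked but not what happens when it differs, which is exactly what an operator needs to know before enabling it in an automated renewal job: per the `renewForDomains` changes in this commit, a mismatch forces a renewal even when the certificate is not yet due, and the new certificate is issued for exactly the passed domains instead of the merged set. Suggest `Usage: "Check and ensure that the cert's domain list matches those passed in the domains argument. If they differ, the certificate is renewed immediately with exactly those domains (names in the old certificate that are not listed are dropped).",`.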
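Review bot: `slices.Equal(certDomains, domains)` is order-sensitive, so two identical domain sets in different order count as a mismatch and, with `--force-cert-domains` set, bypass both the ARI and the `needRenewal` checks on every run; `certDomains` comes from `certcrypto.ExtractDomains(cert)` and `domains` from the CLI, and nothing in this hunk establishes that the two orders agree. A renewal that fires on every scheduled invocation burns ACME issuance quota and yields a certificate that changes constantly, which is hard to tell apart from unexpected re-issuance during monitoring. Comparing sorted, de-duplicated copies gives the set semantics the non-forced `merge` path already implies, and a log line naming the mismatch as the renewal reason helps operators explain off-schedule issuances; any normalization applied elsewhere (case, trailing dot) should be applied to both sides before the compare, which I have not verified here. `renewForDomains` starts before this hunk.
```go
forceDomains := ctx.Bool(flgForceCertDomains)

certDomains := certcrypto.ExtractDomains(cert)

// Compare as sets: the order ExtractDomains yields need not match the CLI order,
// and an order-only difference must not force a renewal on every run.
wantDomains := slices.Compact(slices.Sorted(slices.Values(domains)))
haveDomains := slices.Compact(slices.Sorted(slices.Values(certDomains)))
sameDomains := slices.Equal(haveDomains, wantDomains)

if ariRenewalTime == nil && !needRenewal(cert, domain, ctx.Int(flgDays)) &&
	(!forceDomains || sameDomains) {
	return nil
}

if forceDomains && !sameDomains {
	log.Infof("[%s] acme: Domain list differs from the certificate, forcing renewal", domain)
}
```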
@@ -180,8 +193,6 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
 timeLeft := cert.NotAfter.Sub(time.Now().UTC())
 log.Infof("[%s] acme: Trying renewal with %d hours remaining", domain, int(timeLeft.Hours()))

- certDomains := certcrypto.ExtractDomains(cert)
-
 var privateKey crypto.PrivateKey
 if ctx.Bool(flgReuseKey) {
 keyBytes, errR := certsStorage.ReadFile(domain, keyExt)
@@ -207,8 +218,13 @@ func renewForDomains(ctx *cli.Context, client *lego.Client, certsStorage *Certif
 time.Sleep(sleepTime)
 }

+ renewalDomains := domains
+ if !forceDomains {
+ renewalDomains = merge(certDomains, domains)
+ }
+
 request := certificate.ObtainRequest{
- Domains: merge(certDomains, domains),
+ Domains: renewalDomains,
 PrivateKey: privateKey,
 MustStaple: ctx.Bool(flgMustStaple),
 NotBefore: getTime(ctx, flgNotBefore),
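Review bot: The new `renewalDomains` branch changes what gets issued without saying why — when `forceDomains` is set the request carries exactly `domains`, so any name present in the old certificate but absent from the CLI list is dropped from the renewed one — and a why-comment would keep the next reader from "fixing" it back to `merge`: `// With --force-cert-domains the renewed certificate must carry exactly the requested names; merging with certDomains would re-add names the user deliberately dropped.`. In the forced path `renewalDomains` also aliases the caller's `domains` slice, whereas the other path presumably gets a fresh slice from `merge`; if anything downstream appends to or sorts `request.Domains`, the caller's slice changes with it, and `renewalDomains := slices.Clone(domains)` makes the two paths behave alike. The surrounding function continues past the end of the hunk.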