From 8781c65d8afb0ac187416f0a4732018d5a6ace00 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Sun, 28 Sep 2025 16:33:37 +0200
Subject: [PATCH] ADMIN: dump-certs: don't update the file if it's up to date
Compare the fingerprint of the leaf certificate to the previous file to check if it needs to be updated or not
Also skip the check if no file is on the disk.
---
 admin/cli/haproxy-dump-certs | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/admin/cli/haproxy-dump-certs b/admin/cli/haproxy-dump-certs
index 592147e88..1b2c15739 100755
--- a/admin/cli/haproxy-dump-certs
+++ b/admin/cli/haproxy-dump-certs
@@ -60,6 +60,21 @@ read_certificate() {
 return 0
 }
+cmp_certkey() {
+ prev=$1
+ new=$2
+
+ if [ ! -f "$prev" ]; then
+ return 1;
+ fi
+
+ if ! cmp -s <(openssl x509 -in "$prev" -noout -fingerprint -sha256) <(openssl x509 -in "$new" -noout -fingerprint -sha256); then
+ return 1
+ fi
+
+ return 0
+}
+
 dump_certificate() {
 name=$1
 crt_filename=$2
@@ -82,6 +97,11 @@ dump_certificate() {
 return 1
 fi
+ if cmp_certkey "${crt_filename}" "${crt_filename}.${tmp}"; then
+ echo "notice: ${crt_filename} is already up to date"
+ return 0
+ fi
+
 # move the current certificates to ".old.timestamp"
 mv "${crt_filename}" "${crt_filename}.${d}"
 [ "${crt_filename}" != "${key_filename}" ] && mv "${key_filename}" "${key_filename}.${d}"
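Review bot: `cmp_certkey` answers "up to date" when both `openssl x509` calls fail, because the two process substitutions are then empty and `cmp -s` on two empty streams succeeds; openssl's exit status is never checked. Capturing each fingerprint in a variable and returning 1 on a failed or empty result makes the check fail closed, and it also removes the need for `<( )`, which only works under bash. The name promises more than the body does: only the first certificate in each file is fingerprinted, so a changed chain or a missing key file goes unnoticed, and a comment above the function should say so.

```shell
cmp_certkey() {
	# ... unchanged: prev/new assignment and the "$prev" existence check ...

	# a failed or empty fingerprint must never count as "up to date"
	prev_fp=$(openssl x509 -in "$prev" -noout -fingerprint -sha256) || return 1
	new_fp=$(openssl x509 -in "$new" -noout -fingerprint -sha256) || return 1
	[ -n "$prev_fp" ] || return 1

	[ "$prev_fp" = "$new_fp" ]
}
```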
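Review bot: The early `return 0` added to `dump_certificate` leaves `${crt_filename}.${tmp}` on disk, since the lines that would move it over the live file are skipped. Unless cleanup happens outside this hunk, every run that finds nothing to update leaves another temporary copy behind, and that copy may contain the private key. Removing it before returning closes that gap, e.g. `rm -f "${crt_filename}.${tmp}"` ahead of the `echo`, plus the matching key temporary if one is written separately (its name is not visible here). The function starts and ends outside the hunk, so this assumes no trap already removes the file.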