From 04910e15b6a4a3283c61d6eaf8a90147c9570f7c Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Wed, 26 Jan 2022 13:24:23 +0100
Subject: util.prosodyctl.cert: Look for certificates in a consistent order

Shortest first, then alphabetically, so that it prefers the base domain over subdomains. Fixes that it might otherwise pick a random sub-domain for filename on each run, cluttering the certs directory and potentially tricking Prosody into using an older certificate that might be about to expire.
---
util/prosodyctl/cert.lua | 9 +++++++++
1 file changed, 9 insertions(+)
(limited to 'util/prosodyctl/cert.lua')
diff --git a/util/prosodyctl/cert.lua b/util/prosodyctl/cert.lua
index 236fc99e..a60a9647 100644
--- a/util/prosodyctl/cert.lua
+++ b/util/prosodyctl/cert.lua
@@ -221,6 +221,15 @@ function cert_commands.import(arg)
 cm.index_certs(dir, files_by_name);
 end
 local imported = {};
+ table.sort(hostnames, function (a, b)
+ -- Try to find base domain name before sub-domains, then alphabetically, so
+ -- that the order and choice of file name is deterministic.
+ if #a == #b then
+ return a < b;
+ else
+ return #a < #b;
+ end
+ end);
 for _, host in ipairs(hostnames) do
 local paths = cm.find_cert_in_index(files_by_name, host);
 if paths and imported[paths.certificate] then
-- 
cgit v1.2.3
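Review bot: Certificate files that earlier runs already wrote under a sub-domain name are not touched by anything visible in this hunk, so the stale-certificate case the description mentions can persist after upgrading until those files are removed by hand. The ordering only makes future imports deterministic; a comment beside the sort such as `-- NOTE: files written under other host names by earlier runs are not cleaned up here` would record that, and a warning when the same certificate already exists under another host's file name may be worth considering. Separately, `table.sort` reorders `hostnames` in place, and where that table comes from lies outside the hunk, so it is worth confirming that nothing later in `cert_commands.import` relies on its original order. The function starts and ends outside the hunk.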