From 1e67b444632ef97ffc8c25e171fc9f1c079a3bc7 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Wed, 19 Aug 2020 18:52:00 +0200
Subject: [PATCH] api: ACME revoke: do not abort if CA is just expired

Else, a user would need to renew it first before being able to revoke
it, which does not make much sense..

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 PVE/API2/ACME.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
index 33890dac..393e6b01 100644
--- a/PVE/API2/ACME.pm
+++ b/PVE/API2/ACME.pm
@@ -357,7 +357,11 @@ __PACKAGE__->register_method ({
 	    $acme->load();
 
 	    print "Revoking old certificate\n";
-	    $acme->revoke_certificate($cert);
+	    eval { $acme->revoke_certificate($cert) };
+	    if (my $err = $@) {
+		# is there a better check?
+		die "Revoke request to CA failed: $err" if $err !~ /"Certificate is expired"/;
+	    }
 
 	    my $code = sub {
 		print "Deleting certificate files\n";