From 0fee5cea3c6b14e0d612fb0ea28fa49967ce7e1a Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Fri, 16 Jan 2026 13:35:05 +0100
Subject: [PATCH] check-certificates: move the warning below check for key

---
 check-certificates.rsc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index 1dd61299..88f144a2 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -197,16 +197,16 @@
           fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
         :local CertNewVal [ /certificate/get $CertNew ];
 
-        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
-          $LogPrint warning $ScriptName ("The certificate chain is not available!");
-        }
-
         :if (($CertVal->"private-key") = true && ($CertVal->"private-key") != ($CertNewVal->"private-key")) do={
           /certificate/remove $CertNew;
           $LogPrint warning $ScriptName ("Old certificate '" . ($CertVal->"name") . "' has a private key, new certificate does not. Aborting renew.");
           :error false;
         }
 
+        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
+          $LogPrint warning $ScriptName ("The certificate chain is not available!");
+        }
+
         /ip/service/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];
 
         /ip/ipsec/identity/set certificate=($CertNewVal->"name") [ find where certificate=($CertVal->"name") ];