don't overwrite certificate files

In a worst case scenario the new certificate is broken and we are left without a working certificate (or need to restore one from our backup). This way we only need to change the symlink to the known working cert

don't overwrite certificate files
In a worst case scenario the new certificate is broken and we are left without a working certificate (or need to restore one from our backup). This way we only need to change the symlink to the known working cert
b7439a83 · Markus Germeier · Lukas Schauer · 5a213f5f · b7439a83
Commit b7439a83 authored Dec 06, 2015 by Markus Germeier Committed by Lukas Schauer Dec 06, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

letsencrypt.sh letsencrypt.sh +5 -2

No files found.
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -153,11 +153,14 @@ sign_domain() {
    echo "  + Challenge is valid!"
  done

-  # Finally request certificate from the acme-server and store it in cert.pem
+  # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
  echo "  + Requesting certificate..."
+  timestamp="$(date +%s)"
  csr64="$(openssl req -in "certs/${domain}/cert.csr" -outform DER | urlbase64)"
  crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
-  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert.pem"
+  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert-${timestamp}.pem"
+  rm -f "certs/${domain}/cert.pem"
+  ln -s "cert-${timestamp}.pem" "certs/${domain}/cert.pem"
  echo "  + Done!"
 }