don't overwrite certificate files
authorMarkus Germeier <markus@germeier.com>
Sun, 6 Dec 2015 13:33:00 +0000 (14:33 +0100)
committerLukas Schauer <lukas@schauer.so>
Sun, 6 Dec 2015 14:12:00 +0000 (15:12 +0100)
In a worst case scenario the new certificate is broken and we are left
without a working certificate (or need to restore one from our backup).

This way, if a new certificate turns out to be broken, we only need to point the symlink back at the last known-working certificate file.

letsencrypt.sh

index 9c36694c79aa89a2bdc29c6c23ff740847ff0425..e822df96cbc2da645c9ed365e32f379eb18f10ea 100755 (executable)
@@ -153,11 +153,14 @@ sign_domain() {
     echo "  + Challenge is valid!"
   done
 
-  # Finally request certificate from the acme-server and store it in cert.pem
+  # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
   echo "  + Requesting certificate..."
+  timestamp="$(date +%s)"
   csr64="$(openssl req -in "certs/${domain}/cert.csr" -outform DER | urlbase64)"
   crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
-  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert.pem"
+  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert-${timestamp}.pem"
+  rm -f "certs/${domain}/cert.pem"
+  ln -s "cert-${timestamp}.pem" "certs/${domain}/cert.pem"
   echo "  + Done!"
 }
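Review bot: The new code still repoints `cert.pem` at the freshly written file unconditionally (the `rm -f` / `ln -s` pair), so a malformed or empty response from `signed_request` now yields an unparseable `cert-<timestamp>.pem` that becomes the live certificate anyway, and the operator still has to relink by hand — the commit keeps the old file around but does not use it to protect the live path. Validating the written file with `openssl x509 -noout` before touching the symlink, and swapping the link via a temporary name plus `mv` rather than `rm` then `ln`, would make the rollover both safe and atomic; as written there is a window with no `cert.pem` at all, and a server reload in that window fails. `timestamp` is also assigned without `local`, so it leaks into the caller's scope (whether the rest of `sign_domain` uses `local` is not visible here). Note that on an installation where `cert.pem` is still a regular file from the old code, the first run's `rm -f` deletes the previous working certificate outright before the new scheme takes effect. `sign_domain` begins before this hunk.
```shell
  # … unchanged: challenge loop, csr64 / crt64 retrieval …
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert-${timestamp}.pem"
  # Only switch the live symlink once the new file parses as an X.509 certificate,
  # so a bad ACME response leaves cert.pem pointing at the previous known-good cert.
  if ! openssl x509 -in "certs/${domain}/cert-${timestamp}.pem" -noout >/dev/null 2>&1; then
    echo "  + ERROR: new certificate for ${domain} is not parseable, leaving cert.pem unchanged" >&2
    return 1
  fi
  # Create the link under a temporary name and rename it over cert.pem so the
  # swap is atomic and there is never a moment without a cert.pem.
  ln -sf "cert-${timestamp}.pem" "certs/${domain}/cert.pem.new"
  mv -f "certs/${domain}/cert.pem.new" "certs/${domain}/cert.pem"
  echo "  + Done!"
```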