update symlinks after signing the certificate

diff --git a/letsencrypt.sh b/letsencrypt.sh
index 4c2b6e1065abf85e18cde5a1eaa591dc94897092..0f98ee6b1f6b20d6bcf83488d119facc50ce135a 100755 (executable)
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -120,12 +120,12 @@ sign_domain() {
     mkdir -p "${BASEDIR}/certs/${domain}"
   fi
 
+  privkey="privkey.pem"
   # generate a new private key if we need or want one
   if [[ ! -f "${BASEDIR}/certs/${domain}/privkey.pem" ]] || [[ "${PRIVATE_KEY_RENEW}" = "yes" ]]; then
     echo " + Generating private key..."
+    privkey="privkey-${timestamp}.pem"
     openssl genrsa -out "${BASEDIR}/certs/${domain}/privkey-${timestamp}.pem" "${KEYSIZE}" 2> /dev/null > /dev/null
-    rm -f "${BASEDIR}/certs/${domain}/privkey.pem"
-    ln -s "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
   fi
 
   # Generate signing request config and the actual signing request
@@ -135,9 +135,7 @@ sign_domain() {
   done
   SAN="${SAN%%, }"
   echo " + Generating signing request..."
-  openssl req -new -sha256 -key "${BASEDIR}/certs/${domain}/privkey.pem" -out "${BASEDIR}/certs/${domain}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config <(cat "${OPENSSL_CNF}" <(printf "[SAN]\nsubjectAltName=%s" "${SAN}")) > /dev/null
-  rm -f "${BASEDIR}/certs/${domain}/cert.csr"
-  ln -s "cert-${timestamp}.csr" "${BASEDIR}/certs/${domain}/cert.csr"
+  openssl req -new -sha256 -key "${BASEDIR}/certs/${domain}/${privkey}" -out "${BASEDIR}/certs/${domain}/cert-${timestamp}.csr" -subj "/CN=${domain}/" -reqexts SAN -config <(cat "${OPENSSL_CNF}" <(printf "[SAN]\nsubjectAltName=%s" "${SAN}")) > /dev/null
 
   # Request and respond to challenges
   for altname in $altnames; do
@@ -192,11 +190,9 @@ sign_domain() {
 
   # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
   echo " + Requesting certificate..."
-  csr64="$(openssl req -in "${BASEDIR}/certs/${domain}/cert.csr" -outform DER | urlbase64)"
+  csr64="$(openssl req -in "${BASEDIR}/certs/${domain}/cert-${timestamp}.csr" -outform DER | urlbase64)"
   crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
   printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "${BASEDIR}/certs/${domain}/cert-${timestamp}.pem"
-  rm -f "${BASEDIR}/certs/${domain}/cert.pem"
-  ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
 
   # Create fullchain.pem
   if [[ -e "${BASEDIR}/certs/${ROOTCERT}" ]] || [[ -e "${SCRIPTDIR}/certs/${ROOTCERT}" ]]; then
@@ -211,6 +207,18 @@ sign_domain() {
     ln -s "fullchain-${timestamp}.pem" "${BASEDIR}/certs/${domain}/fullchain.pem"
   fi
 
+  # Update remaining symlinks
+  if [ ! "${privkey}" = "privkey.pem" ]; then
+    rm -f "${BASEDIR}/certs/${domain}/privkey.pem"
+    ln -s "privkey-${timestamp}.pem" "${BASEDIR}/certs/${domain}/privkey.pem"
+  fi
+
+  rm -f "${BASEDIR}/certs/${domain}/cert.csr"
+  ln -s "cert-${timestamp}.csr" "${BASEDIR}/certs/${domain}/cert.csr"
+
+  rm -f "${BASEDIR}/certs/${domain}/cert.pem"
+  ln -s "cert-${timestamp}.pem" "${BASEDIR}/certs/${domain}/cert.pem"
+
   echo " + Done!"
 }