From: Markus Germeier Date: Sun, 6 Dec 2015 13:33:00 +0000 (+0100) Subject: don't overwrite certificate files X-Git-Tag: v0.1.0~207 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7439a83d6060a1c2c4aee6510c174699f511dbf;p=thirdparty%2Fdehydrated.git don't overwrite certificate files In a worst case scenario the new certificate is broken and we are left without a working certificate (or need to restore one from our backup). This way we only need to change the symlink to the known working cert
---
diff --git a/letsencrypt.sh b/letsencrypt.sh
index 9c36694..e822df9 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -153,11 +153,14 @@ sign_domain() {
     echo " + Challenge is valid!"
   done
-  # Finally request certificate from the acme-server and store it in cert.pem
+  # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
   echo " + Requesting certificate..."
+  timestamp="$(date +%s)"
   csr64="$(openssl req -in "certs/${domain}/cert.csr" -outform DER | urlbase64)"
   crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
-  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert.pem"
+  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert-${timestamp}.pem"
+  rm -f "certs/${domain}/cert.pem"
+  ln -s "cert-${timestamp}.pem" "certs/${domain}/cert.pem"
   echo " + Done!"
 }
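Review bot: The cert.pem symlink is repointed unconditionally, so the broken-certificate case the commit message describes still ends up as the live cert.pem — the change makes rollback easier but does not detect the failure. Before the `rm -f`, parse the freshly written file and stop while the old link is still intact: `openssl x509 -noout -in "certs/${domain}/cert-${timestamp}.pem" || { echo "  ! Invalid certificate, keeping existing cert.pem" >&2; return 1; }`. The `rm -f`/`ln -s` pair also leaves a window in which no cert.pem exists for anything reading the directory concurrently; creating the link under a temporary name and renaming it into place (`ln -s "cert-${timestamp}.pem" "certs/${domain}/cert.pem.new" && mv -f "certs/${domain}/cert.pem.new" "certs/${domain}/cert.pem"`) makes the switch atomic. A second run within the same second reuses the same `${timestamp}` and the `>` redirection silently overwrites that file, which is the overwrite this commit set out to avoid; a finer timestamp or a check that the target does not already exist would close that. sign_domain begins before this hunk, so whether the script runs under `set -e`/`pipefail` — which decides whether a failed signed_request reaches the printf with an empty crt64 — is not visible here.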