From b7439a83d6060a1c2c4aee6510c174699f511dbf Mon Sep 17 00:00:00 2001
From: Markus Germeier <markus@germeier.com>
Date: Sun, 6 Dec 2015 14:33:00 +0100
Subject: [PATCH] don't overwrite certificate files

In a worst case scenario the new certificate is broken and we are left
without a working certificate (or need to restore one from our backup).

This way we only need to change the symlink to the known working cert
---
 letsencrypt.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/letsencrypt.sh b/letsencrypt.sh
index 9c36694..e822df9 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -153,11 +153,14 @@ sign_domain() {
     echo "  + Challenge is valid!"
   done
 
-  # Finally request certificate from the acme-server and store it in cert.pem
+  # Finally request certificate from the acme-server and store it in cert-${timestamp}.pem and link from cert.pem
   echo "  + Requesting certificate..."
+  timestamp="$(date +%s)"
   csr64="$(openssl req -in "certs/${domain}/cert.csr" -outform DER | urlbase64)"
   crt64="$(signed_request "${CA}/acme/new-cert" '{"resource": "new-cert", "csr": "'"${csr64}"'"}' | openssl base64 -e)"
-  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert.pem"
+  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "${crt64}" > "certs/${domain}/cert-${timestamp}.pem"
+  rm -f "certs/${domain}/cert.pem"
+  ln -s "cert-${timestamp}.pem" "certs/${domain}/cert.pem"
   echo "  + Done!"
 }
 
-- 
2.47.2