From f4af28d7e526bd56a78225daf84d11cdf96bd611 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 22 Feb 2017 10:51:08 +0100
Subject: new-cert: create certificate files atomically.

---
 Changelog |  1 +
 lacme     | 27 ++++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/Changelog b/Changelog
index 451eace..b23191f 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,7 @@ lacme (0.3) upstream;
   + When parsing config-cert files and directories (default "lacme-certs.conf lacme-certs.conf.d"), import the default section of files read earlier.
+  + new-cert: create certificate files atomically.
   - Ensure lacme's config file descriptor is not passed to the accountd or webserver components.
   - new-cert: sort section names if not passed explicitely.
diff --git a/lacme b/lacme
index b654c7d..a8c25fe 100755
--- a/lacme
+++ b/lacme
@@ -524,16 +524,25 @@ sub spawn($@) {
 sub install_cert($$@) {
     my $filename = shift;
     my $x509 = shift;
-
-    open my $fh, '>', $filename or die "Can't open $filename: $!";
-    print $fh $x509;
-    foreach (@_) { # append the chain
-        open my $fh2, '<', $_ or die "Can't open $_: $!";
-        my $ca = do { local $/ = undef; $fh2->getline() };
-        print $fh $ca;
-        close $fh2 or die "Can't close: $!";
+    my @chain = @_;
+
+    my $tmp = "$filename.new";
+    open my $fh, '>', $tmp or die "Can't open $tmp: $!";
+    eval {
+        $fh->print($x509) or die "Can't print: $!";
+        foreach (@chain) { # append the chain
+            open my $fh2, '<', $_ or die "Can't open $_: $!";
+            my $ca = do { local $/ = undef; $fh2->getline() };
+            $fh2->close() or die "Can't close: $!";
+            $fh->print($ca) or die "Can't print: $!";
+        }
+        $fh->close() or die "Can't close: $!";
+    };
+    if ($@) {
+        unlink $tmp or warn "Can't unlink $tmp: $!";
+        die $@;
     }
-    close $fh or die "Can't close: $!";
+    rename($tmp, $filename) or die "Can't rename $tmp to $filename: $!";
 }
-- 
cgit v1.2.3
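Review bot: The staging file name `"$filename.new"` is fixed and opened with `'>'`, so a leftover or pre-planted entry of that name in the certificate directory (including a symlink) is silently truncated and written through, and two concurrent runs would overwrite each other's staging file before the `rename`; the rename itself is only atomic with respect to the final name. Creating the staging file with `O_CREAT|O_EXCL` removes both issues, e.g. `use File::Temp qw(tempfile); use File::Basename qw(dirname);` and `my ($fh, $tmp) = tempfile("$filename.XXXXXX", DIR => dirname($filename), UNLINK => 0);` in place of the `my $tmp` / `open` pair (the `unlink $tmp` and `rename($tmp, ...)` lines stay as they are). Note that `tempfile` creates the file mode 0600, so if the installed certificate must keep the previous umask-derived permissions a `chmod` on `$tmp` before the rename is needed. Separately, nothing flushes the data to disk before `rename`, so after a crash the new name can point at a truncated file on some filesystems; a `$fh->sync or die "Can't sync: $!";` just before `$fh->close()` inside the `eval` would close that gap. The `install_cert` body is shown in full here, so no further context is needed.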