From cdd025133a306cd8d3e81aa832ac056119d65f3a Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 24 Feb 2021 20:03:44 +0100
Subject: lacme: Don't write certificate(-chain) file on chown/chmod failure.

Otherwise we end up with files with mode 0644 owned by root:root, and
subsequent lacme(8) invocations will likely not renew them for a while.

This change also saves a chown(2) call.  And the new logic (chown resp.
chmod from root:root resp. 0600) is safe if we ever include private key
material in there too.
---
 Changelog | 1 +
 1 file changed, 1 insertion(+)

(limited to 'Changelog')

diff --git a/Changelog b/Changelog
index e047ac5..2a027f1 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,7 @@ lacme (0.8.1) upstream;
 
  + lacme-accountd: improve log messages and refactor logging logic.
  + lacme-accountd: refuse to sign JWS with an invalid Protected Header.
+ + lacme: don't write certificate(-chain) file on chown/chmod failure.
  - lacme: in the [accountd] config, let lacme-accountd(1) do the
    %-expansion for 'config', not lacme(8) when building the command.
  - lacme-accountd: don't log debug messages unless --debug is set.
-- 
cgit v1.2.3