ok

Florian Obser([email protected]) on 2021.01.02 17:23:11 +0100:
> 
> Create .1 backup files when acme-client is going to overwrite a
> certificate file.
> 
> These files are not terribly big and it's convenient to keep one
> previous file around for example if one adds or removes domains to the
> certificate and then wants to revoke the previous one.
> 
> (Note that it's kinda difficult to revoke the old certificate with
> acme-client currently. The whole revoke machinery needs to be
> overhauled. I have ideas...)
> 
> Comments, OKs?
> 
> diff --git acme-client.conf.5 acme-client.conf.5
> index 3c5fd1c2362..3fdd40a5eb0 100644
> --- acme-client.conf.5
> +++ acme-client.conf.5
> @@ -149,6 +149,11 @@ The filename of the certificate that will be issued.
>  This is optional if
>  .Ar domain full chain certificate
>  is specified.
> +A backup with name
> +.Ar file.1
> +is created if
> +.Ar file
> +exists.
>  .It Ic domain chain certificate Ar file
>  The filename in which to store the certificate chain
>  that will be returned by the certificate authority.
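
Review bot: The sentence added after "is specified." does not say what happens to an existing file.1. The fileproc.c change in this patch unlinks file.1 before creating the new link, so only one previous generation is kept and the older backup is discarded on every overwrite. The text could say that the backup replaces any existing file.1. The same five lines are added under all three certificate options, so the wording change would apply to each of them.
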
> @@ -156,6 +161,11 @@ It needs to be in the same directory as the
>  .Ar domain certificate
>  (or in a subdirectory) and can be specified as a relative or absolute path.
>  This setting is optional.
> +A backup with name
> +.Ar file.1
> +is created if
> +.Ar file
> +exists.
>  .It Ic domain full chain certificate Ar file
>  The filename in which to store the full certificate chain
>  that will be returned by the certificate authority.
> @@ -170,6 +180,11 @@ in one file, and is required by most browsers.
>  This is optional if
>  .Ar domain certificate
>  is specified.
> +A backup with name
> +.Ar file.1
> +is created if
> +.Ar file
> +exists.
>  .It Ic sign with Ar authority
>  The certificate authority (as declared above in the
>  .Sx AUTHORITIES
> diff --git fileproc.c fileproc.c
> index b7cdff5525d..cc3aa293712 100644
> --- fileproc.c
> +++ fileproc.c
> @@ -34,6 +34,19 @@ serialise(const char *real, const char *v, size_t vsz, 
> const char *v2, size_t v2
>       int       fd;
>       char     *tmp;
>  
> +     /* create backup hardlink */
> +     if (asprintf(&tmp, "%s.1", real) == -1) {
> +             warn("asprintf");
> +             return 0;
> +     }
> +     (void) unlink(tmp);
> +     if (link(real, tmp) == -1 && errno != ENOENT) {
> +             warn("link");
> +             free(tmp);
> +             return 0;
> +     }
> +     free(tmp);
> +
>       /*
>        * Write into backup location, overwriting.
>        * Then atomically do the rename.
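
Review bot: In the new block at the top of serialise(), `(void) unlink(tmp);` runs before `link(real, tmp)`, so when link() fails with anything other than ENOENT the previous file.1 is already gone and the function returns 0 without writing the new certificate either. Creating the link under a temporary name and then rename(2)-ing it over file.1 would keep the old backup in place until the new one exists. Also, `warn("link")` does not name the path; `warn("%s", tmp)` before the free() would make the failure easier to diagnose. The hunk uses errno and adds no include, so check that fileproc.c already includes errno.h.
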
> 
> -- 
> I'm not entirely sure you are real.
> 
