Currently, if one of the `ln -sf` calls at the end of `sign_domain` fails, it will leave the file in an inconsistent state when some of the certificate links point to newer files while others point to older files. If the webserver is restarted at that moment, it may end up with a wrong, non-working SSL config.
A possible workaround is to create a directory like `links.$timestamp` and place the symlinks there. Then have a symlink like `links` pointing to `links.$timestamp`. Then make `privkey.pem` etc. point to `links/privkey.pem`, which in turn will point to `prevkey.timestamp.pem`. This way only the single link `links` will need to be updated to point to the new `links.$timestamp`, and that is atomic.
A variation of that is to place all generated files into a `cert.$timestamp` directory and have a symlink like `current` that points to this directory. This is simpler, but is not compatible with current setups.
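A sketch of the `links.$timestamp` layout proposed above, as an added example that is not part of the original issue or the project's code. The function names and the `name-$timestamp.pem` file naming are assumptions, and the switch uses `mv -T` from GNU coreutils so that replacing `links` is a single rename.

```shell
#!/bin/sh
# Added example: publish_links and the file layout are assumptions, not the project's code.
# Needs GNU coreutils for `mv -T` (rename(2) onto the destination, never into it).

# replace_link TARGET LINKPATH: create or replace LINKPATH in one rename.
replace_link() {
    tmp="$2.tmp.$$"
    ln -s "$1" "$tmp" || return 1
    mv -T "$tmp" "$2" || { rm -f "$tmp"; return 1; }
}

# publish_links CERTDIR TS: expects CERTDIR/{privkey,cert,chain,fullchain}-TS.pem.
publish_links() {
    certdir=$1 ts=$2 gen="links.$2"

    # 1. Build the new generation off to the side. Nothing the server reads
    #    points here yet, so a failure leaves the live set untouched.
    mkdir "$certdir/$gen" || return 1
    for name in privkey cert chain fullchain; do
        if [ ! -s "$certdir/$name-$ts.pem" ] ||
           ! ln -s "../$name-$ts.pem" "$certdir/$gen/$name.pem"; then
            rm -rf "${certdir:?}/$gen"
            return 1
        fi
    done

    # 2. Commit point: one rename moves every name to the new generation.
    replace_link "$gen" "$certdir/links" || return 1

    # 3. Stable names the web server is configured with. Only the first run
    #    rewrites them; afterwards they already resolve through "links".
    for name in privkey cert chain fullchain; do
        [ "$(readlink "$certdir/$name.pem" 2>/dev/null)" = "links/$name.pem" ] && continue
        replace_link "links/$name.pem" "$certdir/$name.pem" || return 1
    done
    return 0
}
```

If any file of the new generation is missing or empty, the function returns non-zero before step 2 and the previous certificate set keeps being served as a consistent whole.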