Creation of *.pem symlinks is not atomic #564

Open
opened 2025-12-29 01:27:20 +01:00 by adam · 0 comments
Originally created by @ibukanov on GitHub (Dec 26, 2021).

Currently, if one of the `ln -sf` calls at the end of `sign_domain` fails, it will leave the files in an inconsistent state where some of the certificate links point to newer files while others point to older files. If the webserver is restarted at that moment, it may end up with a wrong, non-working SSL config.

A possible workaround is to create a directory like `links.$timestamp` and place the symlinks there. Then have a symlink like `links` pointing to `links.$timestamp`. Then make `privkey.pem` etc. point to `links/privkey.pem`, which in turn will point to `privkey.$timestamp.pem`. This way only a single link, `links`, will need to be updated to point to the new `links.$timestamp`, and that is atomic.

A variation of that is to place all generated files into a `cert.$timestamp` directory and have a symlink like `current` that points to this directory. This is simpler, but is not compatible with current setups.
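The first workaround above, written out as an added shell example (this is not dehydrated's own code). It assumes per-generation files named `privkey-$ts.pem`, `cert-$ts.pem`, `chain-$ts.pem` and `fullchain-$ts.pem`; the helper names `publish_links`, `current_ts` and `demo_atomic_swap` are constructed for the example, and `mv -T` is the GNU coreutils flag that makes the final swap a plain rename(2).

```shell
# publish_links DIR TS: stage per-file symlinks in DIR/links.TS, then swap the
# single stable symlink DIR/links onto it with one rename(2). The stable names
# (privkey.pem, cert.pem, chain.pem, fullchain.pem) point into links/ and are
# created once, so a reader sees a complete old set or a complete new set.
# The $f-$ts.pem layout and all helper names are constructed for this example.
publish_links() {
  dir=$1
  ts=$2
  staged="links.$ts"
  mkdir "$dir/$staged" || return 1
  for f in privkey cert chain fullchain; do
    [ -f "$dir/$f-$ts.pem" ] || { echo "missing $f-$ts.pem" >&2; return 1; }
    # per-file links are created in the staging dir, never in the live tree
    ln -s "../$f-$ts.pem" "$dir/$staged/$f.pem" || return 1
    # stable name -> links/<f>.pem; created only if absent (dangles until first swap)
    [ -L "$dir/$f.pem" ] || ln -s "links/$f.pem" "$dir/$f.pem" || return 1
  done
  # Build the new top-level link under a temporary name, then rename it over the
  # live one: rename(2) replaces the symlink entry itself, atomically. GNU mv -T
  # keeps mv from moving the temp link *into* the old links/ directory instead.
  ln -s "$staged" "$dir/links.tmp.$$" || return 1
  mv -T "$dir/links.tmp.$$" "$dir/links" || { rm -f "$dir/links.tmp.$$"; return 1; }
}

# current_ts DIR: print the generation all four stable names resolve to, or
# "inconsistent" if they disagree (the state the issue describes).
current_ts() {
  dir=$1
  seen=
  for f in privkey cert chain fullchain; do
    t=$(cat "$dir/$f.pem") || return 1
    [ -z "$seen" ] || [ "$seen" = "$t" ] || { echo inconsistent; return 1; }
    seen=$t
  done
  echo "$seen"
}

# demo_atomic_swap: constructed two-generation layout in a temp dir; prints the
# generation the stable names resolve to after the second publish.
demo_atomic_swap() {
  work=$(mktemp -d) || return 1
  for ts in 1640000000 1640100000; do
    for f in privkey cert chain fullchain; do
      printf '%s' "$ts" > "$work/$f-$ts.pem"   # placeholder "certificate" content
    done
    publish_links "$work" "$ts" || return 1
  done
  current_ts "$work"
  rm -rf "$work"
}
```

Because the only live mutation is the final rename of `links`, a failure anywhere earlier leaves the previous generation fully intact, and a webserver restart during the run loads either the old set or the new set, never a mix.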


Reference: starred/dehydrated#564