Improve certificate renewal script with atomic file updates

- Write combined certificates to temporary file first - Verify file is not empty before moving to final location - Use atomic mv operation to prevent HAProxy from reading partial files - Add proper cleanup of temporary files on all error paths - Matches robust patterns from haproxy_manager.py 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-19 19:27:40 -08:00
parent 71f4b9ef05
commit adc20d6d0b
1 changed files with 21 additions and 3 deletions
--- a/scripts/renew-certificates.sh
+++ b/scripts/renew-certificates.sh
@@ -132,11 +132,29 @@ update_combined_certificates() {
        fi

        # Combine certificate and key into single file for HAProxy
-        if cat "$letsencrypt_cert" "$letsencrypt_key" > "$cert_path"; then
-            log_info "Updated combined certificate for $domain at $cert_path"
-            updated_count=$((updated_count + 1))
+        # HAProxy requires fullchain.pem followed by privkey.pem in a single file
+        # Write to temp file first, then move to ensure atomic update
+        local temp_cert="${cert_path}.tmp"
+        if cat "$letsencrypt_cert" "$letsencrypt_key" > "$temp_cert"; then
+            # Verify the combined file is not empty and contains valid data
+            if [ -s "$temp_cert" ]; then
+                # Atomically move to final location
+                if mv "$temp_cert" "$cert_path"; then
+                    log_info "Updated combined certificate for $domain at $cert_path"
+                    updated_count=$((updated_count + 1))
+                else
+                    log_error "Failed to move combined certificate for $domain to $cert_path"
+                    rm -f "$temp_cert"
+                    error_count=$((error_count + 1))
+                fi
+            else
+                log_error "Combined certificate file for $domain is empty"
+                rm -f "$temp_cert"
+                error_count=$((error_count + 1))
+            fi
        else
            log_error "Failed to combine certificate files for $domain"
+            rm -f "$temp_cert"
            error_count=$((error_count + 1))
        fi
    done <<< "$domains"