From adc20d6d0bea607840b65c75a8317766079c87a7 Mon Sep 17 00:00:00 2001
From: jknapp <jknapp85@gmail.com>
Date: Wed, 19 Nov 2025 19:27:40 -0800
Subject: [PATCH] Improve certificate renewal script with atomic file updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Write combined certificates to temporary file first
- Verify file is not empty before moving to final location
- Use atomic mv operation to prevent HAProxy from reading partial files
- Add proper cleanup of temporary files on all error paths
- Matches robust patterns from haproxy_manager.py

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 scripts/renew-certificates.sh | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/scripts/renew-certificates.sh b/scripts/renew-certificates.sh
index 6331233..1bc41fc 100644
--- a/scripts/renew-certificates.sh
+++ b/scripts/renew-certificates.sh
@@ -132,11 +132,29 @@ update_combined_certificates() {
         fi
 
         # Combine certificate and key into single file for HAProxy
-        if cat "$letsencrypt_cert" "$letsencrypt_key" > "$cert_path"; then
-            log_info "Updated combined certificate for $domain at $cert_path"
-            updated_count=$((updated_count + 1))
+        # HAProxy requires fullchain.pem followed by privkey.pem in a single file
+        # Write to temp file first, then move to ensure atomic update
+        local temp_cert="${cert_path}.tmp"
+        if cat "$letsencrypt_cert" "$letsencrypt_key" > "$temp_cert"; then
+            # Verify the combined file is not empty and contains valid data
+            if [ -s "$temp_cert" ]; then
+                # Atomically move to final location
+                if mv "$temp_cert" "$cert_path"; then
+                    log_info "Updated combined certificate for $domain at $cert_path"
+                    updated_count=$((updated_count + 1))
+                else
+                    log_error "Failed to move combined certificate for $domain to $cert_path"
+                    rm -f "$temp_cert"
+                    error_count=$((error_count + 1))
+                fi
+            else
+                log_error "Combined certificate file for $domain is empty"
+                rm -f "$temp_cert"
+                error_count=$((error_count + 1))
+            fi
         else
             log_error "Failed to combine certificate files for $domain"
+            rm -f "$temp_cert"
             error_count=$((error_count + 1))
         fi
     done <<< "$domains"