Fixes #52 - Ensure key/cert are in a consistent state despite errors (#53)

zsteinkamp · web-flow · commit d827cd660056 · 2024-03-25T11:55:13.000-07:00
* Fixes #52 - Ensure an error during cert renewal does not leave the system in a failure state * fixup CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,5 @@
 # Changelog
 
-## 1.0.0 (Month Date, Year)
+## 1.0.0 (March 25, 2024)
 
-Initial release of the NGINX template repository.
+Initial release of njs-acme.
diff --git a/src/index.ts b/src/index.ts
@@ -88,6 +88,7 @@ async function clientAutoModeInternal(
   }
 
   const pkeyPath = joinPaths(prefix, commonName + KEY_SUFFIX)
+  const tempPkeyPath = pkeyPath + '.tmp'
   const csrPath = joinPaths(prefix, commonName + CERTIFICATE_REQ_SUFFIX)
   const certPath = joinPaths(prefix, commonName + CERTIFICATE_SUFFIX)
 
@@ -168,8 +169,8 @@ async function clientAutoModeInternal(
       csr.keys.privateKey
     )) as ArrayBuffer
     pkeyPem = toPEM(privKey, 'PRIVATE KEY')
-    fs.writeFileSync(pkeyPath, pkeyPem)
-    log.info(`Wrote private key to ${pkeyPath}`)
+    fs.writeFileSync(tempPkeyPath, pkeyPem)
+    log.info(`Wrote private key to ${tempPkeyPath}`)
 
     const challengePath = acmeChallengeDir(r)
 
@@ -204,6 +205,8 @@ async function clientAutoModeInternal(
     certInfo = await readCertificateInfo(certificatePem)
     fs.writeFileSync(certPath, certificatePem)
     log.info(`Wrote certificate to ${certPath}`)
+    fs.renameSync(tempPkeyPath, pkeyPath)
+    log.info(`Renamed ${tempPkeyPath} to ${pkeyPath}`)
 
     // Purge the cert/key in the shared dict zone if applicable
     purgeCachedCertKey(r)
