use traps and fix potentially wrong permissions
authorAndreas Bilke <abilke@cosy.sbg.ac.at>
Wed, 16 Nov 2016 11:07:35 +0000 (12:07 +0100)
committerAndreas Bilke <abilke@cosy.sbg.ac.at>
Wed, 16 Nov 2016 11:07:35 +0000 (12:07 +0100)
dns/rotate-ksk-end
dns/rotate-ksk-start
dns/rotate-zsk
letsencrypt-helper/refresh-acme-certificate
letsencrypt-helper/refresh-acme-certificate-standalone
misc/create-dhparams

index 1e3638b..4b2023f 100755 (executable)
@@ -58,5 +58,8 @@ fi
 # inactivate in one week, delete in two weeks
 $SETTIME -I +604800 -D +1209600 $KEYFILE
 
+# just to be sure that bind can read everything
+chown "bind:bind" "$KEYFILE"
+
 service bind9 reload
 
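Review bot: The added `chown "bind:bind" "$KEYFILE"` discards its exit status, so the ownership fix this commit exists to guarantee can fail silently; the `chown "bind:bind" "$ACTIVEKEY"` added in the rotate-zsk hunk has the same gap. `dnssec-settime` accepts a key's base name and updates both its `.key` and `.private` halves, so if `$KEYFILE` (and `$ACTIVEKEY`) hold that base name rather than one concrete file, a single chown covers at most one path — note that the surrounding rotate-zsk lines chown `.key` and `.private` separately; both variables are assigned outside the hunk, so this needs confirming. Suggest `chown "bind:bind" "$KEYFILE" || exit 1` here and the equivalent for `$ACTIVEKEY`, and since chown changes only the owner, a comment stating the mode the `.private` file is expected to keep (or an explicit `chmod`) would make the "bind can read everything" intent checkable.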
index f191ced..cce804a 100755 (executable)
@@ -71,3 +71,4 @@ service bind9 reload
 echo "Don't forget to send KSK to upstream and use rotate-ksk-stop"
 grep "DNSKEY" $KEYFILE
 $DSCREATE $KEYFILE
+
index 1717e15..23f8714 100755 (executable)
@@ -67,4 +67,7 @@ echo "Setting owner on generated key"
 chown "bind:bind" "$DNSSEC_KEYS/$KEYNAME.key"
 chown "bind:bind" "$DNSSEC_KEYS/$KEYNAME.private"
 
+# just to be sure
+chown "bind:bind" "$ACTIVEKEY"
+
 service bind9 reload
index 5f5afd0..b1cee9e 100755 (executable)
@@ -75,13 +75,13 @@ then
     exit 0
 fi
 
-
 TMP_SIGNED_CERT=`mktemp` || exit 1
+trap "rm -f $TMP_SIGNED_CERT" EXIT
+
 ACME_TINY_COMMAND="python $ACME_TINY_PROG --account-key $ACME_ACCOUNT_KEY --csr $CSR --acme-dir $ACME_DIR"
 echo "Starting acme-tiny client"
 su -c "$ACME_TINY_COMMAND" -s /bin/sh letsencrypt > $TMP_SIGNED_CERT
 cat $TMP_SIGNED_CERT $PUBLIC_KEY_DIR/letsencrypt-intermediate.pem > "$PUBLIC_KEY_DIR/$DOMAIN.intermediate.pem"
-rm $TMP_SIGNED_CERT
 
 if [ -d "$HOOKS_DIR" ];
 then
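Review bot: The `su -c "$ACME_TINY_COMMAND" -s /bin/sh letsencrypt > $TMP_SIGNED_CERT` status is still unchecked, so when acme-tiny fails the temp file is empty and the following `cat` overwrites `$PUBLIC_KEY_DIR/$DOMAIN.intermediate.pem` with the intermediate alone, replacing a working chain; now that the EXIT trap handles cleanup the script can bail out without leaking: `su -c "$ACME_TINY_COMMAND" -s /bin/sh letsencrypt > "$TMP_SIGNED_CERT" || exit 1`. The trap string is double-quoted, so the path is expanded at definition time and then word-split unquoted when the trap runs; `trap 'rm -f -- "$TMP_SIGNED_CERT"' EXIT` keeps it as one word. Both points apply unchanged to the refresh-acme-certificate-standalone hunk.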
index bb0cebc..f320359 100755 (executable)
@@ -93,11 +93,12 @@ SERVER_COMMAND="$ACME_TINY_RESPONDER --web-root $ACME_DIR --port $SERVER_PORT"
 su -s /bin/bash -c "$SERVER_COMMAND" letsencrypt &
 
 TMP_SIGNED_CERT=`mktemp` || exit 1
+trap "rm -f $TMP_SIGNED_CERT" EXIT
+
 ACME_TINY_COMMAND="python $ACME_TINY_PROG --account-key $ACME_ACCOUNT_KEY --csr $CSR_DIR/$DOMAIN.csr --acme-dir $ACME_DIR"
 echo "Starting acme-tiny client"
 su -c "$ACME_TINY_COMMAND" -s /bin/sh letsencrypt > $TMP_SIGNED_CERT
 cat $TMP_SIGNED_CERT $PUBLIC_KEY_DIR/letsencrypt-intermediate.pem > "$PUBLIC_KEY_DIR/$DOMAIN.intermediate.pem"
-rm $TMP_SIGNED_CERT
 
 echo "Kill acme-http-responder"
 kill -TERM `pgrep -u letsencrypt`
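Review bot: The new EXIT trap removes the temp file but leaves the responder started by `su -s /bin/bash -c "$SERVER_COMMAND" letsencrypt &` running whenever the script exits before the `kill -TERM` line at the end, including the `mktemp || exit 1` path two lines below it. Capturing the job's PID and setting the trap directly after the background `su` covers every exit and avoids signalling every process of the letsencrypt user via `pgrep`: `RESPONDER_PID=$!` then `trap 'kill -TERM "$RESPONDER_PID" 2>/dev/null' EXIT`, extended with `rm -f -- "$TMP_SIGNED_CERT"` once the temp file exists. `$!` is the PID of `su` rather than of the responder it spawns, so whether TERM reaches the child depends on the `su` implementation and should be verified. The unchecked status of `su -c "$ACME_TINY_COMMAND"` before the `cat` is the same issue raised on the refresh-acme-certificate hunk.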
index ce5671f..30b91ff 100755 (executable)
@@ -51,10 +51,10 @@ else
 fi
 
 TEMPFILE=$( mktemp )
+trap "rm -f $TEMPFILE" EXIT
 
 openssl dhparam -out $TEMPFILE $DH_SIZE
 cp $TEMPFILE $DH_PARAM_FILE
-rm $TEMPFILE
 
 systemctl restart $SERVICE