From 805eb9791eb1c8a14ef70ea7c444ab08358db253 Mon Sep 17 00:00:00 2001
From: Ivan Mahonin
Date: Aug 24 2025 11:48:55 +0000
Subject: concatenated keys
---
diff --git a/example.com.cron-task.sh b/example.com.cron-task.sh
index 7777a3e..5a8d4ba 100755
--- a/example.com.cron-task.sh
+++ b/example.com.cron-task.sh
@@ -6,4 +6,4 @@ set -e
 "/etc/nginx/certs/example.com" \
 "/CN=example.com" \
 "subjectAltName=DNS:example.com,DNS:www.example.com" \
- &>> "/var/log/acmeclient/example.com.log"
+ 2>&1 | tee -a "/var/log/acmeclient/example.com.log"
diff --git a/generate-and-sign-cert.sh b/generate-and-sign-cert.sh
index 1d1d341..15f0896 100755
--- a/generate-and-sign-cert.sh
+++ b/generate-and-sign-cert.sh
@@ -10,7 +10,7 @@ SUBJ="$2"
 EXT="$3"
 RELOADCMD="$4"
 FORCE="$5"
-TMP_DIR="/tmp"
+TMP_DIR="/home/acmeclient/acmeclient-root/tmp"
 if [ -z "$CERTS_DIR" ] || [ -z "$SUBJ" ]; then
 echo "Usage:"
@@ -28,6 +28,7 @@ BASE_DIR=$(cd `dirname "$0"`; pwd)
 NAME=`date +%Y-%m-%d--%H-%M-%S--%N`
 PREFIX="$CERTS_DIR/$NAME"
 TMP_PREFIX="$TMP_DIR/$NAME"
+DEFUMASK="$(umask)"
 if openssl x509 -checkend 864000 -noout -in "$CERTS_DIR/public.crt"; then
 echo " -------------------------------------------- "
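Review bot: Piping into `tee -a` makes the cron task's exit status that of `tee`, so a failing run of the cert script (the command being redirected starts above the hunk) no longer trips the file's `set -e` and is no longer reported to cron as a failure, whereas the old `&>>` redirection preserved the script's status. Add `set -o pipefail` next to `set -e`, or read the real status from `"${PIPESTATUS[0]}"` right after the pipeline, so a renewal that fails does not go unnoticed. The switch to `tee` also copies every run's output to stdout, which presumably is intended so cron mails it; if only failures should be mailed, keep the output log-only.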
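Review bot: `TMP_DIR` now points to a fixed path that, judging by its name only, sits inside the `acmeclient` user's home tree, but nothing in the script creates the directory or checks who may write to it; the `cp` and `echo -n >` in the signing hunk of generate-and-sign-cert.sh simply fail if it is missing, and if `$ACMEUSER` can create entries there, the root-created `.crt` that root later `mv`s into `$CERTS_DIR` and `chown`s could be replaced between those steps. Add after the assignment `mkdir -p "$TMP_DIR"`, `chown root:"$ACMEUSER" "$TMP_DIR"` and `chmod 0750 "$TMP_DIR"`, so the directory is root-owned and only readable by the signing user while the pre-created 0660 file remains the only thing that user can write. Moving out of the shared `/tmp` is the right direction; this just pins down the assumption the new code relies on.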
@@ -47,26 +48,26 @@ echo " begin $PREFIX "
 echo " -------------------------------------------- "
 mkdir -p "$CERTS_DIR"
+umask 0177
 openssl req -newkey rsa:4096 -sha512 -nodes \
 -keyout "$PREFIX.key" \
 -out "$PREFIX.csr" \
 -subj "$SUBJ" \
 -reqexts san \
 -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo $EXT)
+umask "$DEFUMASK"
+chmod 644 "$PREFIX.csr"
+cp "$PREFIX.csr" "$TMP_PREFIX.csr"
+echo -n > "$TMP_PREFIX.crt"
+chmod 660 "$TMP_PREFIX.crt"
+chown root:$ACMEUSER "$TMP_PREFIX.crt"
-chmod 600 "$PREFIX.key"
-touch "$PREFIX.crt"
-chown "$ACMEUSER":"$ACMEUSER" "$PREFIX.crt"
-
-sudo -u "$ACMEUSER" "$BASE_DIR/sign-cert.py" "$PREFIX.csr" "$TMP_PREFIX.crt"
-cp "$TMP_PREFIX.crt" "$PREFIX.crt"
-rm "$TMP_PREFIX.crt"
-
-
-chown root:root "$PREFIX.crt"
+sudo -u "$ACMEUSER" "$BASE_DIR/sign-cert.py" "$TMP_PREFIX.csr" "$TMP_PREFIX.crt"
+rm "$TMP_PREFIX.csr"
+mv "$TMP_PREFIX.crt" "$PREFIX.crt"
 chmod 644 "$PREFIX.crt"
-
+chown root:root "$PREFIX.crt"
 echo "compare modulus"
 MODULUS_CRT=`openssl x509 -noout -modulus -in "$PREFIX.crt"`
@@ -80,12 +81,17 @@ echo "ok"
 echo "verify certificate"
 openssl verify -CAfile "$PREFIX.crt" "$PREFIX.crt"
+echo "concatenate key and cert"
+umask 0177
+cat "$PREFIX.key" "$PREFIX.crt" > "$PREFIX.pem"
+umask "$DEFUMASK"
+
 echo "update symlinks"
-chown :$WWWGROUP "$PREFIX.key"
-chmod g+r "$PREFIX.key"
-cd "$CERTS_DIR"
-ln -fs "$NAME.key" "private.key"
-ln -fs "$NAME.crt" "public.crt"
+chown :$WWWGROUP "$PREFIX.key" "$PREFIX.pem"
+chmod g+r "$PREFIX.key" "$PREFIX.pem"
+ln -frs "$PREFIX.key" "$CERTS_DIR/private.key"
+ln -frs "$PREFIX.pem" "$CERTS_DIR/private.pem"
+ln -frs "$PREFIX.crt" "$CERTS_DIR/public.crt"
 echo "reload services"
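Review bot: `chown root:$ACMEUSER "$TMP_PREFIX.crt"` leaves `$ACMEUSER` unquoted while the neighbouring `sudo -u "$ACMEUSER"` quotes it; write `chown root:"$ACMEUSER" "$TMP_PREFIX.crt"`. The `.crt` is pre-created empty and then `mv`d into `$CERTS_DIR` without checking that `sign-cert.py` actually wrote a certificate into it, so a parse check before the move, `openssl x509 -noout -in "$TMP_PREFIX.crt" || exit 1`, keeps an empty or malformed file out of the cert directory regardless of whether the modulus comparison below aborts on mismatch, which this hunk does not show. The explicit `chmod 600 "$PREFIX.key"` is gone, so the key's 0600 mode now rests entirely on the `umask 0177` in force while `openssl req` runs; a comment such as `# umask 0177: key and csr are created 0600; the csr is opened up below` would make that dependency obvious to the next editor.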
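Review bot: `chown :$WWWGROUP "$PREFIX.key" "$PREFIX.pem"` and the `chmod g+r` after it leave `$WWWGROUP` unquoted; use `"$WWWGROUP"` as the script does for `$ACMEUSER`. Dropping `cd "$CERTS_DIR"` in favour of `ln -frs` with absolute targets also means the working directory is no longer `$CERTS_DIR` when `$RELOADCMD` runs below the hunk, which matters only if that command relied on it, and `ln -r` is a GNU coreutils option, so the script is now GNU-only where the old `cd` plus `ln -fs` form was portable. Since `private.pem` now carries the private key, a comment next to the new link, e.g. `# private.pem = key + cert in one file, 0640 root:$WWWGROUP like private.key`, would record what consumers may read it and with which mode.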