
Creating of *.pem of symlinks is not atomic #858

Open
ibukanov opened this issue Dec 26, 2021 · 0 comments
Currently, if one of the `ln -sf` calls at the end of `sign_domain` fails, it will leave the files in an inconsistent state where some of the certificate links point to newer files while others point to older files. If the webserver is restarted at that moment, it may end up with a wrong, non-working SSL config.

A possible workaround is to create a directory like `links.$timestamp` and place the symlinks there. Then have a symlink like `links` pointing to `links.$timestamp`. Then make `privkey.pem` etc. point to `links/privkey.pem`, which in turn will point to `privkey.timestamp.pem`. This way only the single link `links` will need to be updated to point to the new `links.$timestamp`, and that is atomic.

A variation of that is to place all generated files into a `cert.$timestamp` directory and have a symlink like `current` that points to this directory. This is simpler, but is not compatible with current setups.
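
The `cert.$timestamp` plus `current` variation described in the issue, sketched as an added example; it is not part of the issue and not dehydrated's code. The helper name `publish_cert_set`, the temporary link name, and the file list beyond `privkey.pem` are assumptions, and `mv -T` assumes GNU coreutils.

```sh
# Added example (not dehydrated code). Layout taken from the issue:
#   CERTDIR/cert.TIMESTAMP/*.pem   and   CERTDIR/current -> cert.TIMESTAMP
# Assumed file set; the issue names only privkey.pem.
PEM_FILES="privkey.pem cert.pem chain.pem fullchain.pem"

# publish_cert_set CERTDIR TIMESTAMP SRCDIR   (hypothetical helper)
publish_cert_set() {
  local certdir="$1" ts="$2" src="$3" f
  local new="cert.$ts" tmp="current.tmp.$$"

  # Refuse to publish an incomplete or empty set.
  for f in $PEM_FILES; do
    [ -s "$src/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
  done

  # Stage every file in a fresh directory that nothing points to yet.
  mkdir -m 700 "$certdir/$new" || return 1
  for f in $PEM_FILES; do
    cp -p "$src/$f" "$certdir/$new/$f" || { rm -rf "$certdir/$new"; return 1; }
  done

  # Create the new link under a temporary name, then rename it over
  # 'current'. rename(2) replaces the old link in one step, so a reader
  # sees either the old set or the new one. -T (GNU mv) stops mv from
  # following 'current' and moving the link into the old directory.
  ln -s "$new" "$certdir/$tmp" || { rm -rf "$certdir/$new"; return 1; }
  mv -T "$certdir/$tmp" "$certdir/current" || {
    rm -f "$certdir/$tmp"; rm -rf "$certdir/$new"; return 1
  }
}
```

With this layout the webserver configuration references `CERTDIR/current/privkey.pem` and the other files through `current`, so a restart at any moment sees one complete certificate set.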
