From a8a5672c34cdd17584c739f9360a8740ee433368 Mon Sep 17 00:00:00 2001
From: "John W. O'Brien"
Date: Thu, 8 Feb 2018 17:58:12 -0500
Subject: [PATCH] Set secure umask when generating key

---
 acme.sh | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/acme.sh b/acme.sh
index a21b24e7..61409d77 100755
--- a/acme.sh
+++ b/acme.sh
@@ -979,13 +979,16 @@ _createkey() {
 fi
 fi
 
- if _isEccKey "$length"; then
- _debug "Using ec name: $eccname"
- ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
- else
- _debug "Using RSA: $length"
- ${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null >"$f"
- fi
+ (
+ umask 0077
+ if _isEccKey "$length"; then
+ _debug "Using ec name: $eccname"
+ ${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null >"$f"
+ else
+ _debug "Using RSA: $length"
+ ${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null >"$f"
+ fi
+ )
 
 if [ "$?" != "0" ]; then
 _err "Create key error."
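Review bot: The `umask 0077` added at the top of the subshell only restricts the mode of a file that is newly created, so if `$f` already exists when `>"$f"` truncates it (for example when a key is regenerated in place — I cannot tell from the hunk whether callers allow that), the old, possibly group- or world-readable mode is kept and the private key is still written into it. To make the new umask effective in that case, remove any stale file before the redirection, e.g. `rm -f -- "$f"` immediately after the `umask 0077` line, or follow the subshell with an explicit `chmod 0600 -- "$f"` placed so it does not mask the openssl exit status that `if [ "$?" != "0" ]` tests. A one-line comment such as `# key material: restrict mode at creation time (umask), not after the fact` above the `(` would record why the subshell exists. The enclosing `_createkey()` begins and ends outside this hunk.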