From c1c1921dde6e907b42bce04f118fc36c237fa84c Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Thu, 4 Jun 2020 21:43:29 +0000
Subject: [PATCH] make sure the private key is never world-readable

1. Set the private to chmod 0600 on creation.
2. Avoid possible race condition by setting the private
   key backup to 0600 _first_ and then saving the key.
3. Reset existing backup key to chmod 0600 before
   saving the new key.
---
 acme.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/acme.sh b/acme.sh
index 97d71a22..a079fae6 100755
--- a/acme.sh
+++ b/acme.sh
@@ -1076,6 +1076,8 @@ _createkey() {
     fi
   fi
 
+  chmod 600 "$f"
+
   if _isEccKey "$length"; then
     _debug "Using ec name: $eccname"
     if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
@@ -5265,10 +5267,12 @@ _installcert() {
       cp "$_real_key" "$_backup_path/key.bak"
     fi
     if [ -f "$_real_key" ]; then
+      chmod 600 "$_real_key"
       cat "$CERT_KEY_PATH" >"$_real_key" || return 1
     else
-      cat "$CERT_KEY_PATH" >"$_real_key" || return 1
+      touch "$_real_key"
       chmod 600 "$_real_key"
+      cat "$CERT_KEY_PATH" >"$_real_key" || return 1
     fi
   fi