From 256beb31ce4c2db9cd0a9f5afe14f893a4be24b1 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Tue, 14 Jan 2020 09:17:14 +0100
Subject: rotate-keys: use new server keys immediately
---
 rotate-keys.in | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rotate-keys.in b/rotate-keys.in
index 9299af7..8255729 100644
--- a/rotate-keys.in
+++ b/rotate-keys.in
@@ -45,6 +45,10 @@ host_key_files=$(
 if [ "$(whoami)" != "${certificate_user}" ]; then
 if [ "$(whoami)" = 'root' ]; then
+ chown -R "${certificate_user}" "${key_dir}"
+ su "${certificate_user}" -s /bin/bash -c "${me}" \
+ || exit $?
+
 updated_something=false
 for host_key_file in ${host_key_files}; do
 if [ -f "${key_dir}/${host_key_file}.key.new" ] \
@@ -68,8 +72,6 @@ if [ "$(whoami)" != "${certificate_user}" ]; then
 systemctl try-restart nginx
 fi
- chown -R "${certificate_user}" "${key_dir}"
- su "${certificate_user}" -s /bin/bash -c "${me}"
 exit $?
 fi
 >&2 printf 'only root can su %s\n' "${certificate_user}"
--
cgit v1.2.3-54-g00ecf
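Review bot: The added `chown -R "${certificate_user}" "${key_dir}"` is not checked the way the `su` call after it is, so unless `set -e` is active outside this hunk a failed chown still lets the unprivileged run and the root-side handling of the `.key.new` files go ahead; `chown -R "${certificate_user}" "${key_dir}" || exit $?` would match the next line. Because root recurses into a directory that the certificate user can write to, it is also worth spelling the link handling out as `chown -hR` rather than relying on the implementation's default for symlinks. With the `su` moved up, the `exit $?` kept at the end of this branch (context in the second hunk) no longer returns su's status but that of the preceding `if … fi` around `systemctl try-restart nginx`; a short comment there, or an explicit status variable, would make the intended exit code clear. The enclosing `if` block starts before and ends after this hunk.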