Back up old client.pem files

For post-mortems, let's make a backup of the client
certificate before renewing them.

Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

diff --git a/lib/tools/ssl_update.py b/lib/tools/ssl_update.py
index 36453d2..3764e2d 100644 (file)
--- a/lib/tools/ssl_update.py
+++ b/lib/tools/ssl_update.py
@@ -100,7 +100,6 @@ def RegenerateClientCertificate(
   # The hostname of the node is provided with the input data.
   hostname = data.get(constants.NDS_NODE_NAME)
 
-  # TODO: make backup of the file before regenerating.
   utils.GenerateSignedSslCert(client_cert, serial_no, signing_cert,
                               common_name=hostname)
 

diff --git a/lib/utils/x509.py b/lib/utils/x509.py
index 63ded07..dde88f9 100644 (file)
--- a/lib/utils/x509.py
+++ b/lib/utils/x509.py
@@ -386,7 +386,7 @@ def GenerateSignedSslCert(filename_cert, serial_no,
       common_name, validity * 24 * 60 * 60, serial_no, signing_cert_pem)
 
   utils_io.WriteFile(filename_cert, mode=0440, data=key_pem + cert_pem,
-                     uid=uid, gid=gid)
+                     uid=uid, gid=gid, backup=True)
   return (key_pem, cert_pem)