From 28ab4e8a448604aa869b850b4d7eed292ad80026 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20D=C3=BCsterhaupt?=
Date: Sat, 11 Apr 2026 11:57:56 +0200
Subject: [PATCH] Fix chain cleanup order after fullchain creation

---
 dyntls.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/dyntls.sh b/dyntls.sh
index e6c7227..b4a597a 100644
--- a/dyntls.sh
+++ b/dyntls.sh
@@ -1093,10 +1093,6 @@ _create_cert() {
 _log "Moving issued certificate to target: $DYNTLS_DOMAIN_TARGET_CERT" 2
 mv "$out_file_tmp" "$DYNTLS_DOMAIN_TARGET_CERT"
 
- # Remove temporary file(s)
- _log "Removing ACME chain file: $DYNTLS_LE_TMP_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_TMP_CHAIN_SUFFIX" 1
- rm -f "$DYNTLS_LE_TMP_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_TMP_CHAIN_SUFFIX"
-
 # Create fullchain file choosing correct chain (R12 vs R13)
 #issuer_CN=$(openssl x509 -noout -issuer -in "$DYNTLS_DOMAIN_TARGET_CERT" | sed -n 's/^issuer=.*CN=//p')
 #_log "Detected issuer CN for chain selection: $issuer_CN" 1
@@ -1128,6 +1124,10 @@ _create_cert() {
 chmod 640 "$chain_path" "$fullchain_path"
 #chmod 640 "$DYNTLS_PKI_HTTP_CERT_DIR"/*.pem*
 
+ # Remove temporary file(s)
+ _log "Removing ACME chain file: $DYNTLS_LE_TMP_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_TMP_CHAIN_SUFFIX" 1
+ rm -f "$DYNTLS_LE_TMP_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_TMP_CHAIN_SUFFIX"
+
 # Copy or link the server key AFTER cert is issued
 KeyFile="$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_KEY_SUFFIX"
 _log "Planned server key path: $KeyFile" 1
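Review bot: The relocated `rm -f` in the second hunk (`@@ -1128,6 +1124,10 @@`) still runs unconditionally after `chmod 640 "$chain_path" "$fullchain_path"`, so nothing visible here confirms that the fullchain was actually written before its ACME chain input is deleted. The code that builds the chain files sits between the two hunks and is not shown; if it can fail without aborting `_create_cert`, the temporary chain is gone and a retry presumably has nothing to work from. Consider guarding the removal with `if [ -s "$fullchain_path" ]; then rm -f -- "$tmp_chain"; fi`. Assigning `tmp_chain="$DYNTLS_LE_TMP_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_TMP_CHAIN_SUFFIX"` once as a local would also keep the log line and the `rm` from drifting apart. `_create_cert` starts and ends outside the hunk.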