From bd34efc598ef9ec743f3812ea964945a859eece9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20D=C3=BCsterhaupt?=
Date: Sat, 28 Mar 2026 10:33:05 +0100
Subject: [PATCH] Make HTTP and service key symlinks relative to base.key.pem
---
 dyntls.sh | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/dyntls.sh b/dyntls.sh
index 081766e..215cbb3 100644
--- a/dyntls.sh
+++ b/dyntls.sh
@@ -29,9 +29,10 @@
 # Project Home: https://dev.town-square.de/cb601/dyntls
 #
 ###############################################################################
+
 # MIT License
 #
-# Copyright (c) 2025 CB-601 - the open tec Elevator
+# Copyright (c) 2026 CB-601 - the open tec Elevator
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -875,12 +876,13 @@ _ProvideCertDomainService() {
 # Provide server key: either symlink to base or copy unique key
 KeyPath="$EffectivePkiDir/private/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_KEY_SUFFIX"
+
 if [ "$DYNTLS_PKI_KEY_LNS" -eq 1 ]; then
- _log "Create a symlink '$EffectivePkiDir/private/base.$DYNTLS_PKI_KEY_SUFFIX' to '$KeyPath'." 1
- ln -sf "$EffectivePkiDir/private/base.$DYNTLS_PKI_KEY_SUFFIX" "$KeyPath"
+ _log "Using relative symlink for service key: $KeyPath -> $DYNTLS_PKI_SERVER_BASEKEY_FILE" 1
+ ln -sf "$DYNTLS_PKI_SERVER_BASEKEY_FILE" "$KeyPath"
 else
- _log "Copy unique key from '$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_KEY_SUFFIX' to '$EffectivePkiDir/private/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_KEY_SUFFIX'." 1
- cp "$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_KEY_SUFFIX" "$EffectivePkiDir/private/"
+ _log "Using dedicated service key copy at: $KeyPath (source: $EffectivePkiDir/private/$DYNTLS_PKI_SERVER_BASEKEY_FILE)" 1
+ cp "$EffectivePkiDir/private/$DYNTLS_PKI_SERVER_BASEKEY_FILE" "$KeyPath"
 fi
 # Adjust ownership and permissions on .pem files
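Review bot: In `_ProvideCertDomainService` the `else` branch no longer installs a per-host key: it used to copy `$DYNTLS_PKI_HTTP_KEY_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_KEY_SUFFIX` and now copies `$EffectivePkiDir/private/$DYNTLS_PKI_SERVER_BASEKEY_FILE`, so as far as the hunk shows the "dedicated" key is the same private key material as the base key and exposure of one copy affects every service that shares it. The commit subject covers only the symlink case and the comment above the block still says "copy unique key"; if sharing the base key is intended, the comment should say so, e.g. `# Provide server key: relative symlink to the base key, or a copy of the base key`, and otherwise the per-host source should be kept. The new `cp` is also unchecked and writes through whatever already sits at `$KeyPath`: a symlink left from an earlier run with `DYNTLS_PKI_KEY_LNS=1` would presumably make it fail with a same-file error, so `rm -f -- "$KeyPath"` before the copy and a test of the exit status would make switching modes reliable. The function body starts and ends outside the hunk.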
@@ -1077,10 +1079,10 @@ _create_cert() {
 _log "Planned server key path: $KeyFile" 1
 if [ "$DYNTLS_PKI_KEY_LNS" -eq 1 ]; then
- _log "Linking base server key to: $KeyFile" 1
- ln -sf "$DYNTLS_PKI_SERVER_BASEKEY" "$KeyFile"
+ _log "Using relative symlink for server key: $KeyFile -> $DYNTLS_PKI_SERVER_BASEKEY_FILE" 1
+ ln -sf "$DYNTLS_PKI_SERVER_BASEKEY_FILE" "$KeyFile"
 else
- _log "Copying dedicated server key to: $KeyFile" 1
+ _log "Using dedicated server key copy at: $KeyFile (source: $DYNTLS_PKI_SERVER_BASEKEY)" 1
 cp -a "$DYNTLS_PKI_SERVER_BASEKEY" "$KeyFile"
 fi
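Review bot: The new `ln -sf "$DYNTLS_PKI_SERVER_BASEKEY_FILE" "$KeyFile"` in `_create_cert` resolves its target relative to the directory of `$KeyFile`, while the copy branch still reads the key from `$DYNTLS_PKI_SERVER_BASEKEY`; nothing in the hunk shows that the two variables name the same file or that `$KeyFile` is created next to the base key. If they diverge, or if `$DYNTLS_PKI_SERVER_BASEKEY_FILE` is empty or carries a path component, the link dangles or resolves to a different key, and the problem only surfaces when the service tries to load it. I would verify the link right after creating it, for example `[ -e "$KeyFile" ] || return 1` preceded by a `_log` line in whatever error style the script uses, and add a comment such as `# relative target: base key must live in the same directory as $KeyFile`. The function body starts and ends outside the hunk, so where `$KeyFile` is derived is not visible here.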