From c0bd9bd02f689c4997993824d0661624ef9e7da6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20D=C3=BCsterhaupt?=
Date: Sat, 25 Apr 2026 10:17:16 +0200
Subject: [PATCH] Restore SELinux context for newly deployed certificate files when possible
---
 dyntls.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/dyntls.sh b/dyntls.sh
index e0299c6..1281942 100644
--- a/dyntls.sh
+++ b/dyntls.sh
@@ -1214,9 +1214,18 @@ _create_cert() {
 cat "$DYNTLS_DOMAIN_TARGET_CERT" "$chain_path" > "$fullchain_path"
 # Adjust the permission(s)
- chmod 640 "$chain_path" "$fullchain_path"
+ chmod 640 "$DYNTLS_DOMAIN_TARGET_CERT" "$chain_path" "$fullchain_path"
 #chmod 640 "$DYNTLS_PKI_HTTP_CERT_DIR"/*.pem*
+ # Restore SELinux context(s) if restorecon is available
+ if command -v restorecon >/dev/null 2>&1; then
+ _log "Restoring SELinux context(s) for certificate files via restorecon." 1
+ restorecon -Rv "$DYNTLS_DOMAIN_TARGET_CERT" "$chain_path" "$fullchain_path" >/dev/null 2>&1 || \
+ _log "restorecon reported an error while relabeling certificate files." 3
+ else
+ _log "restorecon not found; skipping SELinux context restore for certificate files." 2
+ fi
+
 # Remove temporary file(s)
 _log "Removing ACME chain file: $DYNTLS_LE_TMP_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_TMP_CHAIN_SUFFIX" 1
 rm -f "$DYNTLS_LE_TMP_DIR/$DYNTLS_MEMBER_HOSTNAME.$DYNTLS_PKI_TMP_CHAIN_SUFFIX"
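Review bot: The added `restorecon` call sends both stdout and stderr to `/dev/null`, so when relabeling fails the only trace is the generic level-3 message, and the reason a service may later be denied access to the certificate is lost. With the output discarded `-v` does nothing, and `-R` is not needed for three regular files. Consider capturing the output and logging it, with `rc_out` declared `local`: `rc_out=$(restorecon -- "$DYNTLS_DOMAIN_TARGET_CERT" "$chain_path" "$fullchain_path" 2>&1) || _log "restorecon failed: $rc_out" 3`. The presence of the binary does not show that SELinux is active, so also gating on `selinuxenabled` where it exists would likely avoid misleading error entries on hosts with SELinux disabled. `_create_cert` starts and ends outside the hunk, and the meaning of the numeric `_log` levels is not visible here.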