diff --git a/go/secretsmgr/secretsmgr.go b/go/secretsmgr/secretsmgr.go index 79fe7425ff..f5983699c2 100644 --- a/go/secretsmgr/secretsmgr.go +++ b/go/secretsmgr/secretsmgr.go @@ -479,12 +479,6 @@ func shouldRenewACMECert(c acmeCertificate) (bool, error) { } func writeCertificate(certDef acmeCertificate, cert *vapi.Secret) error { - restoreGroup, err := setGroup(certDef.Group) - if err != nil { - return fmt.Errorf("setting group to write output: %w", err) - } - defer restoreGroup() - setFiles := []struct { name string content []byte @@ -504,10 +498,18 @@ func writeCertificate(certDef acmeCertificate, cert *vapi.Secret) error { }} for _, sf := range setFiles { - log.Infof("writing file %v mode %s", sf.name, sf.perm) - os.Remove(sf.name) // optimistically try to remove the file, we don't care if it succeeds // if it doesn't, we'll error when we try to open it + } + + restoreGroup, err := setGroup(certDef.Group) + if err != nil { + return fmt.Errorf("setting group to write output: %w", err) + } + defer restoreGroup() + + for _, sf := range setFiles { + log.Infof("writing file %v mode %s group %s", sf.name, sf.perm, certDef.Group) f, err := os.OpenFile(sf.name, os.O_WRONLY|os.O_CREATE|os.O_EXCL, sf.perm) if err != nil {
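Review bot: In the second hunk of writeCertificate, a `setGroup` failure now returns after the first loop has already removed every entry in `setFiles`, so an error that used to leave the existing certificate and key in place now leaves none on disk; an `os.OpenFile` failure on an early entry has the same effect on the later ones, which before this change were only removed just before their own write. Why removal has to precede the group switch is not visible here, but if that order must stay, consider writing each file under a temporary name in the same directory and replacing `sf.name` only once the write has succeeded, so the old material survives a failed run. The comment under `os.Remove` still refers to the open that now lives in a separate loop; something like `// best effort, done before setGroup; a leftover file makes the O_EXCL open in the next loop fail` would match the new layout. Logging unexpected removal errors, e.g. `if err := os.Remove(sf.name); err != nil && !os.IsNotExist(err) { log.Infof("removing %v: %v", sf.name, err) }`, would make that later O_EXCL failure easier to diagnose. The function body starts and ends outside the hunk.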