Use an ongoing certificate to avoid leaving unmatched key/cert pair

fs_overlay/opt/certs_manager/certs_manager.rb

@@ -115,11 +115,11 @@ def ensure_signed(domains, exit_on_failure = false)
         OpenSSL.create_csr(domain)
         if ACME.sign(domain)
           chain_certs(domain)
-          Nginx.reload || exit(1)
+          Nginx.reload || fail_and_shutdown
           puts "Signed certificate for #{domain.name}"
         else
           puts("Failed to obtain certs for #{domain.name}")
-          exit(1) if exit_on_failure
+          fail_and_shutdown if exit_on_failure
         end
       else
         puts "Signing skipped for #{domain.name}, it expires at #{OpenSSL.expires_in_days(domain.signed_cert_path)} days from now."

fs_overlay/opt/certs_manager/lib/commands.rb

@@ -44,4 +44,9 @@ def ensure_dummy_certificate_for_default_server
       )
     end
   end
+
+  def fail_and_shutdown
+    Nginx.stop
+    exit(1)
+  end
 end

fs_overlay/opt/certs_manager/lib/nginx.rb

@@ -36,7 +36,7 @@ def self.start(daemon = true)
 
     unless success
       puts "Nginx failed to start, exiting ..."
-      exit(1)
+      Commands.fail_and_shutdown
     end
   end