fix: close temp file before renaming it

d-Rickyy-b · d-Rickyy-b · commit fb10013d3766 · 2026-04-10T15:24:28.000+02:00
After the ct_index temp file was written but before it was closed, we were renaming it to the final file. That causes issues since the handle to the temp file is still open and we're blocking ourselves with that.

The solution is to extract the function to store the temp file and let the defer file.Close() close the file so that we can rename it afterwards.
diff --git a/internal/certificatetransparency/ct-watcher.go b/internal/certificatetransparency/ct-watcher.go
@@ -251,7 +251,10 @@ func (w *Watcher) Stop() {
 	if config.AppConfig.General.Recovery.Enabled {
 		// Store current CT Indexes before shutting down
 		filePath := config.AppConfig.General.Recovery.CTIndexFile
-		metrics.Metrics.SaveCertIndexes(filePath)
+		err := metrics.Metrics.SaveCertIndexes(filePath)
+		if err != nil {
+			log.Printf("Failed to save CT index file: %v\n", err)
+		}
 	}
 
 	w.cancelFunc()
@@ -320,7 +323,11 @@ func (w *Watcher) CreateIndexFile(filePath string) error {
 
 	w.cancelFunc()
 
-	metrics.Metrics.SaveCertIndexes(filePath)
+	saveErr := metrics.Metrics.SaveCertIndexes(filePath)
+	if saveErr != nil {
+		return saveErr
+	}
+
 	log.Println("Index file saved to", filePath)
 
 	return nil
diff --git a/internal/metrics/logmetrics.go b/internal/metrics/logmetrics.go
@@ -244,12 +244,14 @@ func (m *LogMetrics) SaveCertIndexesAtInterval(interval time.Duration, ctIndexFi
 	defer ticker.Stop()
 
 	for range ticker.C {
-		m.SaveCertIndexes(ctIndexFilePath)
+		if err := m.SaveCertIndexes(ctIndexFilePath); err != nil {
+			log.Printf("Error saving CT indexes at '%s': %s\n", ctIndexFilePath, err)
+		}
 	}
 }
 
 // SaveCertIndexes saves the index of CTLogs to a file.
-func (m *LogMetrics) SaveCertIndexes(ctIndexFilePath string) {
+func (m *LogMetrics) SaveCertIndexes(ctIndexFilePath string) error {
 	tempFilePath := ctIndexFilePath + ".tmp"
 
 	// Get the index data
@@ -260,39 +262,47 @@ func (m *LogMetrics) SaveCertIndexes(ctIndexFilePath string) {
 		log.Panic(cerr)
 	}
 
+	// Store index data in a temp file
+	err := storeTempFile(tempFilePath, bytes)
+	if err != nil {
+		return err
+	}
+
+	// Atomically move the temp file to the permanent file
+	renameErr := os.Rename(tempFilePath, ctIndexFilePath)
+	if renameErr != nil {
+		return fmt.Errorf("could not rename CT index temp file: %w", renameErr)
+	}
+
+	return nil
+}
+
+// storeTempFile stores the passed data in the tempFilePath.
+func storeTempFile(tempFilePath string, bytes []byte) error {
 	// Save data to a temporary file first
 	file, openErr := os.OpenFile(tempFilePath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
 	if openErr != nil {
-		log.Println("Could not save CT index to temporary file: ", openErr)
-		return
+		return fmt.Errorf("could not save CT index to temporary file: %w", openErr)
 	}
 	defer file.Close()
 
 	truncateErr := file.Truncate(0)
 	if truncateErr != nil {
-		log.Println("Error truncating CT index temp file: ", truncateErr)
-		return
+		return fmt.Errorf("could not save CT index to temporary file: %w", truncateErr)
 	}
 
 	// TODO: check for short writes
 	_, writeErr := file.Write(bytes)
 	if writeErr != nil {
-		log.Println("Error writing to CT index temp file: ", writeErr)
-		return
+		return fmt.Errorf("could not save CT index to temporary file: %w", writeErr)
 	}
 
 	syncErr := file.Sync()
 	if syncErr != nil {
-		log.Println("Error syncing CT index temp file: ", syncErr)
-		return
+		return fmt.Errorf("could not save CT index to temporary file: %w", syncErr)
 	}
 
-	// Atomically move the temp file to the permanent file
-	renameErr := os.Rename(tempFilePath, ctIndexFilePath)
-	if renameErr != nil {
-		log.Println("Error renaming CT index temp file: ", renameErr)
-		return
-	}
+	return nil
 }
 
 // GetProcessedCerts returns the total number of processed certificates.
