Upgrade certmagic from v0.14.1 to v0.15.2 (#18138)

vendor/github.com/caddyserver/certmagic/crypto.go

@@ -72,6 +72,10 @@ func encodePrivateKey(key crypto.PrivateKey) ([]byte, error) {
 func decodePrivateKey(keyPEMBytes []byte) (crypto.Signer, error) {
 	keyBlockDER, _ := pem.Decode(keyPEMBytes)
 
+	if keyBlockDER == nil {
+		return nil, fmt.Errorf("failed to decode PEM block containing private key")
+	}
+
 	if keyBlockDER.Type != "PRIVATE KEY" && !strings.HasSuffix(keyBlockDER.Type, " PRIVATE KEY") {
 		return nil, fmt.Errorf("unknown PEM header %q", keyBlockDER.Type)
 	}
@@ -142,14 +146,14 @@ func (cfg *Config) saveCertResource(issuer Issuer, cert CertificateResource) err
 	certKey := cert.NamesKey()
 
 	all := []keyValue{
-		{
-			key:   StorageKeys.SiteCert(issuerKey, certKey),
-			value: cert.CertificatePEM,
-		},
 		{
 			key:   StorageKeys.SitePrivateKey(issuerKey, certKey),
 			value: cert.PrivateKeyPEM,
 		},
+		{
+			key:   StorageKeys.SiteCert(issuerKey, certKey),
+			value: cert.CertificatePEM,
+		},
 		{
 			key:   StorageKeys.SiteMeta(issuerKey, certKey),
 			value: metaBytes,