docker: Only do setfacl if we issued the certificates

Today, we do setfacl unconditionally; this can be a problem for user-provided certificates because they may be located somewhere else. This patch fixes the problem by only doing setfacl after renewing the certificates. Externally provided certificates will be untouched, and the user is responsible for ensuring that chasquid can read them. Thanks to Alex Ellwein (aellwein@github) for reporting this in #29!
albertito · Aug 23, 2022 · 567ad35 · 567ad35
1 parent b779941
commit 567ad35
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
@@ -46,6 +46,10 @@ if [ "$AUTO_CERTS" != "" ]; then
 	# Note this requires you to restart every week or so, to make sure
 	# your certificate does not expire.
 	certbot renew
+
+	# Give chasquid access to the certificates.
+	# Dovecot does not need this as it reads them as root.
+	setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}
 fi
 
 CERT_DOMAINS=""
@@ -66,10 +70,6 @@ if [ "$CERT_DOMAINS" == "" ]; then
 	exit 1
 fi
 
-# Give chasquid access to the certificates.
-# Dovecot does not need this as it reads them as root.
-setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}
-
 # Give chasquid access to the data directory.
 mkdir -p /data/chasquid/data
 chown -R chasquid /data/chasquid/