-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Debian: Make live directory readable by ssl-cert group #1425
Comments
Same for me. |
+1 But you also have to make |
Don't copy the LE certificates. Instead use the ssl-cert group to manage access to the LE certificates directly. See certbot/certbot#1425 for a request to have the LE client do this itself.
Don't copy the LE certificates. Instead use the ssl-cert group to manage access to the LE certificates directly. See certbot/certbot#1425 for a request to have the LE client do this itself.
👍 |
Please add this! |
Unless you're not on ubuntu or debian and there is no ssl-cert group. If you have root access, set the group manually yourself. Coding in a dependency to a specific distribution's idiosyncrasies is a terrible idea. |
It only needs to check if the group exists, and if so use that instead, and then document this behaviour. I don't think it needs to be coded to be distribution-specific, and it would make for a small usability improvement that has caught out a number of people. |
There already is distro-specific behavior for every major class of distro, out of necessity, so that might be a moot point. In any case I'd argue that it's not a "terrible idea" to comport to a general quality of life measure in one of the 2 general classes of distribution that everyone uses, especially if the project is going to recommend that people use the upstream version and not a distribution package (which would presumably be tweaked to comply with this |
Making it run smoothly on the distribution family that accounts for almost 73% of known Linux servers is not catering to a distribution's idiosyncrasies. It is addressing the needs of your major user base.
Wholeheartedly agree. The moment you suggest users not use a distribution-supplied package, you are essentially taking responsibility for working correctly on each distribution. |
Don't copy the LE certificates. Instead use the ssl-cert group to manage access to the LE certificates directly. See certbot/certbot#1425 for a request to have the LE client do this itself.
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed. |
In the scope of us recommending to use the upstream version through the snap packaging, I think this issue still need to be studied to see if we can improve things. @bmw what do you think? |
Sure, but especially since neither us or Debian/Ubuntu has done anything about this in any Certbot distribution method for the last 4.5 years, I'll add that I honestly doubt the small Certbot team will have the resources to prioritize this ourselves anytime soon. In the meantime, if you modify the directories and private key with the permissions you want, Certbot should preserve them. |
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed. |
On one of my systems I have: |
I think this is an important issue because now users have to use self made deploy hooks and use some random tutorials from internet. It's a big probability to mess and expose system. From what I read it looks like LE must use the following approach.
This can be done via post install hook. But still remains a big problem that users should configure the path to a cert themselves. The Debian has ssl-cert package with a /usr/sbin/make-ssl-cert wrapper for To be compliant with existing Debian approach the LE privkey should be also stored into I think that instead of separate privkey and fullchain files the LE should generate a single file as discussed in #5087. It remains few things to consider. Keys locationThe Daemon specific certsIf the same cert is used by many daemons then if one of them was hacked and private key leaked then all others are compromised too. Certs managementIn the https://wiki.debian.org/SslCertificateHandling was proposed a tool that simplifies certs configuration. Maybe some ideas may be useful to consider. ArchiveThe certs archive may remain the current Alternative ACME clientsThe acme.sh, dehydrated and others like Caddy may store the certs in the same location. Additional links |
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed. |
This issue has been closed due to lack of activity, but if you think it should be reopened, please open a new issue with a link to this one and we'll take a look. |
On Debian, programs that run as non-root have the group
ssl-cert
, for exampleejabberd
.The
/etc/letsencrypt/live
is only readable byroot
and nobody else. This directory should be readable and executable by thessl-cert
group.The text was updated successfully, but these errors were encountered: