Add permissions to provider certmonger #133
Comments
@martinpitt what ownership/permissions do cockpit certs need?
See PR #97, the role already can specify permissions. But it's not necessary any more with recent cockpit versions (Fedora, c8s, RHEL 8.7/9.1 at least, possibly already earlier), permissions don't matter there. Can't be more precise right now, only next week again.
@martinpitt Thanks for the hint to the pull request - that should work nicely. I guess I'll remove my cert and retry with "group: cockpit-ws". Did that and yes, the resulting key/cert are readable from cockpit.
Thanks for the prompt feedback.
Please look at #134
To be specific: This was changed in https://cockpit-project.org/blog/cockpit-257.html , which is in RHEL 8.6 and 9.0, all Fedoras, CentOS 8/9 stream, Ubuntu 22.04 LTS. Debian stable has a backport.
@jh23453 : If you have a recent enough cockpit, you should be able to drop all four |
Some services require more restrictive permissions (postgresql, for example wants 0600 permissions for the private key). It would be nice if a |
Allow setting of certificate and key files mode attribute through the use of the 'mode' parameter. The parameter follows Ansible's file mode rules, accepting either strings or integer values. Fixes linux-system-roles#133 Signed-off-by: Rafael Jeffman <rjeffman@redhat.com>
Allow setting of certificate and key files mode attribute through the use of the 'mode' parameter. The parameter follows Ansible's file mode rules, accepting either strings or integer values. Fixes #133 Signed-off-by: Rafael Jeffman <rjeffman@redhat.com>
The certmonger provider supports owner/group for the files.
I've tried to get a certificate for cockpit. https://100things.wzzrd.com/2021/06/10/Proper-SSL-certs-in-cockpit.html suggests using "chmod g+r" for the certificates. It might be useful to support that.
I could change the owner of my certificate to cockpit-ws, but would that be a good idea? I'm unsure.