
Add permissions to provider certmonger #133

Closed
jh23453 opened this issue Aug 20, 2022 · 7 comments · Fixed by #175

Comments

@jh23453

jh23453 commented Aug 20, 2022

The certmonger provider supports owner/group for the files.
I've tried to get a certificate for cockpit. https://100things.wzzrd.com/2021/06/10/Proper-SSL-certs-in-cockpit.html suggests using "chmod g+r" for the certificates. It might be useful to support that.
I could change the owner of my certificate to cockpit-ws, but would that be a good idea? I'm unsure.

@richm
Collaborator

richm commented Aug 20, 2022

@martinpitt what ownership/permissions do cockpit certs need?

@martinpitt
Contributor

See PR #97, the role already can specify permissions. But it's not necessary any more with recent cockpit versions (Fedora, c8s, RHEL 8.7/9.1 at least, possibly already earlier), permissions don't matter there. Can't be more precise right now, only next week again.

@jh23453
Author

jh23453 commented Aug 21, 2022

@martinpitt Thanks for the hint to the pull request - that should work nicely. I guess I'll remove my cert and retry with "group: cockpit-ws". Did that and yes, the resulting key/cert are readable from cockpit.
So technically it works like you expected. Let me see if I find some suggestion for the documentation.
Just to complete, here's how I requested certificates with ipa-getcert:

ipa-getcert request --wait \
        --keyfile="${keydir}/50-certmonger.key"   --key-owner=root:cockpit-ws --key-perms=640 \
        --certfile="${certdir}/50-certmonger.crt" --cert-owner=root --cert-perms=644 \
        -N "CN=${hostname}" -D "${hostname}" -K "cockpit/${hostname}"

Thanks for the prompt feedback.

@jh23453
Author

jh23453 commented Aug 21, 2022

Please look at #134

@martinpitt
Contributor

But it's not necessary any more with recent cockpit versions

To be specific: This was changed in https://cockpit-project.org/blog/cockpit-257.html , which is in RHEL 8.6 and 9.0, all Fedoras, CentOS 8/9 stream, Ubuntu 22.04 LTS. Debian stable has a backport.

@martinpitt
Contributor

@jh23453 : If you have a recent enough cockpit, you should be able to drop all four --{cert,key}-{owner,perms} options.

@Nihlus

Nihlus commented Mar 19, 2023

Some services require more restrictive permissions (postgresql, for example wants 0600 permissions for the private key). It would be nice if a mode parameter could be added to the module so we could control it ourselves.

rjeffman added a commit to rjeffman/certificate that referenced this issue Jun 20, 2023
Allow setting of certificate and key files mode attribute through the
use of the 'mode' parameter. The parameter follows Ansible's file mode
rules, accepting either strings or integer values.

Fixes linux-system-roles#133

Signed-off-by: Rafael Jeffman <rjeffman@redhat.com>
rjeffman added a commit to rjeffman/certificate that referenced this issue Jun 20, 2023
Allow setting of certificate and key files mode attribute through the
use of the 'mode' parameter. The parameter follows Ansible's file mode
rules, accepting either strings or integer values.

Fixes linux-system-roles#133

Signed-off-by: Rafael Jeffman <rjeffman@redhat.com>
@rjeffman rjeffman linked a pull request Jun 21, 2023 that will close this issue
rjeffman added a commit to rjeffman/certificate that referenced this issue Jun 28, 2023
Allow setting of certificate and key files mode attribute through the
use of the 'mode' parameter. The parameter follows Ansible's file mode
rules, accepting either strings or integer values.

Fixes linux-system-roles#133

Signed-off-by: Rafael Jeffman <rjeffman@redhat.com>
richm pushed a commit that referenced this issue Jun 28, 2023
Allow setting of certificate and key files mode attribute through the
use of the 'mode' parameter. The parameter follows Ansible's file mode
rules, accepting either strings or integer values.

Fixes #133

Signed-off-by: Rafael Jeffman <rjeffman@redhat.com>
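A defender-side check for the two cases raised in this thread (postgresql wanting 0600 on the private key; cockpit's root:cockpit-ws key with 640, or the blog's "chmod g+r") and for the string-or-integer `mode` values the commit messages describe. This is an added example, not code from the certificate role or from anyone in the thread; the rule that an integer mode is taken as-is (so a YAML literal must be written 0640, not 640) is stated as I understand Ansible's handling, and the temporary "key" file is constructed for the demo.

```python
import os
import re
import tempfile
WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}

def parse_mode(value, base=0):
    """Ansible-style mode -> permission bits. int: used as-is (so YAML must say 0640,
    not decimal 640); "0640": parsed base 8; "g+r" / "u=rw,g=r": applied to base."""
    if isinstance(value, int):
        return value & 0o7777
    text = str(value).strip()
    if re.fullmatch(r"[0-7]{3,4}", text):
        return int(text, 8)
    mode = base
    for clause in text.split(","):
        m = re.fullmatch(r"([ugoa]*)([=+-])([rwx]*)", clause)
        if not m:
            raise ValueError(f"unsupported mode clause: {clause!r}")
        who, op, perms = m.groups()
        mask = bits = 0
        for w in who or "a": mask |= WHO[w]   # "a" or no prefix means everyone
        for p in perms: bits |= PERM[p] & mask
        if op == "=":
            mode = (mode & ~mask) | bits
        elif op == "+":
            mode |= bits
        else:
            mode &= ~bits
    return mode

def excess_bits(actual, allowed):
    """Bits set on the file that the consumer's policy forbids (0 means compliant)."""
    return actual & ~allowed & 0o777

def check_key_file(path, allowed):
    """Forbidden bits on an on-disk key file, read via stat (0 when it complies)."""
    return excess_bits(os.stat(path).st_mode, allowed)

def demo():
    """Constructed: a throwaway 'key' created world-readable, then tightened."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, 0o644)
    before = check_key_file(path, parse_mode("0600"))   # postgresql wants 0600
    os.chmod(path, parse_mode("g+r", base=0o600))       # root:cockpit-ws style, 0640
    after = check_key_file(path, parse_mode(0o640))
    os.unlink(path)
    return before, after
```

Running `check_key_file` over the key paths a role deploys, with the per-service maximum as `allowed`, turns the thread's "who may read the key" question into an auditable assertion.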