* Renewing certificates with certbot
@ 2019-02-22 13:49 Julien Lepiller
2019-02-22 17:57 ` swedebugia
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Julien Lepiller @ 2019-02-22 13:49 UTC (permalink / raw)
To: guix-devel
Hi,
I use certificates from let's encrypt for my website and mail servers,
and found that there was an issue with certificates generated by the
certbot service in Guix: the generated private keys are world-readable
(in a directory that cannot be accessed by anyone but root, so it's OK I
guess). OpenSMTPD is not happy with that though, so I have to chmod the
files every time. I came up with a variant of the deploy-hook that's
presented in the manual, and I'd like to update the example with it.
Here it is:
;; Find running nginx and reload its configuration (for certificates)
(define %my-deploy-hook
  (program-file
   "my-deploy-hook"
   #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
            (cert-dir (getenv "RENEWED_LINEAGE"))
            (privkey (string-append cert-dir "/privkey.pem")))
       ;; certbot private keys are world-readable by default, and smtpd complains
       ;; about that, refusing to start otherwise
       (chmod privkey #o600)
       (kill pid SIGHUP))))
What do you think?
^ permalink raw reply [flat|nested] 11+ messages in thread
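The same hook written as a plain POSIX sh deploy hook, added here as an example; it is my code, not Julien's Guix snippet and not part of the thread. certbot really does export RENEWED_LINEAGE to deploy hooks, and live/privkey.pem is normally a symlink into archive/, so permissions are read and changed on the target rather than the link. The nginx pid-file path and the NGINX_PID_FILE override are assumptions, and the directory check reflects Julien's point that the lineage directory, not the key file, is what keeps the key from other users: the hook reports whether the key needed tightening and warns when the directory itself is traversable by non-root users.

```shell
#!/bin/sh
# Added example: certbot deploy hook in POSIX sh (not from the thread).
# certbot runs deploy hooks with RENEWED_LINEAGE set to the lineage
# directory, e.g. /etc/letsencrypt/live/example.org. NGINX_PID_FILE and
# its default path are assumptions for this example.
set -eu

NGINX_PID_FILE="${NGINX_PID_FILE:-/var/run/nginx/pid}"

# Octal permission bits of a path, following symlinks (live/privkey.pem is
# usually a symlink into archive/). GNU and BSD stat differ, so try both.
perm_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Make a private key owner-only and report what happened:
# prints "fixed" when the mode was changed, "ok" when it was already 600.
tighten_key() {
    key="$1"
    mode="$(perm_of "$key")"
    if [ "$mode" != "600" ]; then
        chmod 600 "$key"
        echo fixed
    else
        echo ok
    fi
}

# Succeeds (exit 0) when the directory has no group/other permission bits,
# i.e. only its owner can traverse it; fails (exit 1) otherwise.
dir_is_private() {
    mode="$(perm_of "$1")"
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Ask a running nginx to reload by sending SIGHUP to the pid in its pid file.
reload_nginx() {
    pidfile="$1"
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    fi
}

# Tighten the renewed key and warn if the lineage directory is the only
# thing protecting it and it is not owner-only.
deploy_hook() {
    lineage="$1"
    if ! dir_is_private "$lineage"; then
        echo "warning: $lineage is traversable by non-root users" >&2
    fi
    tighten_key "$lineage/privkey.pem"
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); when sourced for
# testing this block does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE"
    reload_nginx "$NGINX_PID_FILE"
fi
```

Install it with certbot's --deploy-hook option (or the Guix deploy-hook field) pointing at the script; the "fixed" output is what you would expect to see once on an old certbot, and "ok" on every later renewal.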
* Re: Renewing certificates with certbot
2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
@ 2019-02-22 17:57 ` swedebugia
2019-03-06 13:42 ` Ludovic Courtès
2019-03-22 8:00 ` Chris Marusich
2 siblings, 0 replies; 11+ messages in thread
From: swedebugia @ 2019-02-22 17:57 UTC (permalink / raw)
To: guix-devel
On 2019-02-22 14:49, Julien Lepiller wrote:
> Hi,
>
> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK I
> guess). OpenSMTPD is not happy with that though, so I have to chmod the
> files every time. I came up with a variant of the deploy-hook that's
> presented in the manual, and I'd like to update the example with it.
> Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and smtpd complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?
>
LGTM.
--
Cheers Swedebugia
* Re: Renewing certificates with certbot
2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
2019-02-22 17:57 ` swedebugia
@ 2019-03-06 13:42 ` Ludovic Courtès
2019-03-06 13:51 ` Julien Lepiller
2019-03-22 8:00 ` Chris Marusich
2 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2019-03-06 13:42 UTC (permalink / raw)
To: Julien Lepiller; +Cc: guix-devel
Hi,
Julien Lepiller <julien@lepiller.eu> writes:
> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK
> I guess). OpenSMTPD is not happy with that though, so I have to chmod
> the files every time. I came up with a variant of the deploy-hook
> that's presented in the manual, and I'd like to update the example
> with it. Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and smtpd complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?
It sounds like a serious issue that private keys are world-readable. Is
it a bug on our side or in Certbot? I think we should fix it so that
they are never world-readable, rather than document how to work around
the bug.
WDYT?
Thanks,
Ludo’.
* Re: Renewing certificates with certbot
2019-03-06 13:42 ` Ludovic Courtès
@ 2019-03-06 13:51 ` Julien Lepiller
2019-03-06 14:12 ` Giovanni Biscuolo
2019-03-06 14:19 ` ng0
0 siblings, 2 replies; 11+ messages in thread
From: Julien Lepiller @ 2019-03-06 13:51 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On 2019-03-06 14:42, Ludovic Courtès wrote:
> Hi,
>
> Julien Lepiller <julien@lepiller.eu> writes:
>
>> I use certificates from let's encrypt for my website and mail servers,
>> and found that there was an issue with certificates generated by the
>> certbot service in Guix: the generated private keys are world-readable
>> (in a directory that cannot be accessed by anyone but root, so it's OK
>> I guess). OpenSMTPD is not happy with that though, so I have to chmod
>> the files every time. I came up with a variant of the deploy-hook
>> that's presented in the manual, and I'd like to update the example
>> with it. Here it is:
>>
>> ;; Find running nginx and reload its configuration (for certificates)
>> (define %my-deploy-hook
>>   (program-file
>>    "my-deploy-hook"
>>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>>             (cert-dir (getenv "RENEWED_LINEAGE"))
>>             (privkey (string-append cert-dir "/privkey.pem")))
>>        ;; certbot private keys are world-readable by default, and smtpd complains
>>        ;; about that, refusing to start otherwise
>>        (chmod privkey #o600)
>>        (kill pid SIGHUP))))
>>
>> What do you think?
>
> It sounds like a serious issue that private keys are world-readable.
> Is
> it a bug on our side or in Certbot? I think we should fix it so that
> they are never world-readable, rather than document how to work around
> the bug.
>
> WDYT?
>
> Thanks,
> Ludo’.
I don't think this is an issue: the file is world-readable, but the directory
it's in is not accessible to anyone but root. OpenSMTPD still complains,
but I think there's no security issue.
* Re: Renewing certificates with certbot
2019-03-06 13:51 ` Julien Lepiller
@ 2019-03-06 14:12 ` Giovanni Biscuolo
2019-03-06 14:19 ` ng0
1 sibling, 0 replies; 11+ messages in thread
From: Giovanni Biscuolo @ 2019-03-06 14:12 UTC (permalink / raw)
To: Julien Lepiller, Ludovic Courtès; +Cc: guix-devel
Hi Julien,
Julien Lepiller <julien@lepiller.eu> writes:
[...]
> I don't think this is an issue: the file is world-readable, but the directory
> it's in is not accessible to anyone but root. OpenSMTPD still complains,
> but I think there's no security issue.
not a serious (security) issue but an issue (service warning) should be
fixed anyway IMHO, other *future* services could be affected by this and
complain or not start at all
your fix should be applied in certbot-service-type service definition if
possible (and reported upstream if it depends on the software)
WDYT?
sorry I can't help fixing this
Thanks!
Giovanni
--
Giovanni Biscuolo
Xelera IT Infrastructures
* Re: Renewing certificates with certbot
2019-03-06 13:51 ` Julien Lepiller
2019-03-06 14:12 ` Giovanni Biscuolo
@ 2019-03-06 14:19 ` ng0
2019-03-06 14:33 ` Julien Lepiller
1 sibling, 1 reply; 11+ messages in thread
From: ng0 @ 2019-03-06 14:19 UTC (permalink / raw)
To: Julien Lepiller; +Cc: guix-devel
Julien Lepiller transcribed 1.6K bytes:
> On 2019-03-06 14:42, Ludovic Courtès wrote:
> > Hi,
> >
> > Julien Lepiller <julien@lepiller.eu> writes:
> >
> > > I use certificates from let's encrypt for my website and mail servers,
> > > and found that there was an issue with certificates generated by the
> > > certbot service in Guix: the generated private keys are world-readable
> > > (in a directory that cannot be accessed by anyone but root, so it's OK
> > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
> > > the files every time. I came up with a variant of the deploy-hook
> > > that's presented in the manual, and I'd like to update the example
> > > with it. Here it is:
> > >
> > > ;; Find running nginx and reload its configuration (for certificates)
> > > (define %my-deploy-hook
> > >   (program-file
> > >    "my-deploy-hook"
> > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
> > >             (cert-dir (getenv "RENEWED_LINEAGE"))
> > >             (privkey (string-append cert-dir "/privkey.pem")))
> > >        ;; certbot private keys are world-readable by default, and smtpd complains
> > >        ;; about that, refusing to start otherwise
> > >        (chmod privkey #o600)
> > >        (kill pid SIGHUP))))
> > >
> > > What do you think?
> >
> > It sounds like a serious issue that private keys are world-readable. Is
> > it a bug on our side or in Certbot? I think we should fix it so that
It's a certbot default, on all systems.
> > they are never world-readable, rather than document how to work around
> > the bug.
> >
> > WDYT?
> >
> > Thanks,
> > Ludo’.
>
> I don't think this is an issue: the file is world-readable, but the directory
> it's in is not accessible to anyone but root. OpenSMTPD still complains,
> but I think there's no security issue.
>
>
* Re: Renewing certificates with certbot
2019-03-06 14:19 ` ng0
@ 2019-03-06 14:33 ` Julien Lepiller
2019-03-06 16:26 ` ng0
0 siblings, 1 reply; 11+ messages in thread
From: Julien Lepiller @ 2019-03-06 14:33 UTC (permalink / raw)
To: guix-devel
On 2019-03-06 15:19, ng0@n0.is wrote:
> Julien Lepiller transcribed 1.6K bytes:
>> On 2019-03-06 14:42, Ludovic Courtès wrote:
>> > Hi,
>> >
>> > Julien Lepiller <julien@lepiller.eu> writes:
>> >
>> > > I use certificates from let's encrypt for my website and mail servers,
>> > > and found that there was an issue with certificates generated by the
>> > > certbot service in Guix: the generated private keys are world-readable
>> > > (in a directory that cannot be accessed by anyone but root, so it's OK
>> > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
>> > > the files every time. I came up with a variant of the deploy-hook
>> > > that's presented in the manual, and I'd like to update the example
>> > > with it. Here it is:
>> > >
>> > > ;; Find running nginx and reload its configuration (for certificates)
>> > > (define %my-deploy-hook
>> > >   (program-file
>> > >    "my-deploy-hook"
>> > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>> > >             (cert-dir (getenv "RENEWED_LINEAGE"))
>> > >             (privkey (string-append cert-dir "/privkey.pem")))
>> > >        ;; certbot private keys are world-readable by default, and smtpd complains
>> > >        ;; about that, refusing to start otherwise
>> > >        (chmod privkey #o600)
>> > >        (kill pid SIGHUP))))
>> > >
>> > > What do you think?
>> >
>> > It sounds like a serious issue that private keys are world-readable. Is
>> > it a bug on our side or in Certbot? I think we should fix it so that
>
> It's a certbot default, on all systems.
Actually, reading https://github.com/certbot/certbot/issues/1473 suggests
it's not the case anymore. I was probably running an older version of certbot.
>
>> > they are never world-readable, rather than document how to work around
>> > the bug.
>> >
>> > WDYT?
>> >
>> > Thanks,
>> > Ludo’.
>>
>> I don't think this is an issue: the file is world-readable, but the directory
>> it's in is not accessible to anyone but root. OpenSMTPD still complains,
>> but I think there's no security issue.
>>
>>
* Re: Renewing certificates with certbot
2019-03-06 14:33 ` Julien Lepiller
@ 2019-03-06 16:26 ` ng0
0 siblings, 0 replies; 11+ messages in thread
From: ng0 @ 2019-03-06 16:26 UTC (permalink / raw)
To: Julien Lepiller; +Cc: guix-devel
Julien Lepiller transcribed 2.1K bytes:
> On 2019-03-06 15:19, ng0@n0.is wrote:
> > Julien Lepiller transcribed 1.6K bytes:
> > > On 2019-03-06 14:42, Ludovic Courtès wrote:
> > > > Hi,
> > > >
> > > > Julien Lepiller <julien@lepiller.eu> writes:
> > > >
> > > > > I use certificates from let's encrypt for my website and mail servers,
> > > > > and found that there was an issue with certificates generated by the
> > > > > certbot service in Guix: the generated private keys are world-readable
> > > > > (in a directory that cannot be accessed by anyone but root, so it's OK
> > > > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
> > > > > the files every time. I came up with a variant of the deploy-hook
> > > > > that's presented in the manual, and I'd like to update the example
> > > > > with it. Here it is:
> > > > >
> > > > > ;; Find running nginx and reload its configuration (for certificates)
> > > > > (define %my-deploy-hook
> > > > >   (program-file
> > > > >    "my-deploy-hook"
> > > > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
> > > > >             (cert-dir (getenv "RENEWED_LINEAGE"))
> > > > >             (privkey (string-append cert-dir "/privkey.pem")))
> > > > >        ;; certbot private keys are world-readable by default, and smtpd complains
> > > > >        ;; about that, refusing to start otherwise
> > > > >        (chmod privkey #o600)
> > > > >        (kill pid SIGHUP))))
> > > > >
> > > > > What do you think?
> > > >
> > > > It sounds like a serious issue that private keys are world-readable. Is
> > > > it a bug on our side or in Certbot? I think we should fix it so that
> >
> > It's a certbot default, on all systems.
>
> Actually, reading https://github.com/certbot/certbot/issues/1473 suggests
> it's not the case anymore. I was probably running an older version
> of certbot.
Thanks for pointing me to this, I wasn't aware of this.
> >
> > > > they are never world-readable, rather than document how to work around
> > > > the bug.
> > > >
> > > > WDYT?
> > > >
> > > > Thanks,
> > > > Ludo’.
> > >
> > > I don't think this is an issue: the file is world-readable, but the directory
> > > it's in is not accessible to anyone but root. OpenSMTPD still complains,
> > > but I think there's no security issue.
> > >
> > >
>
>
* Re: Renewing certificates with certbot
2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
2019-02-22 17:57 ` swedebugia
2019-03-06 13:42 ` Ludovic Courtès
@ 2019-03-22 8:00 ` Chris Marusich
2 siblings, 0 replies; 11+ messages in thread
From: Chris Marusich @ 2019-03-22 8:00 UTC (permalink / raw)
To: Julien Lepiller; +Cc: guix-devel
Hi Julien,
Sorry for the late reply.
Julien Lepiller <julien@lepiller.eu> writes:
> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK
> I guess). OpenSMTPD is not happy with that though, so I have to chmod
> the files every time. I came up with a variant of the deploy-hook
> that's presented in the manual, and I'd like to update the example
> with it. Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and smtpd complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?
I think it would be harmless to include as an example. Since nobody has
said anything in a few weeks, I'd say commit it!
As for certbot's behavior, do you know why it creates the private keys
world-readable in the first place? That seems strange. Can certbot
itself be fixed so it doesn't do that? If not, can we update the
service definition to somehow do this automatically for people (e.g.,
provide an optional, included-by-default deploy hook)?
--
Chris
* Re: Renewing certificates with certbot
@ 2019-03-22 10:55 Clément Lassieur
2019-03-23 1:08 ` Chris Marusich
0 siblings, 1 reply; 11+ messages in thread
From: Clément Lassieur @ 2019-03-22 10:55 UTC (permalink / raw)
To: cmmarusich; +Cc: guix-devel
Hi Chris,
Unless I misunderstood, this email[1] from Julien suggests that the
issue was that certbot was too old, but it was fixed upstream.
Cheers,
Clément
[1]: https://lists.gnu.org/archive/html/guix-devel/2019-03/msg00070.html