unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Renewing certificates with certbot
@ 2019-02-22 13:49 Julien Lepiller
  2019-02-22 17:57 ` swedebugia
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Julien Lepiller @ 2019-02-22 13:49 UTC (permalink / raw)
  To: guix-devel

Hi,

I use certificates from let's encrypt for my website and mail servers, 
and found that there was an issue with certificates generated by the 
certbot service in Guix: the generated private keys are world-readable 
(in a directory that cannot be accessed by anyone but root, so it's OK I 
guess). OpenSMTPD is not happy with that though, so I have to chmod the 
files every time. I came up with a variant of the deploy-hook that's 
presented in the manual, and I'd like to update the example with it. 
Here it is:

;; Find running nginx and reload its configuration (for certificates)
(define %my-deploy-hook
   (program-file
    "my-deploy-hook"
    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
             (cert-dir (getenv "RENEWED_LINEAGE"))
             (privkey (string-append cert-dir "/privkey.pem")))
        ;; certbot private keys are world-readable by default, and smtpd 
complains
        ;; about that, refusing to start otherwise
        (chmod privkey #o600)
        (kill pid SIGHUP))))

What do you think?

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
@ 2019-02-22 17:57 ` swedebugia
  2019-03-06 13:42 ` Ludovic Courtès
  2019-03-22  8:00 ` Chris Marusich
  2 siblings, 0 replies; 11+ messages in thread
From: swedebugia @ 2019-02-22 17:57 UTC (permalink / raw)
  To: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 1243 bytes --]

On 2019-02-22 14:49, Julien Lepiller wrote:
> Hi,
> 
> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK I
> guess). OpenSMTPD is not happy with that though, so I have to chmod the
> files every time. I came up with a variant of the deploy-hook that's
> presented in the manual, and I'd like to update the example with it.
> Here it is:
> 
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and smtpd
> complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
> 
> What do you think?
> 

LGTM.

-- 
Cheers Swedebugia


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
  2019-02-22 17:57 ` swedebugia
@ 2019-03-06 13:42 ` Ludovic Courtès
  2019-03-06 13:51   ` Julien Lepiller
  2019-03-22  8:00 ` Chris Marusich
  2 siblings, 1 reply; 11+ messages in thread
From: Ludovic Courtès @ 2019-03-06 13:42 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Hi,

Julien Lepiller <julien@lepiller.eu> skribis:

> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK
> I guess). OpenSMTPD is not happy with that though, so I have to chmod
> the files every time. I came up with a variant of the deploy-hook
> that's presented in the manual, and I'd like to update the example
> with it. Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and
> smtpd complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?

It sounds like a serious issue that private keys are world-readable.  Is
it a bug on our side or in Certbot?  I think we should fix it so that
they are never world-readable, rather than document how to work around
the bug.

WDYT?

Thanks,
Ludo’.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-03-06 13:42 ` Ludovic Courtès
@ 2019-03-06 13:51   ` Julien Lepiller
  2019-03-06 14:12     ` Giovanni Biscuolo
  2019-03-06 14:19     ` ng0
  0 siblings, 2 replies; 11+ messages in thread
From: Julien Lepiller @ 2019-03-06 13:51 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

Le 2019-03-06 14:42, Ludovic Courtès a écrit :
> Hi,
> 
> Julien Lepiller <julien@lepiller.eu> skribis:
> 
>> I use certificates from let's encrypt for my website and mail servers,
>> and found that there was an issue with certificates generated by the
>> certbot service in Guix: the generated private keys are world-readable
>> (in a directory that cannot be accessed by anyone but root, so it's OK
>> I guess). OpenSMTPD is not happy with that though, so I have to chmod
>> the files every time. I came up with a variant of the deploy-hook
>> that's presented in the manual, and I'd like to update the example
>> with it. Here it is:
>> 
>> ;; Find running nginx and reload its configuration (for certificates)
>> (define %my-deploy-hook
>>   (program-file
>>    "my-deploy-hook"
>>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>>             (cert-dir (getenv "RENEWED_LINEAGE"))
>>             (privkey (string-append cert-dir "/privkey.pem")))
>>        ;; certbot private keys are world-readable by default, and
>> smtpd complains
>>        ;; about that, refusing to start otherwise
>>        (chmod privkey #o600)
>>        (kill pid SIGHUP))))
>> 
>> What do you think?
> 
> It sounds like a serious issue that private keys are world-readable.  
> Is
> it a bug on our side or in Certbot?  I think we should fix it so that
> they are never world-readable, rather than document how to work around
> the bug.
> 
> WDYT?
> 
> Thanks,
> Ludo’.

I don't think this is an issue: the file is world-readable, but the 
directory
it's in is not accessible to anyone but root. OpenSMTPD still complains,
but I think there's no security issue.

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-03-06 13:51   ` Julien Lepiller
@ 2019-03-06 14:12     ` Giovanni Biscuolo
  2019-03-06 14:19     ` ng0
  1 sibling, 0 replies; 11+ messages in thread
From: Giovanni Biscuolo @ 2019-03-06 14:12 UTC (permalink / raw)
  To: Julien Lepiller, Ludovic Courtès; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 712 bytes --]

Hi Julien,

Julien Lepiller <julien@lepiller.eu> writes:

[...]

> I don't think this is an issue: the file is world-readable, but the 
> directory
> it's in is not accessible to anyone but root. OpenSMTPD still complains,
> but I think there's no security issue.

not a seriuos (security) issue but an issue (service warning) should be
fixed anyway IMHO, other *future* services could be affacted by this and
complain or not start at all

your fix should be applied in certbot-service-type service definition if
possible (and reported upstream if it depends on the software)

WDYT?

sorry I can't help fixing this

Thanks!
Giovanni

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-03-06 13:51   ` Julien Lepiller
  2019-03-06 14:12     ` Giovanni Biscuolo
@ 2019-03-06 14:19     ` ng0
  2019-03-06 14:33       ` Julien Lepiller
  1 sibling, 1 reply; 11+ messages in thread
From: ng0 @ 2019-03-06 14:19 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Julien Lepiller transcribed 1.6K bytes:
> Le 2019-03-06 14:42, Ludovic Courtès a écrit :
> > Hi,
> > 
> > Julien Lepiller <julien@lepiller.eu> skribis:
> > 
> > > I use certificates from let's encrypt for my website and mail servers,
> > > and found that there was an issue with certificates generated by the
> > > certbot service in Guix: the generated private keys are world-readable
> > > (in a directory that cannot be accessed by anyone but root, so it's OK
> > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
> > > the files every time. I came up with a variant of the deploy-hook
> > > that's presented in the manual, and I'd like to update the example
> > > with it. Here it is:
> > > 
> > > ;; Find running nginx and reload its configuration (for certificates)
> > > (define %my-deploy-hook
> > >   (program-file
> > >    "my-deploy-hook"
> > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
> > >             (cert-dir (getenv "RENEWED_LINEAGE"))
> > >             (privkey (string-append cert-dir "/privkey.pem")))
> > >        ;; certbot private keys are world-readable by default, and
> > > smtpd complains
> > >        ;; about that, refusing to start otherwise
> > >        (chmod privkey #o600)
> > >        (kill pid SIGHUP))))
> > > 
> > > What do you think?
> > 
> > It sounds like a serious issue that private keys are world-readable.  Is
> > it a bug on our side or in Certbot?  I think we should fix it so that

It's a certbot default, on all all systems.

> > they are never world-readable, rather than document how to work around
> > the bug.
> > 
> > WDYT?
> > 
> > Thanks,
> > Ludo’.
> 
> I don't think this is an issue: the file is world-readable, but the
> directory
> it's in is not accessible to anyone but root. OpenSMTPD still complains,
> but I think there's no security issue.
> 
> 

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-03-06 14:19     ` ng0
@ 2019-03-06 14:33       ` Julien Lepiller
  2019-03-06 16:26         ` ng0
  0 siblings, 1 reply; 11+ messages in thread
From: Julien Lepiller @ 2019-03-06 14:33 UTC (permalink / raw)
  To: guix-devel

Le 2019-03-06 15:19, ng0@n0.is a écrit :
> Julien Lepiller transcribed 1.6K bytes:
>> Le 2019-03-06 14:42, Ludovic Courtès a écrit :
>> > Hi,
>> >
>> > Julien Lepiller <julien@lepiller.eu> skribis:
>> >
>> > > I use certificates from let's encrypt for my website and mail servers,
>> > > and found that there was an issue with certificates generated by the
>> > > certbot service in Guix: the generated private keys are world-readable
>> > > (in a directory that cannot be accessed by anyone but root, so it's OK
>> > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
>> > > the files every time. I came up with a variant of the deploy-hook
>> > > that's presented in the manual, and I'd like to update the example
>> > > with it. Here it is:
>> > >
>> > > ;; Find running nginx and reload its configuration (for certificates)
>> > > (define %my-deploy-hook
>> > >   (program-file
>> > >    "my-deploy-hook"
>> > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>> > >             (cert-dir (getenv "RENEWED_LINEAGE"))
>> > >             (privkey (string-append cert-dir "/privkey.pem")))
>> > >        ;; certbot private keys are world-readable by default, and
>> > > smtpd complains
>> > >        ;; about that, refusing to start otherwise
>> > >        (chmod privkey #o600)
>> > >        (kill pid SIGHUP))))
>> > >
>> > > What do you think?
>> >
>> > It sounds like a serious issue that private keys are world-readable.  Is
>> > it a bug on our side or in Certbot?  I think we should fix it so that
> 
> It's a certbot default, on all all systems.

Actually, reading https://github.com/certbot/certbot/issues/1473 
suggests
it's not the case anymore. I was probably running an older version
of certbot.

> 
>> > they are never world-readable, rather than document how to work around
>> > the bug.
>> >
>> > WDYT?
>> >
>> > Thanks,
>> > Ludo’.
>> 
>> I don't think this is an issue: the file is world-readable, but the
>> directory
>> it's in is not accessible to anyone but root. OpenSMTPD still 
>> complains,
>> but I think there's no security issue.
>> 
>> 

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-03-06 14:33       ` Julien Lepiller
@ 2019-03-06 16:26         ` ng0
  0 siblings, 0 replies; 11+ messages in thread
From: ng0 @ 2019-03-06 16:26 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Julien Lepiller transcribed 2.1K bytes:
> Le 2019-03-06 15:19, ng0@n0.is a écrit :
> > Julien Lepiller transcribed 1.6K bytes:
> > > Le 2019-03-06 14:42, Ludovic Courtès a écrit :
> > > > Hi,
> > > >
> > > > Julien Lepiller <julien@lepiller.eu> skribis:
> > > >
> > > > > I use certificates from let's encrypt for my website and mail servers,
> > > > > and found that there was an issue with certificates generated by the
> > > > > certbot service in Guix: the generated private keys are world-readable
> > > > > (in a directory that cannot be accessed by anyone but root, so it's OK
> > > > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
> > > > > the files every time. I came up with a variant of the deploy-hook
> > > > > that's presented in the manual, and I'd like to update the example
> > > > > with it. Here it is:
> > > > >
> > > > > ;; Find running nginx and reload its configuration (for certificates)
> > > > > (define %my-deploy-hook
> > > > >   (program-file
> > > > >    "my-deploy-hook"
> > > > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
> > > > >             (cert-dir (getenv "RENEWED_LINEAGE"))
> > > > >             (privkey (string-append cert-dir "/privkey.pem")))
> > > > >        ;; certbot private keys are world-readable by default, and
> > > > > smtpd complains
> > > > >        ;; about that, refusing to start otherwise
> > > > >        (chmod privkey #o600)
> > > > >        (kill pid SIGHUP))))
> > > > >
> > > > > What do you think?
> > > >
> > > > It sounds like a serious issue that private keys are world-readable.  Is
> > > > it a bug on our side or in Certbot?  I think we should fix it so that
> > 
> > It's a certbot default, on all all systems.
> 
> Actually, reading https://github.com/certbot/certbot/issues/1473 suggests
> it's not the case anymore. I was probably running an older version
> of certbot.

Thanks for pointing me to this, I wasn't aware of this
 
> > 
> > > > they are never world-readable, rather than document how to work around
> > > > the bug.
> > > >
> > > > WDYT?
> > > >
> > > > Thanks,
> > > > Ludo’.
> > > 
> > > I don't think this is an issue: the file is world-readable, but the
> > > directory
> > > it's in is not accessible to anyone but root. OpenSMTPD still
> > > complains,
> > > but I think there's no security issue.
> > > 
> > > 
> 
> 

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
  2019-02-22 17:57 ` swedebugia
  2019-03-06 13:42 ` Ludovic Courtès
@ 2019-03-22  8:00 ` Chris Marusich
  2 siblings, 0 replies; 11+ messages in thread
From: Chris Marusich @ 2019-03-22  8:00 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1662 bytes --]

Hi Julien,

Sorry for the late reply.

Julien Lepiller <julien@lepiller.eu> writes:

> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK
> I guess). OpenSMTPD is not happy with that though, so I have to chmod
> the files every time. I came up with a variant of the deploy-hook
> that's presented in the manual, and I'd like to update the example
> with it. Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and
> smtpd complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?

I think it would be harmless to include as an example.  Since nobody has
said anything in a few weeks, I'd say commit it!

As for certbot's behavior, do you know why it creates the private keys
world-readable in the first place?  That seems strange.  Can certbot
itself be fixed so it doesn't do that?  If not, can we update the
service definition to somehow do this automatically for people (e.g.,
provide an optional, included-by-default deploy hook)?

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
@ 2019-03-22 10:55 Clément Lassieur
  2019-03-23  1:08 ` Chris Marusich
  0 siblings, 1 reply; 11+ messages in thread
From: Clément Lassieur @ 2019-03-22 10:55 UTC (permalink / raw)
  To: cmmarusich; +Cc: guix-devel

Hi Chris,

Unless I misunderstood, this email[1] from Julien suggests that the
issue was that certbot was too old, but it was fixed upstream.

Cheers,
Clément

[1]: https://lists.gnu.org/archive/html/guix-devel/2019-03/msg00070.html

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Renewing certificates with certbot
  2019-03-22 10:55 Clément Lassieur
@ 2019-03-23  1:08 ` Chris Marusich
  0 siblings, 0 replies; 11+ messages in thread
From: Chris Marusich @ 2019-03-23  1:08 UTC (permalink / raw)
  To: Clément Lassieur; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 291 bytes --]

Hi Clément,

Clément Lassieur <clement@lassieur.org> writes:

> Unless I misunderstood, this email[1] from Julien suggests that the
> issue was that certbot was too old, but it was fixed upstream.

You're right!  I didn't see the other replies.  Sorry for the noise!

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2019-03-23  1:09 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-02-22 13:49 Renewing certificates with certbot Julien Lepiller
2019-02-22 17:57 ` swedebugia
2019-03-06 13:42 ` Ludovic Courtès
2019-03-06 13:51   ` Julien Lepiller
2019-03-06 14:12     ` Giovanni Biscuolo
2019-03-06 14:19     ` ng0
2019-03-06 14:33       ` Julien Lepiller
2019-03-06 16:26         ` ng0
2019-03-22  8:00 ` Chris Marusich
  -- strict thread matches above, loose matches on Subject: below --
2019-03-22 10:55 Clément Lassieur
2019-03-23  1:08 ` Chris Marusich

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).