Renewing certificates with certbot

Renewing certificates with certbot

[Julien Lepiller]

Hi,

I use certificates from let's encrypt for my website and mail servers, 
and found that there was an issue with certificates generated by the 
certbot service in Guix: the generated private keys are world-readable 
(in a directory that cannot be accessed by anyone but root, so it's OK I 
guess). OpenSMTPD is not happy with that though, so I have to chmod the 
files every time. I came up with a variant of the deploy-hook that's 
presented in the manual, and I'd like to update the example with it. 
Here it is:

;; Find running nginx and reload its configuration (for certificates)
(define %my-deploy-hook
   (program-file
    "my-deploy-hook"
    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
             (cert-dir (getenv "RENEWED_LINEAGE"))
             (privkey (string-append cert-dir "/privkey.pem")))
        ;; certbot private keys are world-readable by default, and smtpd 
complains
        ;; about that, refusing to start otherwise
        (chmod privkey #o600)
        (kill pid SIGHUP))))

What do you think?

Re: Renewing certificates with certbot

[swedebugia]

[-- Attachment #1.1: Type: text/plain, Size: 1243 bytes --]

On 2019-02-22 14:49, Julien Lepiller wrote:
> Hi,
> 
> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK I
> guess). OpenSMTPD is not happy with that though, so I have to chmod the
> files every time. I came up with a variant of the deploy-hook that's
> presented in the manual, and I'd like to update the example with it.
> Here it is:
> 
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and smtpd
> complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
> 
> What do you think?
> 

LGTM.

-- 
Cheers Swedebugia


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: Renewing certificates with certbot

[Ludovic Courtès]

Hi,

Julien Lepiller <julien@lepiller.eu> skribis:

> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK
> I guess). OpenSMTPD is not happy with that though, so I have to chmod
> the files every time. I came up with a variant of the deploy-hook
> that's presented in the manual, and I'd like to update the example
> with it. Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and
> smtpd complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?

It sounds like a serious issue that private keys are world-readable.  Is
it a bug on our side or in Certbot?  I think we should fix it so that
they are never world-readable, rather than document how to work around
the bug.

WDYT?

Thanks,
Ludo’.

Re: Renewing certificates with certbot

[Julien Lepiller]

Le 2019-03-06 14:42, Ludovic Courtès a écrit :
> Hi,
> 
> Julien Lepiller <julien@lepiller.eu> skribis:
> 
>> I use certificates from let's encrypt for my website and mail servers,
>> and found that there was an issue with certificates generated by the
>> certbot service in Guix: the generated private keys are world-readable
>> (in a directory that cannot be accessed by anyone but root, so it's OK
>> I guess). OpenSMTPD is not happy with that though, so I have to chmod
>> the files every time. I came up with a variant of the deploy-hook
>> that's presented in the manual, and I'd like to update the example
>> with it. Here it is:
>> 
>> ;; Find running nginx and reload its configuration (for certificates)
>> (define %my-deploy-hook
>>   (program-file
>>    "my-deploy-hook"
>>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>>             (cert-dir (getenv "RENEWED_LINEAGE"))
>>             (privkey (string-append cert-dir "/privkey.pem")))
>>        ;; certbot private keys are world-readable by default, and
>> smtpd complains
>>        ;; about that, refusing to start otherwise
>>        (chmod privkey #o600)
>>        (kill pid SIGHUP))))
>> 
>> What do you think?
> 
> It sounds like a serious issue that private keys are world-readable.  
> Is
> it a bug on our side or in Certbot?  I think we should fix it so that
> they are never world-readable, rather than document how to work around
> the bug.
> 
> WDYT?
> 
> Thanks,
> Ludo’.

I don't think this is an issue: the file is world-readable, but the 
directory
it's in is not accessible to anyone but root. OpenSMTPD still complains,
but I think there's no security issue.

Re: Renewing certificates with certbot

[Giovanni Biscuolo]

[-- Attachment #1: Type: text/plain, Size: 712 bytes --]

Hi Julien,

Julien Lepiller <julien@lepiller.eu> writes:

[...]

> I don't think this is an issue: the file is world-readable, but the 
> directory
> it's in is not accessible to anyone but root. OpenSMTPD still complains,
> but I think there's no security issue.

not a seriuos (security) issue but an issue (service warning) should be
fixed anyway IMHO, other *future* services could be affacted by this and
complain or not start at all

your fix should be applied in certbot-service-type service definition if
possible (and reported upstream if it depends on the software)

WDYT?

sorry I can't help fixing this

Thanks!
Giovanni

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Renewing certificates with certbot

[ng0]

Julien Lepiller transcribed 1.6K bytes:
> Le 2019-03-06 14:42, Ludovic Courtès a écrit :
> > Hi,
> > 
> > Julien Lepiller <julien@lepiller.eu> skribis:
> > 
> > > I use certificates from let's encrypt for my website and mail servers,
> > > and found that there was an issue with certificates generated by the
> > > certbot service in Guix: the generated private keys are world-readable
> > > (in a directory that cannot be accessed by anyone but root, so it's OK
> > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
> > > the files every time. I came up with a variant of the deploy-hook
> > > that's presented in the manual, and I'd like to update the example
> > > with it. Here it is:
> > > 
> > > ;; Find running nginx and reload its configuration (for certificates)
> > > (define %my-deploy-hook
> > >   (program-file
> > >    "my-deploy-hook"
> > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
> > >             (cert-dir (getenv "RENEWED_LINEAGE"))
> > >             (privkey (string-append cert-dir "/privkey.pem")))
> > >        ;; certbot private keys are world-readable by default, and
> > > smtpd complains
> > >        ;; about that, refusing to start otherwise
> > >        (chmod privkey #o600)
> > >        (kill pid SIGHUP))))
> > > 
> > > What do you think?
> > 
> > It sounds like a serious issue that private keys are world-readable.  Is
> > it a bug on our side or in Certbot?  I think we should fix it so that

It's a certbot default, on all all systems.

> > they are never world-readable, rather than document how to work around
> > the bug.
> > 
> > WDYT?
> > 
> > Thanks,
> > Ludo’.
> 
> I don't think this is an issue: the file is world-readable, but the
> directory
> it's in is not accessible to anyone but root. OpenSMTPD still complains,
> but I think there's no security issue.
> 
> 

Re: Renewing certificates with certbot

[Julien Lepiller]

Le 2019-03-06 15:19, ng0@n0.is a écrit :
> Julien Lepiller transcribed 1.6K bytes:
>> Le 2019-03-06 14:42, Ludovic Courtès a écrit :
>> > Hi,
>> >
>> > Julien Lepiller <julien@lepiller.eu> skribis:
>> >
>> > > I use certificates from let's encrypt for my website and mail servers,
>> > > and found that there was an issue with certificates generated by the
>> > > certbot service in Guix: the generated private keys are world-readable
>> > > (in a directory that cannot be accessed by anyone but root, so it's OK
>> > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
>> > > the files every time. I came up with a variant of the deploy-hook
>> > > that's presented in the manual, and I'd like to update the example
>> > > with it. Here it is:
>> > >
>> > > ;; Find running nginx and reload its configuration (for certificates)
>> > > (define %my-deploy-hook
>> > >   (program-file
>> > >    "my-deploy-hook"
>> > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>> > >             (cert-dir (getenv "RENEWED_LINEAGE"))
>> > >             (privkey (string-append cert-dir "/privkey.pem")))
>> > >        ;; certbot private keys are world-readable by default, and
>> > > smtpd complains
>> > >        ;; about that, refusing to start otherwise
>> > >        (chmod privkey #o600)
>> > >        (kill pid SIGHUP))))
>> > >
>> > > What do you think?
>> >
>> > It sounds like a serious issue that private keys are world-readable.  Is
>> > it a bug on our side or in Certbot?  I think we should fix it so that
> 
> It's a certbot default, on all all systems.

Actually, reading https://github.com/certbot/certbot/issues/1473 
suggests
it's not the case anymore. I was probably running an older version
of certbot.

> 
>> > they are never world-readable, rather than document how to work around
>> > the bug.
>> >
>> > WDYT?
>> >
>> > Thanks,
>> > Ludo’.
>> 
>> I don't think this is an issue: the file is world-readable, but the
>> directory
>> it's in is not accessible to anyone but root. OpenSMTPD still 
>> complains,
>> but I think there's no security issue.
>> 
>> 

Re: Renewing certificates with certbot

[ng0]

Julien Lepiller transcribed 2.1K bytes:
> Le 2019-03-06 15:19, ng0@n0.is a écrit :
> > Julien Lepiller transcribed 1.6K bytes:
> > > Le 2019-03-06 14:42, Ludovic Courtès a écrit :
> > > > Hi,
> > > >
> > > > Julien Lepiller <julien@lepiller.eu> skribis:
> > > >
> > > > > I use certificates from let's encrypt for my website and mail servers,
> > > > > and found that there was an issue with certificates generated by the
> > > > > certbot service in Guix: the generated private keys are world-readable
> > > > > (in a directory that cannot be accessed by anyone but root, so it's OK
> > > > > I guess). OpenSMTPD is not happy with that though, so I have to chmod
> > > > > the files every time. I came up with a variant of the deploy-hook
> > > > > that's presented in the manual, and I'd like to update the example
> > > > > with it. Here it is:
> > > > >
> > > > > ;; Find running nginx and reload its configuration (for certificates)
> > > > > (define %my-deploy-hook
> > > > >   (program-file
> > > > >    "my-deploy-hook"
> > > > >    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
> > > > >             (cert-dir (getenv "RENEWED_LINEAGE"))
> > > > >             (privkey (string-append cert-dir "/privkey.pem")))
> > > > >        ;; certbot private keys are world-readable by default, and
> > > > > smtpd complains
> > > > >        ;; about that, refusing to start otherwise
> > > > >        (chmod privkey #o600)
> > > > >        (kill pid SIGHUP))))
> > > > >
> > > > > What do you think?
> > > >
> > > > It sounds like a serious issue that private keys are world-readable.  Is
> > > > it a bug on our side or in Certbot?  I think we should fix it so that
> > 
> > It's a certbot default, on all all systems.
> 
> Actually, reading https://github.com/certbot/certbot/issues/1473 suggests
> it's not the case anymore. I was probably running an older version
> of certbot.

Thanks for pointing me to this, I wasn't aware of this
 
> > 
> > > > they are never world-readable, rather than document how to work around
> > > > the bug.
> > > >
> > > > WDYT?
> > > >
> > > > Thanks,
> > > > Ludo’.
> > > 
> > > I don't think this is an issue: the file is world-readable, but the
> > > directory
> > > it's in is not accessible to anyone but root. OpenSMTPD still
> > > complains,
> > > but I think there's no security issue.
> > > 
> > > 
> 
> 

Re: Renewing certificates with certbot

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 1662 bytes --]

Hi Julien,

Sorry for the late reply.

Julien Lepiller <julien@lepiller.eu> writes:

> I use certificates from let's encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK
> I guess). OpenSMTPD is not happy with that though, so I have to chmod
> the files every time. I came up with a variant of the deploy-hook
> that's presented in the manual, and I'd like to update the example
> with it. Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and
> smtpd complains
>        ;; about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?

I think it would be harmless to include as an example.  Since nobody has
said anything in a few weeks, I'd say commit it!

As for certbot's behavior, do you know why it creates the private keys
world-readable in the first place?  That seems strange.  Can certbot
itself be fixed so it doesn't do that?  If not, can we update the
service definition to somehow do this automatically for people (e.g.,
provide an optional, included-by-default deploy hook)?

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: Renewing certificates with certbot

[Clément Lassieur]

Hi Chris,

Unless I misunderstood, this email[1] from Julien suggests that the
issue was that certbot was too old, but it was fixed upstream.

Cheers,
Clément

[1]: https://lists.gnu.org/archive/html/guix-devel/2019-03/msg00070.html

Re: Renewing certificates with certbot

[Chris Marusich]

[-- Attachment #1: Type: text/plain, Size: 291 bytes --]

Hi Clément,

Clément Lassieur <clement@lassieur.org> writes:

> Unless I misunderstood, this email[1] from Julien suggests that the
> issue was that certbot was too old, but it was fixed upstream.

You're right!  I didn't see the other replies.  Sorry for the noise!

-- 
Chris

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]