From: Chris Marusich
Subject: Re: Renewing certificates with certbot
Date: Fri, 22 Mar 2019 01:00:18 -0700
Message-ID: <87k1gr5ofh.fsf@gmail.com>
In-Reply-To: (Julien Lepiller's message of "Fri, 22 Feb 2019 14:49:52 +0100")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Julien Lepiller
Cc: guix-devel@gnu.org

Hi Julien,

Sorry for the late reply.

Julien Lepiller writes:

> I use certificates from Let's Encrypt for my website and mail servers,
> and found that there was an issue with certificates generated by the
> certbot service in Guix: the generated private keys are world-readable
> (in a directory that cannot be accessed by anyone but root, so it's OK
> I guess). OpenSMTPD is not happy with that though, so I have to chmod
> the files every time.
>
> I came up with a variant of the deploy-hook that's presented in the
> manual, and I'd like to update the example with it. Here it is:
>
> ;; Find running nginx and reload its configuration (for certificates)
> (define %my-deploy-hook
>   (program-file
>    "my-deploy-hook"
>    #~(let* ((pid (call-with-input-file "/var/run/nginx/pid" read))
>             (cert-dir (getenv "RENEWED_LINEAGE"))
>             (privkey (string-append cert-dir "/privkey.pem")))
>        ;; certbot private keys are world-readable by default, and smtpd
>        ;; complains about that, refusing to start otherwise
>        (chmod privkey #o600)
>        (kill pid SIGHUP))))
>
> What do you think?

I think it would be harmless to include as an example.  Since nobody has
said anything in a few weeks, I'd say commit it!

As for certbot's behavior, do you know why it creates the private keys
world-readable in the first place?  That seems strange.  Can certbot
itself be fixed so it doesn't do that?  If not, can we update the
service definition to somehow do this automatically for people (e.g.,
provide an optional, included-by-default deploy hook)?

-- 
Chris
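An added illustration, not part of the thread and not the Guix service's own code: the same deploy hook written as a POSIX shell script, the form certbot runs directly via `--deploy-hook` or from /etc/letsencrypt/renewal-hooks/deploy/. certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks; privkey.pem there is a symlink into archive/<name>/, and chmod follows the symlink, so the mode change lands on the real key file. Because certbot writes a fresh privkeyN.pem on each renewal, the hook has to run on every renewal, which is why a one-off chmod is not enough. Unlike the Guile version, this one checks that the key exists before touching anything and only signals nginx if the pid file names a live process, so a renewal on a host where nginx is stopped does not abort the hook. The lineage and pid-file paths are parameters (the pid-file default /var/run/nginx/pid comes from the hook above) so the function can be exercised on a scratch directory; the `key_mode` helper is an assumed name for illustration.

```shell
#!/bin/sh
# Deploy hook for certbot: tighten the renewed private key and reload nginx.
# Added example; assumes certbot sets RENEWED_LINEAGE as it does for
# --deploy-hook scripts, and that nginx writes its pid to /var/run/nginx/pid.
set -eu

# $1: lineage directory (certbot's RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.org)
# $2: nginx pid file (optional; defaults to the path used by the Guix nginx service)
deploy_renewed_cert() {
    lineage=$1
    pidfile=${2:-/var/run/nginx/pid}
    privkey="$lineage/privkey.pem"

    # A lineage without a key means a wrong path; fail loudly rather than
    # silently leaving the key at its default permissions.
    if [ ! -f "$privkey" ]; then
        echo "deploy hook: $privkey not found" >&2
        return 1
    fi

    # privkey.pem is a symlink into archive/; chmod follows it, so the
    # archive copy that certbot just created becomes root-only.
    chmod 0600 "$privkey"

    # Reload nginx only when it is actually running: a missing pid file or a
    # stale pid must not turn a successful renewal into a failed hook.
    if [ -f "$pidfile" ]; then
        pid=$(cat "$pidfile")
        if kill -0 "$pid" 2>/dev/null; then
            kill -HUP "$pid"
        fi
    fi
}

# Octal mode of a file, so the effect of the hook can be verified
# (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# When invoked by certbot, RENEWED_LINEAGE is set: run the hook on it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_renewed_cert "$RENEWED_LINEAGE"
fi
```

To try it outside certbot, point the function at a scratch directory containing a dummy privkey.pem and a non-existent pid file; the key ends up mode 600 and nothing is signalled.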