acme.sh
token file permissions
Steps to reproduce
When using LiteSpeed or OpenLiteSpeed, and default umask of 0077 on Linux:
acme.sh --issue -d www.mydomain.com -w /var/domains/d/html
fails because the token file is not readable by nobody (webserver user)
Please upgrade to the latest code and try again first. Maybe it's already fixed.
acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
Not fixed in updated code. The root cause seems to be that pre-hook is executed in a subshell which exits before requesting certificate. Therefore --pre-hook='umask 0022' does not fix the permissions on the token file. I think changing the owner/group of .well-known/ directory recursively is too drastic, whereas simply making the token file (a transient file) world readable is sufficient and more secure. Therefore, adding a chmod is a good idea like this:
--- acme.sh.orig 2022-09-03 13:09:02.272158313 -0400
+++ acme.sh 2022-09-03 13:09:41.452091020 -0400
@@ -4866,6 +4866,7 @@
_on_issue_err "$_post_hook" "$vlist"
return 1
fi
+ chmod a+r "$wellknown_path/$token" || return 1
if [ ! "$usingApache" ]; then
if webroot_owner=$(_stat "$_currentRoot"); then
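Review bot: the added `chmod a+r "$wellknown_path/$token" || return 1` bails out without the `_on_issue_err "$_post_hook" "$vlist"` call that the error branch immediately above it makes before its own `return 1`, so a chmod failure skips the post-hook handling that every other failure at this point runs. Route it through the same error path, e.g. `if ! chmod a+r "$wellknown_path/$token"; then _on_issue_err "$_post_hook" "$vlist"; return 1; fi`. Note also that `a+r` on the token only helps when `$wellknown_path` and its parents are traversable by the web server user, which is the directory-permission point raised in the reply below and is still worth covering in the same change.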
you can mkdir and change the permissions of the folder .well-known/ by yourself before issuing a cert.
acme.sh will respect the permissions.
Not a solution. The issue is about the permissions on the token file created inside .well-known/, not about permissions on .well-known/ (Now, resist the urge to say: "create token file yourself. acme.sh will respect")
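The two claims in this thread, that a `--pre-hook='umask 0022'` run in a subshell cannot change the mode of the token written afterwards, and that what the web server user actually needs is o+r on the token plus o+x on every directory from the webroot down, can be checked with the script below. It is an added example, not code from acme.sh; it assumes GNU coreutils (`stat -c`, `mktemp -d`) and builds its own throwaway webroot.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Assumes GNU coreutils (stat -c, mktemp -d).

# Last octal digit of the mode, i.e. the "other" permission bits.
_other_bits() {
  _m=$(stat -c '%a' "$1") || return 1
  printf '%s\n' "${_m#"${_m%?}"}"
}

# check_token_readable FILE WEBROOT
# Returns 0 when every directory from WEBROOT down to FILE is traversable by
# others (o+x) and FILE is readable by others (o+r), which is what a web
# server running as "nobody" needs to serve the challenge; 1 otherwise.
check_token_readable() {
  _f=$1 _root=$2 _d=$(dirname "$1")
  while :; do
    case $(_other_bits "$_d") in
      1|3|5|7) ;;
      *) echo "not traversable by others: $_d"; return 1 ;;
    esac
    [ "$_d" = "$_root" ] && break
    [ "$_d" = "/" ] && return 1     # walked past WEBROOT without meeting it
    _d=$(dirname "$_d")
  done
  case $(_other_bits "$_f") in
    4|5|6|7) return 0 ;;
    *) echo "not readable by others: $_f"; return 1 ;;
  esac
}

# Reproduce the report: .well-known/ is pre-created world traversable (as the
# maintainer suggests), but the issuing shell has umask 0077 and the
# "pre-hook" runs in its own subshell, so the token still lands as 0600.
# Prints the constructed token path.
make_token_like_acme() {
  _root=$(mktemp -d) && chmod 755 "$_root"
  mkdir -m 755 -p "$_root/.well-known" "$_root/.well-known/acme-challenge"
  (
    umask 0077                      # issuing user's default umask
    ( umask 0022 )                  # pre-hook: subshell, no effect outside it
    echo "constructed-token-body" >"$_root/.well-known/acme-challenge/token"
  )
  printf '%s\n' "$_root/.well-known/acme-challenge/token"
}
```

Running `check_token_readable` on the token fails until `chmod a+r` is applied to it, which is the behaviour the proposed patch relies on.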
fixed, please try again:
acme.sh --upgrade -b dev