/var/lib/acme/conf/target file permission
Hey,
Thanks for maintaining acmetool. It seems exactly what I was after — an idempotent and declarative ACME client.
I'm setting up a DNS hook and added the TSIG key as an environment variable to /var/lib/acme/conf/target. However, on running acmetool, it warns of its permissions:
20220313183755 [WARN] fdb: "conf/target" has wrong mode -rw-r-----, changing to -rw-r--r--
Why is that? Given the target file now contains credentials, I'd definitely not want it to be world-readable.
Thanks!
You can override permissions enforcement using this file: https://github.com/hlandau/acmetool/blob/master/_doc/contrib/perm.example
Ah, thanks. That'll do it.
You might want to add it to https://github.com/hlandau/acmetool/blob/master/_doc/SCHEMA.md, too, as right now I don't think I would've discovered it without your help.
I gave perm a try and, if I'm not mistaken, it expects to set permissions on an entire directory. I was attempting to only lock down conf/target, but that errs with:
20220314150328 [CRITICAL] acmetool: fatal: storage: open fdb: mkdir /var/lib/acme/conf/target: not a directory
That in turn makes me think that individual certs could use a permission system. For example, the private certificate for an SMTP server would need to be owned by Postfix, whereas a certificate for a web server should only be readable by it. How do you handle these situations? State directories have a very large structure overhead, so I'm not too keen on duplicating them per-service.
Thanks!