Feature :: Add ability to specify ownership and umask on created files
The default, extremely restrictive umask works for many circumstances, but some situations (e.g. Debian's exim) cannot work with this - in this example the process reading the key & cert files is not root.
To make this possible the admin has only one choice right now - manually fix the permissions. This cannot be the final solution, as subsequent cert refreshes may cancel these changes and leave the system in a broken state.
The request, therefore, is as follows:
- Add an option to specify the ownership/umask on created files, i.e.
  DOMAIN_CHAIN_LOCATION, DOMAIN_KEY_LOCATION
- Add an option to specify the ownership/umask on the domain directory, i.e.
  DOMAIN_DIR
ad 1) These should be able to be configured separately? i.e. specify ownership/umask for certs and keys separately.
ad 2) The reason why it is needed would be interesting? The domain dir should be only used by getssl and certs should be copied out from it with the location variables.
We ran into this issue last night too. slapd failed to restart as the permissions on the key file were wrong. The correct permissions for slapd in our case are ownership root:ssl-cert and umask 0640.
What is needed in order for the issue to be resolved?
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.