letsencrypt: tighten certificate permissions

Ensure the certificate material is not world-readable.  Create a
letsencrypt group, and have things owned by root but group readable.

Change-Id: I49a6a8520aca27e70b3e48d0fcc874daf1c4ff24
This commit is contained in:
Ian Wienand 2019-04-11 10:09:19 +10:00
parent f028966fd3
commit dedd3a409f
3 changed files with 27 additions and 1 deletions

View File

@ -12,6 +12,9 @@ if [[ ${LETSENCRYPT_STAGING} != 0 ]]; then
STAGING="--staging"
fi
# Ensure we don't write out files as world-readable
umask 027
echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
if [[ ${1} == "issue" ]]; then

View File

@ -4,6 +4,11 @@
dest: /opt/acme.sh
version: dev
- name: Install letsencrypt group
group:
name: letsencrypt
state: present
- name: Install driver script
copy:
src: driver.sh
@ -20,4 +25,12 @@
include_role:
name: logrotate
vars:
logrotate_file_name: /var/log/acme.sh/acme.sh.log
logrotate_file_name: /var/log/acme.sh/acme.sh.log
- name: Setup top level cert directory
file:
path: /etc/letsencrypt-certs
state: directory
owner: root
group: letsencrypt
mode: u=rwx,g=rx,o=,g+s

View File

@ -45,16 +45,26 @@ def test_certs_created(host):
'/etc/letsencrypt-certs/'
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
assert domain_one.exists
assert domain_one.user == "root"
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
domain_two = host.file(
'/etc/letsencrypt-certs/'
'someotherservice.opendev.org/someotherservice.opendev.org.key')
assert domain_two.exists
assert domain_two.user == "root"
assert domain_two.group == "letsencrypt"
assert domain_two.mode == 0o640
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
domain_one = host.file(
'/etc/letsencrypt-certs/'
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
assert domain_one.exists
assert domain_one.user == "root"
assert domain_one.group == "letsencrypt"
assert domain_one.mode == 0o640
else:
pytest.skip()