Comments (2)
I've tried to implement this and ran into issues because the systemd unit is too locked down to modify anything that isn't a child of /var/lib/acme-redirect (this means we can't modify or create the directory itself). I'd rather keep this restriction in place instead of opening it up to modify everything in /var/lib, which means we need to rely on systemd-tmpfiles again, which means the directory is going to have a hardcoded group.
It's still possible to implement this with a different approach:
- make /var/lib/acme-redirect o+x
- make /var/lib/acme-redirect/* o-rwx
- set the group from the config for /var/lib/acme-redirect/*
from acme-redirect.
I haven't dug into the PR or how setting a group would help, but here's one I used today: Setting up Apache was easy because it only needs to read the public key. Exim wants to read the private key. Rather than mucking with the actual ownership, adding an ACL for the exim group to have read access:
[cert]
name = "example.com"
dns_names = [
    "example.com",
]
exec = [
    "setfacl -m g:exim:r /var/lib/acme-redirect/live/example.com/privkey",
    "systemctl reload exim",
]
I wasn't even sure whether the file node would get destroyed on updates or the ACL get blown away, but there you have it. Assuming the order of exec is deterministic...
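The directory layout from the first comment (top directory traversable for others, everything beneath it closed to others, group taken from the config) and the "check the private key after a renewal" concern from the second, as an added Python example that is neither acme-redirect's code nor either commenter's. The function names, the `privkey` file name and the constructed temporary tree are assumptions; the optional `group` argument stands in for the configured group and is left unset in the demo because chgrp needs group membership.

```python
import grp
import os
import stat
import tempfile
# Assumed layout (not acme-redirect's own code):
#   <root>        -> others may traverse (o+x) so hook processes can reach files
#   <root>/**     -> no access for others (o-rwx); privkey never group-writable

def _entries(root):
    """Yield (path, mode) for every non-symlink entry below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, stat.S_IMODE(os.stat(path).st_mode)

def apply_layout(root, group=None):
    """Harden a certificate tree in place; chgrp only when a group is given."""
    gid = grp.getgrnam(group).gr_gid if group else -1
    os.chmod(root, stat.S_IMODE(os.stat(root).st_mode) | stat.S_IXOTH)
    for path, mode in _entries(root):
        os.chmod(path, mode & ~stat.S_IRWXO)
        if gid != -1:
            os.chown(path, -1, gid)

def audit_layout(root):
    """Return findings; an empty list means the tree matches the layout."""
    findings = []
    if not stat.S_IMODE(os.stat(root).st_mode) & stat.S_IXOTH:
        findings.append(f"{root}: missing o+x, others cannot traverse")
    for path, mode in _entries(root):
        if mode & stat.S_IRWXO:
            findings.append(f"{path}: accessible by others ({mode:04o})")
        if os.path.basename(path) == "privkey" and mode & stat.S_IWGRP:
            findings.append(f"{path}: group-writable private key ({mode:04o})")
    return findings

def demo():
    """Build a constructed tree with loose modes, audit it before and after."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "live", "example.com")
    os.makedirs(live)
    key = os.path.join(live, "privkey")
    open(key, "w").close()  # constructed empty placeholder, not a real key
    for path, mode in ((root, 0o750), (os.path.dirname(live), 0o755),
                       (live, 0o755), (key, 0o644)):
        os.chmod(path, mode)
    before = audit_layout(root)
    apply_layout(root)
    return before, audit_layout(root)
```

Run `audit_layout` from a renewal hook to catch the case where a rewritten key file comes back with wider modes than the ACL-based approach expects.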