letsencrypt: tighten certificate permissions

Ensure the certificate material is not world-readable. Create a letsencrypt group, and have things owned by root but group readable. Change-Id: I49a6a8520aca27e70b3e48d0fcc874daf1c4ff24
2019-04-11 10:09:19 +10:00 · 2019-04-11 10:09:19 +10:00 · dedd3a409f
commit dedd3a409f
parent f028966fd3
3 changed files with 27 additions and 1 deletions
--- a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
+++ b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
@ -12,6 +12,9 @@ if [[ ${LETSENCRYPT_STAGING} != 0 ]]; then
    STAGING="--staging"
 fi

+# Ensure we don't write out files as world-readable
+umask 027
+
 echo -e  "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}

 if [[ ${1} == "issue" ]]; then
--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@ -4,6 +4,11 @@
    dest: /opt/acme.sh
    version: dev

+- name: Install letsencrypt group
+  group:
+    name: letsencrypt
+    state: present
+
 - name: Install driver script
  copy:
    src: driver.sh
@ -20,4 +25,12 @@
  include_role:
    name: logrotate
  vars:
-    logrotate_file_name: /var/log/acme.sh/acme.sh.log
+    logrotate_file_name: /var/log/acme.sh/acme.sh.log
+
+- name: Setup top level cert directory
+  file:
+    path: /etc/letsencrypt-certs
+    state: directory
+    owner: root
+    group: letsencrypt
+    mode: u=rwx,g=rx,o=,g+s
--- a/testinfra/test_letsencrypt.py
+++ b/testinfra/test_letsencrypt.py
@ -45,16 +45,26 @@ def test_certs_created(host):
            '/etc/letsencrypt-certs/'
            'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
        assert domain_one.exists
+        assert domain_one.user == "root"
+        assert domain_one.group == "letsencrypt"
+        assert domain_one.mode == 0o640
+
        domain_two = host.file(
            '/etc/letsencrypt-certs/'
            'someotherservice.opendev.org/someotherservice.opendev.org.key')
        assert domain_two.exists
+        assert domain_two.user == "root"
+        assert domain_two.group == "letsencrypt"
+        assert domain_two.mode == 0o640

    elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
        domain_one = host.file(
            '/etc/letsencrypt-certs/'
            'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
        assert domain_one.exists
+        assert domain_one.user == "root"
+        assert domain_one.group == "letsencrypt"
+        assert domain_one.mode == 0o640

    else:
        pytest.skip()