letsencrypt: tighten certificate permissions
Ensure the certificate material is not world-readable. Create a letsencrypt group, and have things owned by root but group readable. Change-Id: I49a6a8520aca27e70b3e48d0fcc874daf1c4ff24
This commit is contained in:
parent
f028966fd3
commit
dedd3a409f
@ -12,6 +12,9 @@ if [[ ${LETSENCRYPT_STAGING} != 0 ]]; then
|
|||||||
STAGING="--staging"
|
STAGING="--staging"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Ensure we don't write out files as world-readable
|
||||||
|
umask 027
|
||||||
|
|
||||||
echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
|
echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
|
||||||
|
|
||||||
if [[ ${1} == "issue" ]]; then
|
if [[ ${1} == "issue" ]]; then
|
||||||
|
@ -4,6 +4,11 @@
|
|||||||
dest: /opt/acme.sh
|
dest: /opt/acme.sh
|
||||||
version: dev
|
version: dev
|
||||||
|
|
||||||
|
- name: Install letsencrypt group
|
||||||
|
group:
|
||||||
|
name: letsencrypt
|
||||||
|
state: present
|
||||||
|
|
||||||
- name: Install driver script
|
- name: Install driver script
|
||||||
copy:
|
copy:
|
||||||
src: driver.sh
|
src: driver.sh
|
||||||
@ -20,4 +25,12 @@
|
|||||||
include_role:
|
include_role:
|
||||||
name: logrotate
|
name: logrotate
|
||||||
vars:
|
vars:
|
||||||
logrotate_file_name: /var/log/acme.sh/acme.sh.log
|
logrotate_file_name: /var/log/acme.sh/acme.sh.log
|
||||||
|
|
||||||
|
- name: Setup top level cert directory
|
||||||
|
file:
|
||||||
|
path: /etc/letsencrypt-certs
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: letsencrypt
|
||||||
|
mode: u=rwx,g=rx,o=,g+s
|
||||||
|
@ -45,16 +45,26 @@ def test_certs_created(host):
|
|||||||
'/etc/letsencrypt-certs/'
|
'/etc/letsencrypt-certs/'
|
||||||
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
|
'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
|
||||||
assert domain_one.exists
|
assert domain_one.exists
|
||||||
|
assert domain_one.user == "root"
|
||||||
|
assert domain_one.group == "letsencrypt"
|
||||||
|
assert domain_one.mode == 0o640
|
||||||
|
|
||||||
domain_two = host.file(
|
domain_two = host.file(
|
||||||
'/etc/letsencrypt-certs/'
|
'/etc/letsencrypt-certs/'
|
||||||
'someotherservice.opendev.org/someotherservice.opendev.org.key')
|
'someotherservice.opendev.org/someotherservice.opendev.org.key')
|
||||||
assert domain_two.exists
|
assert domain_two.exists
|
||||||
|
assert domain_two.user == "root"
|
||||||
|
assert domain_two.group == "letsencrypt"
|
||||||
|
assert domain_two.mode == 0o640
|
||||||
|
|
||||||
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
|
elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
|
||||||
domain_one = host.file(
|
domain_one = host.file(
|
||||||
'/etc/letsencrypt-certs/'
|
'/etc/letsencrypt-certs/'
|
||||||
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
|
'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
|
||||||
assert domain_one.exists
|
assert domain_one.exists
|
||||||
|
assert domain_one.user == "root"
|
||||||
|
assert domain_one.group == "letsencrypt"
|
||||||
|
assert domain_one.mode == 0o640
|
||||||
|
|
||||||
else:
|
else:
|
||||||
pytest.skip()
|
pytest.skip()
|
||||||
|
Loading…
Reference in New Issue
Block a user