Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Certificate Symlinks #857

Open
mousebat opened this issue Aug 17, 2018 · 6 comments
Open

SSL Certificate Symlinks #857

mousebat opened this issue Aug 17, 2018 · 6 comments
Labels
feature
Milestone
4.x

Comments

@mousebat
Copy link

mousebat commented Aug 17, 2018
edited
Loading

Hi

I use letsencrypt to generate SSL certs for my websites. It uses symlinks to point to the most current SSL certificates as they're updated on a regular basis.

Radicale doesn't seem to want to follow the symlinks regardless of permissions/owner (the symlinks and it's parents are 777).

I'm using Radicale 2.1.10

Can anyone else replicate this?
@mousebat
Copy link
Author

mousebat commented Aug 17, 2018
edited
Loading

I've just tried putting the resolved file path in the config but still getting "[Errno 13] Permission denied: '/etc/letsencrypt/archive/mydomain/fullchain.pem'.

It appears to be permissions related on first glance but the path to the file has read permission. Not sure if my radicale user is chrooted?

I've tried changing line 203 in main.py to: filename = os.readlink(getattr(server_class, name)) but it doesn't fully resolve the chain of symlinks that LetsEncrypt uses.

I might have to just have a cron script, that runs after certbot updates the certificates, that overwrites the certificates in /etc/radicale/ssl/?

@tberger2
Copy link

tberger2 commented Aug 23, 2018
edited
Loading

This is my solution for prosody which should work after substituting file and path variables:

vi /root/certbot.sh

#!/bin/bash
LOGFILE='/var/log/messages'
echo $(date +%d.%m.%Y-%H:%Mh) >> $LOGFILE
certbot renew -a nginx --renew-hook '/root/letsencrypt-to-prosody.sh' >> $LOGFILE

vi /root/letsencrypt-to-prosody.sh

#!/bin/bash
LETSENCRYPT_DIR="/etc/letsencrypt/live/mydomain/"
CERT_DIR="/etc/jabber/certs/"
cp $LETSENCRYPT_DIR'fullchain.pem' $LETSENCRYPT_DIR'privkey.pem' $CERT_DIR
/etc/init.d/prosody reload
echo "certs successfully updatetd" | mail -s "Let's Encrypt" [email protected]

crontab -e
0 0 * * 0 /bin/bash -l -c "/root/certbot.sh"

@mousebat
Copy link
Author

Yeah - that's a more elegant solution than I currently use which involves running the command to copy the ssl's directly from within cron with no logging.

Would be good if python could follow "chained" symlinks properly tho ;)

@dittnamn
Copy link

I ran into this problem as well, and I would suggest replacing open(filename, "r").close() with open(os.path.realpath(filename), "r").close() in radicale/server.py.

@sphakka
Copy link

sphakka commented Sep 19, 2023

I ran into this problem as well, and I would suggest replacing open(filename, "r").close() with open(os.path.realpath(filename), "r").close() in radicale/server.py.

That wouldn't solve the issue, because of the restrictive ownership and permissions of the symlink's target. So, install a deploy hook like @tberger2's or use ACLs.

On the long run, I suggest to enhance radicale with some privilege-dropping mechanism so that it can deal with any system-level permissions at start-up.

@pbiering
Copy link
Collaborator

pbiering commented Mar 3, 2024

related to #692

@pbiering pbiering added this to the 4.x milestone Mar 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
4.x
Development

No branches or pull requests
5 participants
@mousebat @sphakka @pbiering @tberger2 @dittnamn