Wrong default permissions on certificate files #1

Closed
opened 2021-11-14 17:33:55 +00:00 by 3wordchant · 3 comments
Owner

`snikket_server` gives a permissions error on start, requiring an `abra app run snikket_snikket_demo_coopcloud_tech snikket_server chmod -R 777 /certs/snikket.demo.coopcloud.tech/` and then restarting the `snikket_server` service.

Perhaps setting world readable permissions in the docker volume spec would help?

Owner

Ah yep. I ended up running `chown -R prosody:prosody /certs/*`. But yeh, the certdumper does then overwrite those permissions later on.

Seems like we could add something into the certdumper command there? I did notice that there are a few certdumper containers going around and I realised that I used a different one for another project without even knowing I was. Config looks like:

```
  cert_mgmr:
    image: humenius/traefik-certs-dumper:1.4.1
    volumes:
      - ${TRAEFIK_SERVICE}:/traefik:ro
      - certs:/output:rw
    environment:
      - DOMAIN=foo.com
      - OVERRIDE_UID=10001
      - OVERRIDE_GID=10001
```

User/groups perms are supported by this one but idk if there is an advantage over `ldez/traefik-certs-dumper:v2.7.4` or it is missing some feature or whatever.

Author
Owner

@roxxers you got any suggestions from your recent work on `certdumper`?

Owner

Pretty gnarly breaking change but this is now solved with https://git.coopcloud.tech/coop-cloud/snikket/src/commit/c9646a190086394fdb9bec9550f9033b010b6329/compose.yml#L77-L86

compose.yml, lines 77 to 86 in c9646a1900:

```
  certs:
    image: humenius/traefik-certs-dumper:1.5
    volumes:
      - traefik_letsencrypt:/traefik
      - certs:/output
    environment:
      - ACME_FILE_PATH=/traefik/production-acme.json
      - DOMAIN=${DOMAIN},groups.${DOMAIN},share.${DOMAIN}
      - OVERRIDE_UID=101 # prosody
      - OVERRIDE_GID=102 # prosody
```

(and a somewhat better cert dumper setup that only dumps the relevant certs for the matching domains?).

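An added example, not part of the thread or the recipe's own code: a POSIX shell check for a dumped-certificate directory that flags what the `chmod -R 777` workaround leaves behind (world-writable entries, world-readable key files) and verifies the ownership that `OVERRIDE_UID`/`OVERRIDE_GID` is meant to produce. The `audit_certs` name, the `*key*` filename pattern for private keys and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a directory of dumped certificates.
# Assumptions: private keys are files whose name contains "key";
# the expected owner is given as numeric UID/GID (101 102 for prosody
# in the compose.yml quoted above).

# audit_certs DIR UID GID
# Prints one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_certs() {
    dir=$1 want_uid=$2 want_gid=$3
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=$(
        # Writable by "other": what chmod -R 777 sets on every file and dir.
        find "$dir" ! -type l -perm -0002 -print |
            sed 's/^/WORLD-WRITABLE /'
        # Private keys readable by "other".
        find "$dir" -type f -name '*key*' -perm -0004 -print |
            sed 's/^/WORLD-READABLE-KEY /'
        # Not owned by the UID/GID the consuming service runs as.
        find "$dir" ! -type l \
            \( ! -user "$want_uid" -o ! -group "$want_gid" \) -print |
            sed 's/^/WRONG-OWNER /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run directly as: sh audit_certs.sh /certs 101 102
if [ "$#" -eq 3 ]; then
    audit_certs "$@"
fi
```

Run inside the container that mounts the `certs` volume, it exits non-zero while either the 777 workaround or a dumper-reset ownership is still in effect.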