How to give group read permissions for a certain private key?
dboehmer opened this issue · 2 comments
I want to run the Radicale CalDAV as packaged by Debian with a LE certificate. Radicale is directly started as a non-root user and group and is missing permissions to read the private key. How to configure the `conf/perm` file to grant a group read permissions?
This is what the `live` directory looks like for this domain (I replaced my actual domain name):

```
root@mx:~# ls -l /var/lib/acme/live/dav.example.com/ -L
total 20
-rw-r--r-- 1 root root 2163 Oct 25 14:40 cert
-rw-r--r-- 1 root root 1647 Oct 25 14:40 chain
-rw-r--r-- 1 root root 3810 Oct 25 14:40 fullchain
-rw------- 1 root root 1675 Oct 25 14:40 privkey
-rw-r--r-- 1 root root 83 Oct 25 14:40 url
```
I tried to configure `conf/perm` like this:

```
live/dav.example.com/privkey 0640 0750 root radicale
```

- user `root` should still own the file with `rw-`
- group `radicale` should have group permission `r--`
- directory permissions are pointless in case of a single file
But acmetool fails to apply these permissions because it seems to expect every pattern to be a directory:

```
root@mx:~# acmetool
20181025145545 [CRITICAL] acmetool: fatal: storage: mkdir /var/lib/acme/live/dav.example.com/privkey: not a directory
```
There are multiple domains with LE certificates on this system and I want to explicitly grant permissions for this single private key.
There is an issue that touches on this already: #140
That said, absent a fix for that issue you could add radicale to the 'ssl' group, and use the conf/perms file to assign read access to (all) the private keys. This does let any daemon you have that uses ssl keys read all of your private keys, but it's the only way at this moment.
Okay, this is not a perfect solution but it works and I can accept it. I fixed the missing permission by adding the service user to group `ssl-cert` and adding this to `acme/conf/perm`:

```
# path-pattern file-mode dir-mode uid gid
keys 0640 0750 root ssl-cert
```
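An added check for the two failure modes in this thread, the key being unreadable to the service group (0600) and the key being readable by everyone (0644), written as example shell here rather than taken from acmetool; it builds a constructed `keys/<id>/privkey` tree, audits it, and applies the `0640` / `0750` modes from the `conf/perm` line above (ownership is left alone since `chown root:ssl-cert` needs root and a real `ssl-cert` group).

```shell
#!/bin/sh
# Example audit/fix helpers (not part of acmetool). Layout mirrors the
# issue: keys/<id>/privkey, file-mode 0640, dir-mode 0750.

# Build a constructed sample tree: keyA is locked down the way acmetool
# created it (0600, blocks the service group), keyB is deliberately
# world-readable (0644) so the audit has something to catch.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/keys/keyA" "$root/keys/keyB"
    chmod 0750 "$root/keys"
    printf 'constructed placeholder, not a real key\n' > "$root/keys/keyA/privkey"
    printf 'constructed placeholder, not a real key\n' > "$root/keys/keyB/privkey"
    chmod 0700 "$root/keys/keyA" && chmod 0600 "$root/keys/keyA/privkey"
    chmod 0755 "$root/keys/keyB" && chmod 0644 "$root/keys/keyB/privkey"
    echo "$root"
}

# Count files/dirs under $1 that grant anything to "other" (mode bits 007).
# A tree matching "0640 / 0750" yields 0; anything else is a key leak.
count_world_accessible() {
    find "$1" \( -type f -o -type d \) -perm /007 | wc -l | tr -d ' '
}

# Count files under $1 that the group cannot read: exactly the 0600
# privkey that stopped Radicale from starting.
count_group_unreadable() {
    find "$1" -type f ! -perm -g=r | wc -l | tr -d ' '
}

# Apply the modes from the conf/perm line: 0750 for dirs, 0640 for files.
apply_key_modes() {
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Demo run on the constructed tree.
demo=$(make_sample_tree)
echo "before: $(count_world_accessible "$demo") world-accessible, $(count_group_unreadable "$demo") group-unreadable"
apply_key_modes "$demo"
echo "after:  $(count_world_accessible "$demo") world-accessible, $(count_group_unreadable "$demo") group-unreadable"
rm -rf "$demo"
```

Run the two count functions against the real `/var/lib/acme/keys` after acmetool has applied `conf/perm` to confirm the result is `0` and `0`.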