Bug #8788
LE(?) certs not installed with the correct permissions on cn-dev-orc-1
Start date: 2019-04-30
Due date:
% Done: 100%
Milestone: None
Product Version: *
Story Points:
Sprint:
Description
When installing dataone-cn-metacat and dataone-cn-index, postinst returned errors from incorrect permissions in the LE certificate. These were installed only 2 weeks ago, so I assume the issue is with the certificate installation process, not something to do with the dataone packages.
The exception was:
2019-04-28 23:32:06 UTC FATAL: private key file "/var/lib/postgresql/9.3/main/server.key" has group or world access
2019-04-28 23:32:06 UTC DETAIL: File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
Permissions on the file (privkey5.pem) were:
-rw-r----- 1 root ssl-cert 1704 Aug 17 2018 privkey1.pem
-rw-r----- 1 root ssl-cert 1704 Oct 17 2018 privkey2.pem
-rw-r----- 1 root ssl-cert 1704 Dec 16 12:33 privkey3.pem
-rw-r----- 1 root ssl-cert 1704 Feb 14 12:21 privkey4.pem
-rw-r--r-- 1 root root 1704 Apr 15 12:50 privkey5.pem
History
#1 Updated by Rob Nahf over 5 years ago
- Description updated (diff)
#2 Updated by Dave Vieglais over 5 years ago
After the Let's Encrypt certs are updated, it is necessary to run a script to set permissions consistently across the CNs. This is done by the script /etc/letsencrypt/post-cn-renewal.sh.
#3 Updated by Dave Vieglais over 5 years ago
- % Done changed from 0 to 100
- Assignee set to Dave Vieglais
- Status changed from New to Closed
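
The permission rule quoted in the FATAL/DETAIL message above, written as a check that can be run against a key file after a certificate renewal. This is an added example, not part of the ticket and not the contents of /etc/letsencrypt/post-cn-renewal.sh; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the ticket): applies the rule from the PostgreSQL
# DETAIL line. "X or less" is read as: no permission bit outside X is set.

# key_mode_ok OWNER_UID MODE_OCTAL DB_UID
# Returns 0 when the owner/mode pair satisfies the rule, 1 otherwise.
key_mode_ok() {
    _mode=$(( 0$2 ))                 # leading 0 makes the shell read octal
    if [ "$1" -eq "$3" ]; then
        _allowed=$(( 0600 ))         # owned by the database user: u=rw
    elif [ "$1" -eq 0 ]; then
        _allowed=$(( 0640 ))         # owned by root: u=rw,g=r
    else
        return 1                     # any other owner is outside the rule
    fi
    [ $(( $_mode & ~$_allowed )) -eq 0 ]
}

# check_key_file PATH DB_UID
# Prints one verdict line; returns 0 if the rule holds, 1 if it does not,
# 2 if PATH cannot be examined.
check_key_file() {
    # -L: when PATH is a symlink, report on the file it points to.
    _out=$(stat -L -c '%u %a' -- "$1") || return 2
    _owner=${_out% *}
    _perm=${_out#* }
    if key_mode_ok "$_owner" "$_perm" "$2"; then
        echo "OK   $1 uid=$_owner mode=$_perm"
    else
        echo "FAIL $1 uid=$_owner mode=$_perm"
        return 1
    fi
}

# Example call (path from the log message; the account name is an assumption):
#   check_key_file /var/lib/postgresql/9.3/main/server.key "$(id -u postgres)"
```

Against the listing in the description, the root-owned 0640 files pass and the 0644 privkey5.pem fails on the world-read bit.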