Bug #8788
LE(?) certs not installed with the correct permissions on cn-dev-orc-1
Start date:
2019-04-30
Due date:
% Done:
100%
Milestone:
None
Product Version:
*
Story Points:
Sprint:
Description
when installing dataone-cn-metacat and dataone-cn-index, postinst returned errors from incorrect permissions in the LE certificate. These were installed only 2 weeks ago, so I assume the issue is with the certificate installation process, not something to do with the dataone packages.
the exception was:
2019-04-28 23:32:06 UTC FATAL: private key file "/var/lib/postgresql/9.3/main/server.key" has group or world access 2019-04-28 23:32:06 UTC DETAIL: File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
permissions on the file (privkey5.pem) were:
-rw-r----- 1 root ssl-cert 1704 Aug 17 2018 privkey1.pem -rw-r----- 1 root ssl-cert 1704 Oct 17 2018 privkey2.pem -rw-r----- 1 root ssl-cert 1704 Dec 16 12:33 privkey3.pem -rw-r----- 1 root ssl-cert 1704 Feb 14 12:21 privkey4.pem -rw-r--r-- 1 root root 1704 Apr 15 12:50 privkey5.pem
History
#1 Updated by Rob Nahf almost 5 years ago
- Description updated (diff)
#2 Updated by Dave Vieglais almost 5 years ago
After the lets encrypt certs are updated, it is necessary to run a script to set permissions consistently across the CNs. This is done by the script /etc/letsencrypt/post-cn-renewal.sh
#3 Updated by Dave Vieglais almost 5 years ago
- % Done changed from 0 to 100
- Assignee set to Dave Vieglais
- Status changed from New to Closed
