starred/dehydrated
1
0
Fork 0
mirror of https://github.com/dehydrated-io/dehydrated.git synced 2026-03-03 14:40:00 +01:00
Code Issues 79 Packages Projects Releases 10 Wiki Activity

tls-alpn-01 key and certificate permissions too strict #488

New Issue
Closed
opened 2025-12-29 01:26:07 +01:00 by adam · 0 comments
adam commented 2025-12-29 01:26:07 +01:00
Owner
Copy Link

Originally created by @georgefx on GitHub (Aug 15, 2020).

Running dehydrated on FreeBSD 12.1-p8.

dehydrated-0.6.5 installed via pkg. dehydrated is running as user and group letsencrypt.

I have www as a member of group letsencrypt

# pw groupshow letsencrypt
letsencrypt:*:1002:www

In generate_alpn_certificate() openssl generates key and cert file with mode 600 (o=rw), thus www cannot read the tls-alpn-01 key and certificate (maybe this is specific to FreeBSD?). www cannot read the files and the challenge fails.

My naive fix is to add a chmod g+r in generate_alpn_certificate(). Not sure if this is generally appropriate though.

Note:
Since sudo is not available I'm running dehydrated as su -m letsencrypt -c "dehydrated -c -x". As far as I can tell from the code, dehydrated basically achieves the same effect using sudo, so this should not change anything. Maybe using su would generally be more portable?

Originally created by @georgefx on GitHub (Aug 15, 2020). Running dehydrated on **FreeBSD 12.1-p8**. **dehydrated-0.6.5** installed via pkg. dehydrated is running as user and group letsencrypt. I have www as a member of group letsencrypt # pw groupshow letsencrypt letsencrypt:*:1002:www In `generate_alpn_certificate()` openssl generates key and cert file with mode 600 (o=rw), thus www cannot read the tls-alpn-01 key and certificate (maybe this is specific to FreeBSD?). www cannot read the files and the challenge fails. My naive fix is to add a `chmod g+r` in `generate_alpn_certificate()`. Not sure if this is generally appropriate though. *Note:* Since sudo is not available I'm running dehydrated as `su -m letsencrypt -c "dehydrated -c -x"`. As far as I can tell from the code, dehydrated basically achieves the same effect using sudo, so this should not change anything. Maybe using su would generally be more portable?
adam closed this issue 2025-12-29 01:26:08 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Complicated
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
 suggestions wanted
testing
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/dehydrated#488
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?