
Merge "letsencrypt: tighten certificate permissions"

changes/37/644937/5
Zuul 1 month ago
parent
commit
8228afb159

+ 3
- 0
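--- a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
+++ b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
@@ -12,6 +12,9 @@ if [[ ${LETSENCRYPT_STAGING} != 0 ]]; then
     STAGING="--staging"
 fi
 
+# Ensure we don't write out files as world-readable
+umask 027
+
 echo -e  "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
 
 if [[ ${1} == "issue" ]]; then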
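Review bot: The added `umask 027` only governs files created from this point on by this process and its children, so certificate and key files that already exist on deployed hosts keep whatever mode they had, and the 0o640 assertion in testinfra/test_letsencrypt.py would not hold there unless acme.sh recreates the files on renewal rather than rewriting them in place (not visible here). A one-time tightening of the existing tree, e.g. an Ansible `file` task with `recurse: yes` and `group: letsencrypt` plus an explicit chmod of the key files, is worth considering alongside this change. The comment could also record the resulting modes so the next reader does not have to compute them: `# Ensure we don't write out files as world-readable (new files 0640, new dirs 0750)`.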

+ 14
- 1
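--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@@ -4,6 +4,11 @@
     dest: /opt/acme.sh
     version: dev
 
+- name: Install letsencrypt group
+  group:
+    name: letsencrypt
+    state: present
+
 - name: Install driver script
   copy:
     src: driver.sh
@@ -20,4 +25,12 @@
   include_role:
     name: logrotate
   vars:
-    logrotate_file_name: /var/log/acme.sh/acme.sh.log
+    logrotate_file_name: /var/log/acme.sh/acme.sh.log
+
+- name: Setup top level cert directory
+  file:
+    path: /etc/letsencrypt-certs
+    state: directory
+    owner: root
+    group: letsencrypt
+    mode: u=rwx,g=rx,o=,g+s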
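Review bot: The "Setup top level cert directory" task in the second hunk is not recursive, so the setgid bit and `group: letsencrypt` apply only to entries created under /etc/letsencrypt-certs afterwards; per-domain subdirectories and key files that already exist on a deployed host keep their current group and mode. If that tree can pre-exist, a separate `file` task with `recurse: yes` and `group: letsencrypt` (group only, since the directory `mode` above is not appropriate for files) would bring existing hosts in line with what the new test asserts. The "Install letsencrypt group" task in the first hunk could additionally set `system: yes` so the group gets a system GID, as is customary for groups that only service accounts join.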

+ 10
- 0
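--- a/testinfra/test_letsencrypt.py
+++ b/testinfra/test_letsencrypt.py
@@ -45,16 +45,26 @@ def test_certs_created(host):
             '/etc/letsencrypt-certs/'
             'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key')
         assert domain_one.exists
+        assert domain_one.user == "root"
+        assert domain_one.group == "letsencrypt"
+        assert domain_one.mode == 0o640
+
         domain_two = host.file(
             '/etc/letsencrypt-certs/'
             'someotherservice.opendev.org/someotherservice.opendev.org.key')
         assert domain_two.exists
+        assert domain_two.user == "root"
+        assert domain_two.group == "letsencrypt"
+        assert domain_two.mode == 0o640
 
     elif host.backend.get_hostname() == 'letsencrypt02.opendev.org':
         domain_one = host.file(
             '/etc/letsencrypt-certs/'
             'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key')
         assert domain_one.exists
+        assert domain_one.user == "root"
+        assert domain_one.group == "letsencrypt"
+        assert domain_one.mode == 0o640
 
     else:
         pytest.skip()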
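Review bot: The new assertions check each key file but nothing checks the directory that is supposed to confer the group, so a regression in the setgid/group setup of /etc/letsencrypt-certs would only surface indirectly; a direct check such as `assert host.file('/etc/letsencrypt-certs').group == "letsencrypt"` (and, if testinfra's `mode` includes the setgid bit, `== 0o2750`) in the same test would pin that contract. The same three-line user/group/mode block is also repeated for every key, which makes it easy for one copy to drift; a small module-level helper keeps the expected ownership in one place. `test_certs_created` starts outside this hunk, so the helper's definition would go above it.

```python
def _assert_private_key_perms(key):
    # Keys are root-owned and readable only by the letsencrypt group (0640).
    assert key.exists
    assert key.user == "root"
    assert key.group == "letsencrypt"
    assert key.mode == 0o640
# … unchanged: test_certs_created and its host.file(...) lookups …
        _assert_private_key_perms(domain_one)
```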
