/var/lib/acme/conf/target file permission #347
Comments
You can override permissions enforcement using this file: https://github.com/hlandau/acmetool/blob/master/_doc/contrib/perm.example
Ah, thanks. That'll do it. You might want to add it to https://github.com/hlandau/acmetool/blob/master/_doc/SCHEMA.md, too, as right now I don't think I would've discovered it without your help.
I gave
That in turn makes me think that individual certs could use a permission system. For example, the private certificate for an SMTP server would need to be owned by Postfix, whereas a certificate for a web server should only be readable by it. How do you handle these situations? State directories have a very large structure overhead, so I'm not too keen on duplicating them per-service. Thanks!
Hey,
Thanks for maintaining acmetool. It seems exactly what I was after — an idempotent and declarative ACME client.
I'm setting up a DNS hook and added the TSIG key as an environment variable to /var/lib/acme/conf/target. However, on running acmetool, it warns of its permissions:
Why is that? Given the target file now contains credentials, I'd definitely not want it to be world-readable.
Thanks!