Thanks for maintaining acmetool. It seems exactly what I was after — an idempotent and declarative ACME client.
I'm setting up a DNS hook and added the TSIG key as an environment variable to /var/lib/acme/conf/target. However, on running acmetool, it warns of its permissions:
20220313183755 [WARN] fdb: "conf/target" has wrong mode -rw-r-----, changing to -rw-r--r--
Why is that? Given the target file now contains credentials, I'd definitely not want it to be world-readable.
Thanks!
I gave perm a try and, if I'm not mistaken, it expects to set permissions on an entire directory. I was attempting to only lock down conf/target, but that errors with:
20220314150328 [CRITICAL] acmetool: fatal: storage: open fdb: mkdir /var/lib/acme/conf/target: not a directory
That in turn makes me think that individual certs could use a permission system. For example, the private certificate for an SMTP server would need to be owned by Postfix, whereas a certificate for a web server should only be readable by it. How do you handle these situations? State directories have a very large structure overhead, so I'm not too keen on duplicating them per-service.
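As an added example (not code from acmetool or from this issue), here is a small check that scans acmetool log output for the fdb mode warning quoted above and flags any case where the "changing to" mode grants group or other users bits the original mode did not, which is exactly the world-readable conf/target situation the reporter is worried about. The sample log lines are constructed for the example and modelled on the warning in the issue.

```python
import re

# Constructed sample log output, modelled on the fdb warning quoted in the issue.
SAMPLE_LOG = """\
20220313183755 [WARN] fdb: "conf/target" has wrong mode -rw-r-----, changing to -rw-r--r--
20220313183756 [WARN] fdb: "keys" has wrong mode drwxr-xr-x, changing to drwx------
20220313183757 [INFO] acmetool: reconciling
"""

# Matches: [WARN] fdb: "<path>" has wrong mode <old>, changing to <new>
WARN_RE = re.compile(
    r'\[WARN\] fdb: "(?P<path>[^"]+)" has wrong mode (?P<old>[-dl][rwxsStT-]{9}), '
    r'changing to (?P<new>[-dl][rwxsStT-]{9})'
)


def symbolic_to_octal(mode: str) -> int:
    """Convert an ls-style mode string such as -rw-r----- to its 9 permission bits.

    The leading type character is ignored; '-', and the setuid/setgid/sticky
    markers without execute ('S', 'T'), mean the bit is clear.
    """
    bits = 0
    for ch in mode[1:]:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


def widened_modes(log_text: str):
    """Return (path, old_mode, new_mode, gained_bits) for every fdb warning whose
    new mode gives group or other a permission the old mode withheld."""
    findings = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        old = symbolic_to_octal(m["old"])
        new = symbolic_to_octal(m["new"])
        gained = new & ~old & 0o077  # only group/other bits matter here
        if gained:
            findings.append((m["path"], old, new, gained))
    return findings


if __name__ == "__main__":
    for path, old, new, gained in widened_modes(SAMPLE_LOG):
        print(f"{path}: {old:04o} -> {new:04o} widens group/other by {gained:04o}")
```

Run against a real acmetool log, a non-empty result means fdb has loosened a file you may have locked down by hand, so it is worth keeping as a post-run check until per-file permissions are configured.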