albertito / chasquid

SMTP (email) server with a focus on simplicity, security, and ease of operation [mirror]
https://blitiri.com.ar/p/chasquid/

Question about symlinking the certbot pem files... #26

Closed lifeModder19135 closed 2 years ago

lifeModder19135 commented 2 years ago

In the README which was generated inside /etc/chasquid/certs, it is recommended to use a symlink to point to /etc/letsencrypt/live/rapidev.org/{privkey,fullchain}.pem

Note the directory structure matches certbot's structure, so if you use it you can just create symlinks to /etc/letsencrypt/live/.

This is a great idea! Especially since my certs need regen every 90 days. I have a lot of subdomains, which equates to an entire day of headache every few months. Each cuttable corner is a blessing!

The issue is that the very next line in the README states:

Note also that the certificates and private keys must be readable by the chasquid user.

I don't see how these (symlinking and readability) can coexist when we aren't allowed to change the modes of the files in /etc/letsencrypt/live. I've already created softlinks with ln -s, but soft links look at the original for permissions.

For example, the file mode for my linked files is now 777 ( rwxrwxrwx ), yet cat fullchain.pem still outputs "permission denied."

The only workaround I can think of is to remove the -s flag from the ln command, but this is pointless because then the certs will not auto-update when I update the originals, and that is the only reason for linking in the first place. Is there a way around this?

Thanks in advance for your help! And for the MTA!

foxcpp commented 2 years ago

Are you sure they won't update? Does certbot create new files instead of overwriting them in place?

albertito commented 2 years ago

The recommended way is to use filesystem ACLs to give chasquid read access to the /etc/letsencrypt/live and /etc/letsencrypt/archive directories. New files in those directories inherit the ACLs from the parent, so after a cert renewal the new files will also be readable by chasquid.

This is documented in the how-to. In particular, this part sets up the ACLs on the letsencrypt certificates:

# Give chasquid access to the certificates.
# Dovecot does not need this as it reads them as root.
sudo setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}

Does this help? Let us know if there's something still unclear!
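As an added example (not part of the chasquid project or this thread), a small shell check for the ACL setup described above: it reads a getfacl dump and verifies that the chasquid user has both an access entry (current files readable) and a default entry (files certbot creates at the next renewal inherit read access). The user name "chasquid" comes from the how-to; the getfacl text is constructed sample output.

```shell
# Added example (not from the chasquid project): check a getfacl dump for
# the two entries a renewal-safe setup needs. "chasquid" is the user name
# from the how-to; the getfacl text below is constructed sample output.

# acl_has_read USER ACLTEXT -> 0 if an access entry grants USER read
acl_has_read() {
  printf '%s\n' "$2" | grep -Eq "^user:$1:r"
}

# acl_has_default_read USER ACLTEXT -> 0 if a default entry grants USER read,
# i.e. files created later in this directory (new cert files) inherit read access
acl_has_default_read() {
  printf '%s\n' "$2" | grep -Eq "^default:user:$1:r"
}

# check_dir_acl USER ACLTEXT: prints a verdict and returns 0 only when both hold
check_dir_acl() {
  user=$1; acl=$2; rc=0
  if acl_has_read "$user" "$acl"; then echo "access ACL: ok"; else echo "access ACL: missing"; rc=1; fi
  if acl_has_default_read "$user" "$acl"; then echo "default ACL: ok"; else echo "default ACL: missing (renewed files may not be readable)"; rc=1; fi
  return $rc
}

# Constructed sample: what `getfacl -p /etc/letsencrypt/archive` might print
# after `setfacl -R -m u:chasquid:rX` alone (no default entries).
SAMPLE_ACCESS_ONLY='# file: /etc/letsencrypt/archive
# owner: root
# group: root
user::rwx
user:chasquid:r-x
group::---
mask::r-x
other::---'

# Constructed sample after also running `setfacl -R -d -m u:chasquid:rX`
# (setfacl's -d sets the default ACL that new entries inherit).
SAMPLE_WITH_DEFAULT="$SAMPLE_ACCESS_ONLY
default:user::rwx
default:user:chasquid:r-x
default:group::---
default:mask::r-x
default:other::---"

# Live usage on a real host:
#   check_dir_acl chasquid "$(getfacl -p /etc/letsencrypt/archive)"
```

Run the live check once after setting the ACLs and again after the next certbot renewal; if the default entry is missing, newly written key and chain files will not be readable by chasquid even though the old ones were.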

lifeModder19135 commented 2 years ago

Thank you. I should have thought of that. It was the README that threw me off, I guess. It recommended symlinking, so that's sort of the lens through which I was sort of viewing the situation. Thanks again. I'll be sure to star the repo if I haven't already.

albertito commented 2 years ago

I see! The installation guide mentions the symlinking but not the ACLs, and I think it's a good point that it can be confusing.

I'll update the doc to make it clearer, thanks for letting us know!

albertito commented 2 years ago

The documentation changes are in master and in v1.9.

Please reopen/comment further if there's any other suggestion, and thanks again for reporting this!