andreaswolf / ansible-role-letsencrypt

Ansible role for generating certificates with acme-tiny via Let’s encrypt

Cert out directory can't work #5

Closed SuperQ closed 8 years ago

SuperQ commented 8 years ago

Because the role creates the user, but has no facility to adjust an output directory for certs, this role can never work without setting up a 1777 directory ahead of time.

TASK [andreaswolf.letsencrypt : generate the initial certificate] **************
fatal: [XXXX]: FAILED! => {"changed": true, "cmd": ["./renew-certs.py"], "delta": "0:00:04.328285", "end": "2016-01-28 19:34:49.733613", "failed": true, "failed_when_result": true, "rc": 1, "start": "2016-01-28 19:34:45.405328", "stderr": "Traceback (most recent call last):\n  File \"./renew-certs.py\", line 44, in <module>\n    f = open(cert['certpath'], 'w')\nIOError: [Errno 13] Permission denied: u'/etc/ssl/certs/FOO'", "stdout": "Generating certificate for FOO", "stdout_lines": ["Generating certificate for FOO"], "warnings": []}

A couple of fixes:

andreaswolf commented 8 years ago

Actually that’s a shortcoming, yes. The role (currently) simply relies on the user either a) using the Debian cert/key directories in /etc/ssl/ or b) creating the directories themselves. Creating the directory if necessary would of course be useful.

I don’t get your second remark though: what does the group have to do with running the script? I changed the group of the certs directory to my letsencrypt group with a playbook task, and changed the permissions to x7x, so the group can write the certificates. That’s enough in my case.

SuperQ commented 8 years ago

The problem is if you use this via ansible galaxy, there is a race condition. In the execution, the letsencrypt user/group don't exist ahead of creating the cert, so you can't depend on chown working on any dir you create.

spodkowinski commented 8 years ago

I solved this by using certpath: "{{acme_tiny_data_directory}}/mycert.crt" and creating a symlink afterwards to the actual target path:

# Link each generated certificate from the acme-tiny data directory into the
# directory nginx reads from; only the symlink lives in /etc/nginx/ssl.
- name: Link certificates
  file:
    src: "{{ item.certpath }}"
    dest: "/etc/nginx/ssl/{{ item.certpath | basename }}"
    state: link
  with_items: "{{ letsencrypt_certs }}"

andreaswolf commented 8 years ago

I think this is best solved by adjusting the permissions on the cert directory after creating the user/group. The actual permissions should be specified in the configuration; I’ll fix the code accordingly.
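
As an added illustration of the ordering proposed above (example tasks, not code from this role or its author), the following creates the group and user first and only then creates the certificate directory with a configurable owner, group and mode, so the renewal step never depends on a world-writable 1777 directory or on a chown to a not-yet-existing group. The variable names letsencrypt_user, letsencrypt_group, letsencrypt_cert_dir and letsencrypt_cert_dir_mode are assumptions; acme_tiny_data_directory and renew-certs.py are the ones discussed in this issue.

```yaml
# Added example, not the role's own tasks. Variable names are assumptions.
- name: Create the Let's Encrypt group
  group:
    name: "{{ letsencrypt_group }}"
    system: yes
    state: present

- name: Create the Let's Encrypt user
  user:
    name: "{{ letsencrypt_user }}"
    group: "{{ letsencrypt_group }}"
    system: yes
    createhome: no
    shell: /usr/sbin/nologin

# The directory is created after the user/group exist, so setting its group
# cannot fail. Group-writable (x7x) instead of 1777: only root and the
# letsencrypt group can write certificates here, and the mode is configurable.
- name: Create the certificate output directory
  file:
    path: "{{ letsencrypt_cert_dir }}"
    state: directory
    owner: root
    group: "{{ letsencrypt_group }}"
    mode: "{{ letsencrypt_cert_dir_mode | default('0775') }}"

# Run the renewal as the unprivileged user; it now has write access to the
# certificate directory without the directory being world-writable.
- name: Generate the initial certificate
  command: ./renew-certs.py
  args:
    chdir: "{{ acme_tiny_data_directory }}"
  become: yes
  become_user: "{{ letsencrypt_user }}"
```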

SuperQ commented 8 years ago

Yea, I was going to write up a PR to fix this, I just didn't have time at FOSDEM.

andreaswolf commented 8 years ago

Is closed with #10.