stephanfriedrich opened this issue 5 years ago (status: Open)
Hi again... Let's Encrypt is containerized and running as root in the certbot container...
Are you sure renewal does not work? AFAICT renewal should be no issue, because during renewal the certbot container runs again as root...
If really necessary, you can always add a certbot post-renewal hook that does chown -R on the dir,
e.g. save the following in /path/to/dockerbunker/data/conf/nginx/ssl/letsencrypt/renewal-hooks/post/fix-permissions.sh
... replace uid and gid with those of your user and group. You might have to make the script executable:
#!/bin/sh
# Post-renewal hook: hand the certificate tree back to the unprivileged user (here uid 1000, gid 1000)
chown -R 1000:1000 /etc/letsencrypt
The next time certbot renews certs it will set the proper permissions. (To test, you can run certbot renew --dry-run; change that in certbot.sh.)
But again, I don't think this is necessary for a successful renewal.
Just realizing... it makes sense to add this post-renewal hook via dockerbunker, as dockerbunker needs to read the contents of that directory. I'll do this when I have some spare time (also welcoming PRs :)
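As an added example of the post-renewal hook discussed above (this is not dockerbunker's or certbot's own code), here is a slightly more defensive version of fix-permissions.sh. It assumes, for illustration only, that the target owner comes from the environment variables DOCKERBUNKER_UID and DOCKERBUNKER_GID (defaulting to 1000:1000) and the tree to fix from LETSENCRYPT_DIR (defaulting to /etc/letsencrypt, the path inside the certbot container); none of these names exist in dockerbunker. It checks that the directory exists, keeps file modes as certbot set them (so private keys do not become world-readable), and provides a small verification helper:

```shell
#!/bin/sh
# Added example, not dockerbunker's own code: a certbot post-renewal hook that
# hands /etc/letsencrypt back to the unprivileged user that runs dockerbunker.
# Assumed (hypothetical) configuration: owner from DOCKERBUNKER_UID /
# DOCKERBUNKER_GID (default 1000:1000), tree from LETSENCRYPT_DIR
# (default /etc/letsencrypt, the path inside the certbot container).
set -eu

# fix_letsencrypt_perms DIR UID GID
# Recursively chowns DIR to UID:GID and makes sure the owner can traverse every
# directory and read every file. Other mode bits are left alone, so private
# keys stay unreadable for other users. Returns non-zero if DIR is missing or
# the chown fails (e.g. when the hook is not running as root).
fix_letsencrypt_perms() {
    dir=$1
    uid=$2
    gid=$3
    [ -d "$dir" ] || { echo "fix-permissions: $dir is not a directory" >&2; return 1; }
    chown -R "$uid:$gid" "$dir"
    # u+rwX: read/write for the owner; the search bit only on directories and
    # on files that already carry an execute bit, so .pem files stay 0600/0644.
    chmod -R u+rwX "$dir"
}

# count_foreign_files DIR USER
# Prints how many entries under DIR are not owned by USER (0 means the hook
# did its job). USER may be a name or a numeric uid.
count_foreign_files() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Only act when certbot invokes this file as the hook script; when the file is
# sourced (e.g. for testing) just define the functions above.
case "${0##*/}" in
    fix-permissions.sh)
        fix_letsencrypt_perms "${LETSENCRYPT_DIR:-/etc/letsencrypt}" \
            "${DOCKERBUNKER_UID:-1000}" "${DOCKERBUNKER_GID:-1000}"
        ;;
esac
```

The hook still has to be executable (chmod +x) for certbot to run it, and it only takes effect once certbot actually attempts a renewal. Note that the chown deliberately gives the unprivileged user ownership of the private keys as well, which is exactly what lets dockerbunker read and remove them; keep that user's account as tightly controlled as the root account was.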
Thx, I will check it out.
@chaosbunker sorry for the long wait. I did not describe the problem well, let me try it again.
Problem:
After initializing a dockerbunker service with letsencrypt certs, I tried to remove this service via the dockerbunker menu.
Everything was removed as expected, except for the nginx/ssl/letsencrypt/
folder, because the docker-certbot container writes cert files with root privileges. dockerbunker runs without root privileges and can't remove these cert files.
Solution? Now I understand dockerbunker and think this is not a dockerbunker issue. But for dockerbunker users it's not clear what to do, so it should be mentioned as "steps after removal".
@chaosbunker what do you think?
Hi, every letsencrypt cert and its folder structure will be created with root:root privileges, but I run docker with user docker:docker privileges. Everything works nicely, but now the letsencrypt shit can't be updated via your dockerbunker (because of permission issues).
Any advice? IMHO letsencrypt should also run under the docker user?!