Closed hickey closed 3 years ago
Hi @hickey
Thanks for helping. Did you test with this change? Can other services start with this permission?
You may need to set the group to `ssl-cert`, then add other daemon users to the `ssl-cert` group.
No, this has not been tested in an actual container. Part of the reason is that your repo has a Dockerfile that builds off an Ubuntu base yet your production image is based on Alpine. If your repos were kept in sync with your production builds I would have been more than happy to build a test container (which would be the one I would be running today) so that my private key is not exposed.

There are only two changes here and they both are to secure the private key. The change to the `combined.pem` file is purely a mistake of including the private key in the PEM file, which should never have been done.

The second change, again to protect the secret key, is purely just a change of permissions. Yes, it is possible that the ownership of the file will need to be changed to accommodate using the key in NGINX, Dovecot and Postfix, but I really cannot test this without building from your current production Dockerfiles so that it can be confirmed that there are no package and environmental differences between Ubuntu and Alpine.
The SSL private key is now set to not be world readable.

In addition the `combined.pem` (aka `fullchain.pem`) was incorrectly including the private key. The `fullchain.pem` files should never include the private key. They contain only the certificate and the CA certificates necessary to validate the certificate. In most cases the CA certificates would be user supplied for CA(s) that are not included in the `ca-certificates` package.

Signed-off-by: Gerard Hickey hickey@kinetic-compute.com
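The two properties the commit message describes, a chain file that contains only certificates and a private key that is not world readable, as an added POSIX shell example. This is not code from the PR or from the repository under discussion: the file names, the `KEY_GROUP` default of `ssl-cert` (the group the maintainer suggests above) and the placeholder PEM contents are all constructed for the example. It builds `fullchain.pem` from the leaf certificate and the CA chain only, locks down `privkey.pem`, and then verifies both files, flagging the old `combined.pem` layout (certificates plus key) as a defect.

```shell
#!/bin/sh
# Added example, not from the PR or the project. Paths, the KEY_GROUP name
# and the PEM contents below are assumptions/constructed placeholders.
set -eu

KEY_GROUP="${KEY_GROUP:-ssl-cert}"

# Build fullchain.pem from the leaf certificate plus the CA chain.
# The private key is deliberately never an input here.
build_fullchain() {
    cert="$1"; chain="$2"; out="$3"
    cat "$cert" "$chain" > "$out"
    chmod 0644 "$out"          # certificates are public; world-readable is fine
}

# Restrict the private key: owner read/write, group read, no world access.
# The group is only changed when it exists on this host (daemons such as
# nginx, dovecot or postfix would then be added to that group).
lock_private_key() {
    key="$1"
    chmod 0640 "$key"
    if grep -q "^${KEY_GROUP}:" /etc/group 2>/dev/null; then
        chgrp "$KEY_GROUP" "$key" || echo "warning: could not chgrp $key" >&2
    fi
}

# Returns 0 when the file contains no PRIVATE KEY block (PKCS#8 "PRIVATE KEY",
# "RSA PRIVATE KEY", "EC PRIVATE KEY" and "ENCRYPTED PRIVATE KEY" all match).
check_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Returns 0 when the file is not world-readable: the "other" octal digit
# of the mode has no read (4) bit set.
check_not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    other=${mode#"${mode%?}"}   # last character of the octal mode string
    [ $((other & 4)) -eq 0 ]
}

# End-to-end demonstration on constructed placeholder files; returns 0 when
# the good layout passes and the mistaken combined layout is rejected.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED LEAF CERT' \
        '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED CA CERT' \
        '-----END CERTIFICATE-----' > "$dir/chain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED KEY MATERIAL' \
        '-----END PRIVATE KEY-----' > "$dir/privkey.pem"
    chmod 0644 "$dir/privkey.pem"   # start world-readable, as the bug left it

    build_fullchain "$dir/cert.pem" "$dir/chain.pem" "$dir/fullchain.pem"
    lock_private_key "$dir/privkey.pem"

    # The mistaken layout the PR removes: private key appended to the chain.
    cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$dir/combined-bad.pem"

    if check_no_private_key "$dir/fullchain.pem" &&
       ! check_no_private_key "$dir/combined-bad.pem" &&
       check_not_world_readable "$dir/privkey.pem"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

demo
```

Running the script with no arguments executes `demo` and exits 0 only when the chain file is clean and the key is locked down; the two `check_*` functions are the pieces worth wiring into a container entrypoint or healthcheck so a regression of either property is caught before the daemons start.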