Closed maxxie85 closed 4 years ago
Sorry for the delay. I'll try to review it today. I think in general that I need to improve the current situation of the Docker container user, as it uses the user root by default.
Either way, fixing that little "security" problem may render these environment variables a little bit useless. We could temporarily keep the file's GID and UID in variables, chown to container user and then chown it back to the original owner. Maybe you can agree with this one or even have a better suggestion, I don't know.
We could temporarily keep the file's GID and UID in variables, chown to container user and then chown it back to the original owner. Maybe you can agree with this one or even have a better suggestion, I don't know.
That would only work if the files already exist, but not if it's deployed for the first time.
Also, the owner of the acme.json file doesn't have to be the same owner for the certificates. This situation is true for me, where traefik runs as a different user than some services for which I need the certificate to be dumped.
Yeah, that makes sense. Alright, I'll take a look at it.
By the way, would you be fine abbreviating OVERRIDE_UID and OVERRIDE_GID with UID and GID respectively?
Hey, sorry for the very delayed response. Had some stuff going on. I just tested the image, trying to change the ownership, and everything seems to work fine. I'll merge this one and create a new release.
I added an option to change the ownership of the key file and the cert file.
I find that not all my Docker containers run as root. These containers are unable to load the key file because it's read-only for the user. Changing the owner when dumping fixes this issue for me.
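The ownership change this pull request describes, sketched as an added shell example that is not the project's own code: it hands an already dumped certificate and key to a non-root service account while keeping the key private. `OVERRIDE_UID` and `OVERRIDE_GID` are the variable names from the thread; `apply_ownership`, `is_numeric_id` and the file arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's code). Function names are hypothetical;
# OVERRIDE_UID / OVERRIDE_GID are the variable names used in the thread.

# Succeeds only for a plain decimal id. chown also accepts "user:group"
# and account names, so anything else is rejected before it reaches chown.
is_numeric_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# apply_ownership CERT KEY
# Returns 0 on success, 1 on a file or chown error, 2 on a bad override value.
apply_ownership() {
    cert=$1
    key=$2
    for f in "$cert" "$key"; do
        # Refuse symlinks so the chown cannot be redirected to another file.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "refusing $f: not a regular file" >&2
            return 1
        fi
    done
    # Validate both overrides before changing anything.
    if [ -n "${OVERRIDE_UID:-}" ] && ! is_numeric_id "$OVERRIDE_UID"; then
        echo "OVERRIDE_UID must be numeric" >&2
        return 2
    fi
    if [ -n "${OVERRIDE_GID:-}" ] && ! is_numeric_id "$OVERRIDE_GID"; then
        echo "OVERRIDE_GID must be numeric" >&2
        return 2
    fi
    # Tighten modes first: the key is owner-only, the cert stays world-readable.
    chmod 600 "$key" || return 1
    chmod 644 "$cert" || return 1
    # With no override set, ownership is left as the dumper created it.
    if [ -n "${OVERRIDE_UID:-}" ]; then
        chown "$OVERRIDE_UID" "$cert" "$key" || return 1
    fi
    if [ -n "${OVERRIDE_GID:-}" ]; then
        chgrp "$OVERRIDE_GID" "$cert" "$key" || return 1
    fi
    return 0
}
```

Changing the owner to a different account needs root (or `CAP_CHOWN`) in the dumping container, which is why this step runs there and not in the consuming service.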