linux-system-roles / certificate

Role for managing TLS/SSL certificate issuance and renewal
https://linux-system-roles.github.io/certificate/
MIT License

Add permissions to provider certmonger #133

Closed jh23453 closed 1 year ago

jh23453 commented 2 years ago

The certmonger provider supports owner/group for the files. I've tried to get a certificate for cockpit. https://100things.wzzrd.com/2021/06/10/Proper-SSL-certs-in-cockpit.html suggests using "chmod g+r" for the certificates. It might be useful to support that. I could change the owner of my certificate to cockpit-ws, but would that be a good idea? I'm unsure.

richm commented 2 years ago

@martinpitt what ownership/permissions do cockpit certs need?

martinpitt commented 2 years ago

See PR #97, the role already can specify permissions. But it's not necessary any more with recent cockpit versions (Fedora, c8s, RHEL 8.7/9.1 at least, possibly already earlier), permissions don't matter there. Can't be more precise right now, only next week again.

jh23453 commented 2 years ago

@martinpitt Thanks for the hint to the pull request - that should work nicely. I guess I'll remove my cert and retry with "group: cockpit-ws". Did that and yes, the resulting key/cert are readable from cockpit. So technically it works like you expected. Let me see if I find some suggestion for the documentation. Just to complete, here's how I requested certificates with ipa-getcert:

ipa-getcert request --wait \
        --keyfile="${keydir}/50-certmonger.key"   --key-owner=root:cockpit-ws --key-perms=640 \
        --certfile="${certdir}/50-certmonger.crt" --cert-owner=root --cert-perms=644 \
        -N "CN=${hostname}" -D "${hostname}" -K "cockpit/${hostname}"

Thanks for the prompt feedback.

jh23453 commented 2 years ago

Please look at https://github.com/linux-system-roles/certificate/pull/134

martinpitt commented 2 years ago

> But it's not necessary any more with recent cockpit versions

To be specific: This was changed in https://cockpit-project.org/blog/cockpit-257.html , which is in RHEL 8.6 and 9.0, all Fedoras, CentOS 8/9 stream, Ubuntu 22.04 LTS. Debian stable has a backport.

martinpitt commented 2 years ago

@jh23453: If you have a recent enough cockpit, you should be able to drop all four --{cert,key}-{owner,perms} options.

Nihlus commented 1 year ago

Some services require more restrictive permissions (postgresql, for example, wants 0600 permissions for the private key). It would be nice if a mode parameter could be added to the module so we could control it ourselves.
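Both the ipa-getcert invocation above (root:cockpit-ws with 640 on the key) and the postgresql case (0600) come down to the same post-issuance question: did the private key land with the intended owner and group, and is it no more permissive than the consuming service requires? The script below is an added example, not code from the issue thread or from the certificate role; it assumes GNU stat(1) with `-c`, as on the RHEL/Fedora systems discussed, and takes the key path, owner, group and maximum octal mode as arguments.

```shell
#!/bin/sh
# Added example (not part of the issue thread or the certificate role):
# verify that a certmonger-managed private key has the intended owner/group
# and that its mode does not exceed what the consuming service allows.
# Assumption: GNU stat(1) with -c (%U owner name, %G group name, %a octal mode).

# check_file_owner FILE OWNER GROUP -> 0 when owner and group match, 1 otherwise.
check_file_owner() {
    file=$1 want_owner=$2 want_group=$3
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    have_owner=$(stat -c '%U' "$file")
    have_group=$(stat -c '%G' "$file")
    rc=0
    [ "$have_owner" = "$want_owner" ] || { echo "$file: owner $have_owner, want $want_owner" >&2; rc=1; }
    [ "$have_group" = "$want_group" ] || { echo "$file: group $have_group, want $want_group" >&2; rc=1; }
    return $rc
}

# mode_within FILE MAXMODE -> 0 when every permission bit set on FILE is also
# set in MAXMODE (octal, e.g. 640); 1 when the file is more permissive.
mode_within() {
    file=$1 max=$2
    have=$(stat -c '%a' "$file")
    # A leading 0 makes the shell arithmetic parse both values as octal.
    extra=$(( 0$have & ~0$max ))
    if [ "$extra" -ne 0 ]; then
        echo "$file: mode $have exceeds $max" >&2
        return 1
    fi
    return 0
}

# world_readable FILE -> 0 when "other" has read permission. A private key
# must never pass this check, whatever the service's exact requirement.
world_readable() {
    have=$(stat -c '%a' "$1")
    [ $(( 0$have & 04 )) -ne 0 ]
}

# check_private_key FILE OWNER GROUP MAXMODE -> 0 only when all checks pass.
check_private_key() {
    key=$1 owner=$2 group=$3 max=$4
    ok=0
    check_file_owner "$key" "$owner" "$group" || ok=1
    mode_within "$key" "$max" || ok=1
    if world_readable "$key"; then
        echo "$key: world-readable private key" >&2
        ok=1
    fi
    return $ok
}

# Usage matching the ipa-getcert request in the thread (keydir as set there):
#   check_private_key "${keydir}/50-certmonger.key" root cockpit-ws 640
# For a postgresql server key the last argument would be 600 instead.
if [ "$#" -eq 4 ]; then
    check_private_key "$@"
fi
```

`mode_within` compares permission bits rather than numeric values, so a key at 640 passes a 640 limit but fails a 600 limit, and a key at 604 fails a 640 limit even though 604 < 640 numerically; `world_readable` is a separate hard rule because no consumer of a private key should need it.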