Wrong ACL for certificates

[arodier]

This is the second problem that broke the build. I am working on a fix that should make the certificates ACLs more secure. I will push on dev asap.

[fredericmoulins]

The ACL permissions are too permissive, ok, but "too permissive" should not be causing a task to fail. Do you know what is the cause of the error in the build?

With the current permissions and ACL, I don't understand what would restrict the access to the certificates to break this command. (I guess they are read (by slapd?) when ssl-config.ldif is loaded.)

https://jenkins.homebox.space/job/homebox-dev-micro-deploy/83/

TASK [ldap : Modify the configuration if not already done] *********************
fatal: [homebox]: FAILED! => changed=true 
  cmd:
  - ldapmodify
  - -QY
  - EXTERNAL
  - -H
  - ldapi:///
  - -f
  - /etc/ldap/changes/ssl-config.ldif
  delta: '0:00:00.016571'
  end: '2019-11-04 08:19:56.061151'
  msg: non-zero return code
  rc: 80
  start: '2019-11-04 08:19:56.044580'
  stderr: 'ldap_modify: Other (e.g., implementation specific) error (80)'
  stderr_lines:
  - 'ldap_modify: Other (e.g., implementation specific) error (80)'
  stdout: modifying entry "cn=config"
  stdout_lines: <omitted>
Monday 04 November 2019  08:19:56 +0000 (0:00:00.280)       0:03:58.850 ******* 

[fredericmoulins]

Moreover, even if the ACL are too permissive, the apparmor profiles are restricting the processes to their required certificates only (cf git grep 'letsencrypt' install/playbooks/roles/*/templates/apparmor.d/). So as it is, it should be relatively ok.

The permissions on the keys and certificates in archive are weird, but apparently it is not a security issue given the permissions on the archive directory, and it has been fixed in a more recent version of certbot (0.29.1). cf: https://github.com/certbot/certbot/issues/1473 and this comment: https://github.com/certbot/certbot/issues/1473#issuecomment-443347999 The new behavior and options might be good to know to adapt the permissions accordingly.