From be6f89fd6d8dfdcb80f13ad12c835154035c7d72 Mon Sep 17 00:00:00 2001
From: datenritter
Date: Wed, 27 Sep 2023 13:37:56 +0200
Subject: [PATCH 1/2] Secure creation of certbundle for haproxy on renewal.

certbundle.new should be created and protected with chmod *before* the secret key is copied into it. Otherwise, though temporarily, the key becomes world readable and might be read by a local user monitoring the folder.
---
 bbb-install.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bbb-install.sh b/bbb-install.sh
index d35fb52..6f47859 100644
--- a/bbb-install.sh
+++ b/bbb-install.sh
@@ -816,9 +816,10 @@ END
 cat > /etc/letsencrypt/renewal-hooks/deploy/haproxy < /etc/haproxy/certbundle.pem.new
-chown root:haproxy /etc/haproxy/certbundle.pem.new
+{ touch /etc/haproxy/certbundle.pem.new
 chmod 0640 /etc/haproxy/certbundle.pem.new
+cat /etc/letsencrypt/live/$HOST/fullchain.pem; echo; cat /etc/letsencrypt/live/$HOST/privkey.pem; } > /etc/haproxy/certbundle.pem.new
+chown root:haproxy /etc/haproxy/certbundle.pem.new
 mv /etc/haproxy/certbundle.pem.new /etc/haproxy/certbundle.pem
 systemctl reload haproxy
 HERE

From 61562d6589e488218c9583bf084edc9e4c78c395 Mon Sep 17 00:00:00 2001
From: datenritter
Date: Wed, 27 Sep 2023 13:40:45 +0200
Subject: [PATCH 2/2] File creation outside bracket.

---
 bbb-install.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bbb-install.sh b/bbb-install.sh
index 6f47859..6adef54 100644
--- a/bbb-install.sh
+++ b/bbb-install.sh
@@ -816,9 +816,10 @@ END
 cat > /etc/letsencrypt/renewal-hooks/deploy/haproxy < /etc/haproxy/certbundle.pem.new
+
+{ cat /etc/letsencrypt/live/$HOST/fullchain.pem; echo; cat /etc/letsencrypt/live/$HOST/privkey.pem; } > /etc/haproxy/certbundle.pem.new
 chown root:haproxy /etc/haproxy/certbundle.pem.new
 mv /etc/haproxy/certbundle.pem.new /etc/haproxy/certbundle.pem
 systemctl reload haproxy
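Review bot: In PATCH 1/2, the `> /etc/haproxy/certbundle.pem.new` redirection on the brace group is opened by the shell before the `touch` and `chmod` inside the group run, so the file is still created with the default-umask mode (typically 0644) and `chmod 0640` only tightens it afterwards. That narrows the window the commit message describes to an empty file rather than closing it, because a reader that opened the file while it was world-readable keeps access through its descriptor when the key is written. PATCH 2/2 moves the `touch` out of the group but keeps the create-then-chmod order, so the same window remains there. Creating the file restrictive from the start closes it: add `umask 077` at the top of the generated deploy hook and keep the existing `chmod 0640` and `chown root:haproxy` so the haproxy group regains read access; the heredoc is unquoted, but `umask 077` contains nothing the installer would expand. The hunk sits inside a larger block of bbb-install.sh whose start and end are outside the hunk.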