Secure creation of certbundle for haproxy on renewal.
certbundle.new should be created and protected with chmod *before* the secret key is copied into it. Otherwise, though temporarily, the key becomes world readable and might be read by a local user monitoring the folder.
datenritter authored and antobinary committed Feb 24, 2024
1 parent fc40d50 commit be6f89f
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions bbb-install.sh
@@ -816,9 +816,10 @@ END
cat > /etc/letsencrypt/renewal-hooks/deploy/haproxy <<HERE
#!/bin/bash -e
{ cat /etc/letsencrypt/live/$HOST/fullchain.pem; echo; cat /etc/letsencrypt/live/$HOST/privkey.pem; } > /etc/haproxy/certbundle.pem.new
chown root:haproxy /etc/haproxy/certbundle.pem.new
{ touch /etc/haproxy/certbundle.pem.new
chmod 0640 /etc/haproxy/certbundle.pem.new
cat /etc/letsencrypt/live/$HOST/fullchain.pem; echo; cat /etc/letsencrypt/live/$HOST/privkey.pem; } > /etc/haproxy/certbundle.pem.new
chown root:haproxy /etc/haproxy/certbundle.pem.new
mv /etc/haproxy/certbundle.pem.new /etc/haproxy/certbundle.pem
systemctl reload haproxy
HERE
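Review bot: the redirection on the `{ ... } > /etc/haproxy/certbundle.pem.new` group is set up by the shell before any command inside the braces runs, so the file is created with the process umask (0644 under the usual 022) before `touch` and `chmod 0640` execute; the `chmod` does narrow the mode before `cat` writes the key, which removes the window described in the commit message for anyone opening the file afterwards, but a mode change does not affect a descriptor that was already opened during that brief moment. Adding `umask 077` right after the `#!/bin/bash -e` line makes the file 0600 from creation, after which the existing `chmod 0640` and `chown root:haproxy` widen access only for the haproxy group; with that in place the `touch` is redundant and can be dropped.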
