Bug 7080 - tlwebaccess/tlwebadm refuses to work with cert key in private dir
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: 1.3.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Peter Åstrand
Reported: 2017-11-20 10:46 CET by Pierre Ossman
Modified: 2022-05-11 13:11 CEST

Description Pierre Ossman cendio 2017-11-20 10:46:58 CET
tlwebaccess and tlwebadm have a security check that the private key isn't world readable. When this triggers we get:

> 2017-11-20 10:41:22 ERROR tlwebaccess[14211]: [::ffff:83.233.150.227] File is read and writeable by others than file owner.
> 2017-11-20 10:41:22 ERROR tlwebaccess[14211]: [::ffff:83.233.150.227] Failed to reliable read the certificate key from file, exiting.

Unfortunately it only checks the file itself, rather than the entire path leading to the file. This breaks certbot/letsencrypt as they secure the files via the directory:

> drwx------. 3 root root 34 Nov 20 10:38 /etc/letsencrypt/archive/

and not the files:

> -rw-r--r--. 1 root root 1704 Nov 20 10:38 /etc/letsencrypt/archive/certdemo.thinlinc.com/privkey1.pem

This means we cannot use these files directly without some modification.
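
A path-aware version of the check described in the report, as an added example that is not part of the original report and is not ThinLinc code: a key with loose mode bits is accepted when a parent directory owned by the key owner or root denies search to group and others. The function names and the sample directory modes other than the two shown in the report are assumptions; ACLs and hard links are not considered.

```python
import os
import stat

def stat_chain(path):
    """Return [(path, uid, mode), ...] for the key file and each parent up to /."""
    cur = os.path.realpath(path)      # resolve symlinks such as live/ -> archive/
    chain = []
    while True:
        st = os.stat(cur)
        chain.append((cur, st.st_uid, st.st_mode))
        parent = os.path.dirname(cur)
        if parent == cur:
            return chain
        cur = parent

def key_is_private(chain):
    """chain[0] is the key file, the rest its parent directories.
    Returns (ok, reason)."""
    key_path, key_uid, key_mode = chain[0]
    if not stat.S_ISREG(key_mode):
        return False, "not a regular file"
    if stat.S_IMODE(key_mode) & 0o077 == 0:
        return True, "file is owner-only"
    # Loose file bits are acceptable only behind a directory that group and
    # others cannot search, owned by the key owner or root.
    for dir_path, dir_uid, dir_mode in chain[1:]:
        if dir_uid in (key_uid, 0) and stat.S_IMODE(dir_mode) & 0o011 == 0:
            return True, "protected by directory " + dir_path
    return False, "readable through every parent directory"

# Constructed sample: the two modes shown in the report (0700 archive/, 0644 key);
# the modes of the other directories are assumed for illustration.
REPORT_CHAIN = [
    ("/etc/letsencrypt/archive/certdemo.thinlinc.com/privkey1.pem", 0, stat.S_IFREG | 0o644),
    ("/etc/letsencrypt/archive/certdemo.thinlinc.com", 0, stat.S_IFDIR | 0o755),
    ("/etc/letsencrypt/archive", 0, stat.S_IFDIR | 0o700),
    ("/etc/letsencrypt", 0, stat.S_IFDIR | 0o755),
    ("/etc", 0, stat.S_IFDIR | 0o755),
    ("/", 0, stat.S_IFDIR | 0o755),
]

if __name__ == "__main__":
    print(key_is_private(REPORT_CHAIN))
    # On a live system: key_is_private(stat_chain("/path/to/privkey.pem"))
```
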
Comment 1 Martin Östlund cendio 2022-05-11 13:11:07 CEST
This might not be true any more. Since Certbot v0.29.0 they changed default key permissions from 0644 to 0660.

https://community.letsencrypt.org/t/certbot-0-29-0-release/79306
