acme: wrong permissions for .well-known/acme-challenge/* / 403 #106603

Closed
rkoe opened this issue Dec 10, 2020 · 4 comments · Fixed by #106857
Labels
0.kind: bug Something is broken 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@rkoe
Contributor

rkoe commented Dec 10, 2020

Describe the bug
Since 20.09, renewing Let's Encrypt certificates fails with lighttpd.

The problem is that:

  • the files created below .well-known/acme-challenge/ are not world-readable anymore (This is the bug.)
  • lighttpd only serves world-readable files (for security reasons)
  • so, trying to read the acme-challenge via http(s) results in 403, and the certificate creation fails:
    log message: acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://DOMAIN/.well-known/acme-challenge/...

This is probably caused by #91121, line UMask = 0027; this should probably be UMask = 0022;

Workaround:

  • "Manually" fix the permissions during certificate renewal, e.g. by running the following as root (ls -l instead of the interactive ll alias, so it also works in a non-interactive shell):
    while true; do ls -l */.well-known/acme-challenge/; chmod a+r */.well-known/acme-challenge/*; sleep 0.05; done
  • restart all renewal-services: systemctl restart acme-DOMAIN.service
  • repeat each time new certificates are necessary, until this bug is fixed

(Note: This problem is independent from #101445)

To Reproduce
Steps to reproduce the behavior:

  1. run lighttpd
  2. add an acme configuration for a domain that is served by lighttpd
  3. try to renew a certificate

Notify maintainers
@m1cr0man @flokli

@rkoe rkoe added the 0.kind: bug Something is broken label Dec 10, 2020
@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Dec 10, 2020
@m1cr0man
Contributor

You have two options to resolve this:

  1. Add the lighttpd user to the acme group in your config
  2. Set the group of your cert(s) to the lighttpd group. This is what Apache HTTPD does

@gstrauss

  1. lighttpd supports TLS-ALPN-01 ("acme-tls/1") since lighttpd 1.4.53, and that challenge type is supported by the dehydrated client, among others. lighttpd TLS-ALPN-01

@m1cr0man
Contributor

Sorry, reading over this again I understand what you're really highlighting here. I will change the UMask to 0023. This is safe enough as lego does a good job at not outputting sensitive files with the wrong permissions, and we have our own chmods in the renew script to do the same thing.

@m1cr0man
Contributor

@rkoe could you give #106857 a test please?

m1cr0man added a commit to m1cr0man/nixpkgs that referenced this issue Dec 28, 2020
Closes NixOS#106603
Some webservers (lighttpd) require that the
files they are serving are world readable. We
do our own chmods in the scripts anyway, and
lego has sensible permissions on its output
files, so this change is safe enough.
m1cr0man added a commit to m1cr0man/nixpkgs that referenced this issue Feb 6, 2021
Closes NixOS#106603
Some webservers (lighttpd) require that the
files they are serving are world readable. We
do our own chmods in the scripts anyway, and
lego has sensible permissions on its output
files, so this change is safe enough.

(cherry picked from commit f670e1d)