Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set the correct owner and permissions for SSL certificate and key #1370

Merged
merged 4 commits into from
Aug 15, 2017
Merged

Set the correct owner and permissions for SSL certificate and key #1370

merged 4 commits into from
Aug 15, 2017

Conversation

jaym
Copy link
Contributor

@jaym jaym commented Aug 14, 2017

This is a follow up to #1366 and
#1368.

This patch will set the owner of the ssl certificate and key to the
user that is running rabbitmq/nginx. In #1366, we discovered that
rabbitmq was expecting certs to be in the nginx directory, however
that wasn't necessarily the case when the ssl certificate was not
generated by private-chef-cookbooks. In these cases, the rabbitmq
management interface would be completely broken as the certs we
asked it to use were not there. After fixing that, #1368 was required
because the custom certificate that was being set for the accpetance
environment was owned by root and had the permissions 600, which meant
the opscode user could not read it. Rabbitmq does not start as root like
nginx, so rabitmq was unable to read the certificate. While #1368 got
our environment working, I suspect others may run into a similar issue
unless we explicitly set the owner and permissions on the files to what
we expect.

@jaym jaym requested a review from a team August 14, 2017 13:27
@jaym jaym force-pushed the jdm/cert-key-perms branch from ef53919 to 4394f62 Compare August 14, 2017 13:28
schisamo
schisamo suggested changes Aug 14, 2017
View reviewed changes
Copy link
Contributor

@schisamo schisamo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jaym To ensure this is working as expected in our infra let's remove the changes introduced into the chef-server-deploy cookbook in:
a9b396f

@jaym jaym requested a review from a team as a code owner August 14, 2017 14:18
tduffield
tduffield suggested changes Aug 14, 2017
View reviewed changes
Copy link
Contributor

@tduffield tduffield left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'll need to update the version in the metadata.rb otherwise the cookbook won't get uploaded correctly.

@jaym jaym force-pushed the jdm/cert-key-perms branch from 194355c to 1d68b7f Compare August 14, 2017 20:25
stevendanna
stevendanna approved these changes Aug 15, 2017
View reviewed changes
Copy link
Contributor

@stevendanna stevendanna left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks reasonable. If we wanted we could maybe do permissions 640 with the owner as root and the group as opscode, but I think that is a bit more confusing and doesn't add too much benefit.

@jaym
Copy link
Contributor Author

jaym commented Aug 15, 2017

i think that makes sense, everything else is owned by root

@jaym jaym force-pushed the jdm/cert-key-perms branch from 1d68b7f to d46c210 Compare August 15, 2017 13:40
Jay Mundrawala added 4 commits August 15, 2017 06:47
Set the correct owner and permissions for SSL certificate and key
917bde0 
This is a follow up to #1366 and
#1368.

This patch will set the owner of the ssl certificate and key to the
user that is running rabbitmq/nginx. In #1366, we discovered that
rabbitmq was expecting certs to be in the nginx directory, however
that wasn't necessarily the case when the ssl certificate was not
generated by private-chef-cookbooks. In these cases, the rabbitmq
management interface would be completely broken as the certs we
asked it to use were not there. After fixing that, #1368 was required
because the custom certificate that was being set for the accpetance
environment was owned by root and had the permissions 600, which meant
the opscode user could not read it. Rabbitmq does not start as root like
nginx, so rabitmq was unable to read the certificate. While #1368 got
our environment working, I suspect others may run into a similar issue
unless we explicitly set the owner and permissions on the files to what
we expect.

Signed-off-by: Jay Mundrawala <[email protected]>
Revert a9b396f
a82ff3a 
This is now set correctly when running chef-server-ctl reconfigure

Signed-off-by: Jay Mundrawala <[email protected]>
Bump cookbook version
b15614f 
Signed-off-by: Jay Mundrawala <[email protected]>
Make root own the certs, but part of the opscode group
6e29bf7 
Signed-off-by: Jay Mundrawala <[email protected]>
@jaym jaym force-pushed the jdm/cert-key-perms branch from d46c210 to 6e29bf7 Compare August 15, 2017 13:47
@stevendanna stevendanna merged commit 8845c54 into master Aug 15, 2017
@jaym jaym deleted the jdm/cert-key-perms branch August 15, 2017 14:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@schisamo schisamo schisamo approved these changes

@stevendanna stevendanna stevendanna approved these changes

@tduffield tduffield tduffield approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jaym @schisamo @stevendanna @tduffield