Best practice for hook script to copy private key to apache2 /etc/ssl/private

I have a certbot server that pushes certs to servers. In the case of a couple, it can't get the private key into the directory (/etc/ssl/private). I can not run commands as root, but must run as user certbot. I have tried to copy to /tmp and /home/certbot on the destination Apache server, but this fails too.

How do people copy cert and privkey to Apache servers, and restart Apache? No matter how permissive I make the destination dir, it won't copy (rsync).

My domain is: ipa.prd.localnet.io

I ran this command: su certbot -c "rsync -azvL /etc/letsencrypt/live/ipa.prd.localnet.io/privkey.pem ply-jenkins01.ipa.prd.localnet.io:/home/certbot"

It produced this output: rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3]

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

Just a guess, but the /live/../privkey.pem file is a symlink.

Have you created the target file first?

6 Likes

The live pem is a symlink to the file in archive, which is

4 -rw-------  1 root root 1708 Dec 19 17:06 privkey1.pem

Yes, the target file on the Jenkins/Apache server is there in /etc/ssl/private from my manual copy of the file. Until now I have been manually putting the cert and priv key files on the Jenkins server, and restarting Apache, but trying to automate it.

Thanks for the help.

1 Like

If you can do it manually, then you can automate it.
Just make the exact same steps while using the exact same authority/users.

  • As user "A", copy files from "A" to "B"
  • As user "B", copy files from "B" to "C"
  • As user "C", restart/reload web server

5 Likes

I think the issue is, for whatever reason, when certbot creates the cert for this domain, it has different perms than certs created for other domains on this same certbot server.

root@ply-certbot-u20-01:/etc/letsencrypt/archive# pwd
/etc/letsencrypt/archive
root@ply-certbot-u20-01:/etc/letsencrypt/archive# ls -ls
total 44
4 drwxrwxrwx 2 root root 4096 Jan  2 03:46 inteliquent.net
4 drwxrwxrwx 2 root root 4096 Nov 30 04:02 inteliquent-stg.net
4 drwxrwxrwx 2 root root 4096 Dec  3 06:07 ipa.dev.localnet.io
4 drwxr-xr-x 2 root root 4096 Dec 19 17:06 ipa.prd.localnet.io
4 drwxrwxrwx 2 root root 4096 Dec  3 18:51 ipa.stg.localnet.io
4 drwxrwxrwx 2 root root 4096 Dec  8 04:16 sipis.inteliquent-stg.net
4 drwxrwxrwx 2 root root 4096 Dec 11 15:16 sipis.sip.global
4 drwxrwxrwx 2 root root 4096 Nov 25 16:53 vo.sip.global
4 drwxrwxrwx 2 root root 4096 Dec  3 20:31 voyant.com
4 drwxrwxrwx 2 root root 4096 Oct 18 19:55 voyant-stg.com
4 drwxrwxrwx 2 root root 4096 Apr  4  2022 vp.sip.global
root@ply-certbot-u20-01:/etc/letsencrypt/archive# ls -lsa inteliquent.net | grep priv
4 -rwxrwxrwx  1 root root 1708 Jan  7  2022 privkey1.pem
4 -rwxrwxrwx  1 root root 1704 Mar  8  2022 privkey2.pem
4 -rw-rwxr--  1 root root 1704 May  7  2022 privkey3.pem
4 -rw-rwxr--  1 root root 1704 Jul  6 03:46 privkey4.pem
4 -rw-rwxr--  1 root root 1704 Sep  4 03:46 privkey5.pem
4 -rw-rwxr--  1 root root 1704 Nov  3 03:46 privkey6.pem
4 -rw-rwxr--  1 root root 1704 Jan  2 03:46 privkey7.pem
root@ply-certbot-u20-01:/etc/letsencrypt/archive# ls -lsa inteliquent-stg.net | grep priv
4 -rwxrwxrwx  1 root root 1704 Jan  7  2022 privkey1.pem
4 -rwxrwxrwx  1 root root 1704 Feb  2  2022 privkey2.pem
4 -rw-rwxr--  1 root root 1704 Apr  4  2022 privkey3.pem
4 -rw-rwxr--  1 root root 1704 Jun  3  2022 privkey4.pem
4 -rw-rwxr--  1 root root 1704 Aug  2 04:02 privkey5.pem
4 -rw-rwxr--  1 root root 1704 Oct  1 04:02 privkey6.pem
4 -rw-rwxr--  1 root root 1708 Nov 30 04:02 privkey7.pem
root@ply-certbot-u20-01:/etc/letsencrypt/archive# ls -lsa ipa.dev.localnet.io | grep priv
4 -rwxrwxrwx  1 root root 1704 Jan 10  2022 privkey1.pem
4 -rwxrwxrwx  1 root root 1704 Jan 10  2022 privkey2.pem
4 -rwxrwxrwx  1 root root 1704 Jan 10  2022 privkey3.pem
4 -rwxrwxrwx  1 root root 1708 Jan 10  2022 privkey4.pem
4 -rwxrwxrwx  1 root root 1708 Jan 10  2022 privkey5.pem
4 -rw-rwxr--  1 root root 1704 May  9  2022 privkey6.pem
4 -rw-rwxr--  1 root root 1704 Jul  8 06:07 privkey7.pem
4 -rw-rwxr--  1 root root 1704 Oct  4 06:07 privkey8.pem
4 -rw-rwxr--  1 root root 1704 Dec  3 06:07 privkey9.pem
root@ply-certbot-u20-01:/etc/letsencrypt/archive# ls -lsa ipa.prd.localnet.io | grep priv
4 -rw-------  1 root root 1708 Dec 19 17:06 privkey1.pem
root@ply-certbot-u20-01:/etc/letsencrypt/archive#

That is NOT normal.
"root root" is fine.
But "-rwxrwxrwx" and "-rw-rwxr--" were altered.

5 Likes

Even in the other directories, the private keys' permissions vary. Unsure why that is.

That's normal.

5 Likes

OK, good to know. That would make sense for a private key.

Someone has tried modifying them to suit a particular need [likely to copy them].

The modifications should be made on the copy - not the original.

6 Likes

"The modifications should be made on the copy - not the original."

Unsure exactly what you mean by that.

Updated:

  • As user "A", copy files from "A" to "B"
    [make any necessary changes - chmod/chgrp/chown to files in "B"]

  • As user "B", copy files from "B" to "C"
    [make any necessary changes - chmod/chgrp/chown to files in "C"]

  • As user "C", restart/reload web server

Never change anything in "A"

6 Likes

I've used these Push and Pull models in the past:

  • Push - I write a script using Fabric (https://www.fabfile.org/) to automatically SSH into the remote server and restart apache. That is invoked as a Certbot hook.

  • Pull - The remote servers have a cronjob. They poll for new certificates, and copy/restart as needed.

For large systems, I use nginx to dynamically load (or request) certificates from an internal HTTP API and cache them into the server for a few hours.

In your situation... you could potentially run Certbot as a certbot user with an alternate --config-dir, and have a cronjob reset permissions on that directory (if needed). This works well if you run Certbot in standalone mode on a higher port (--http-01-port=8080) and then proxy the /.well-known/acme-challenge traffic onto that higher port.

5 Likes

Thank you jvanasco and rg305.

The recommendation to copy the source private key and manipulate that file (leaving ownership and permissions on the original under /etc/letsencrypt/ alone) worked.

I copied the priv key to a new file name in /etc/letsencrypt/live/, and altered its permissions, such that I can now remote cp it. I then do some other remote commands on the client to get the file where it needs to be, with the right ownership/permissions, and am able to reload Apache2.

Thanks for the help.

6 Likes
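rg305's three steps and the approach the OP ended up with, written as a certbot --deploy-hook. This is an added example, not code from the thread or from Certbot; the staging directory, the certbot user, the remote host and the remote sudo rule are assumptions.

```shell
#!/bin/sh
# Added example: A->B stages a copy of the key and fixes permissions on the copy
# only; B->C pushes the copy as an unprivileged user and a narrow sudo rule on
# the remote host installs it and reloads Apache. All names below are assumed.
set -eu

STAGE_DIR="${STAGE_DIR:-/var/lib/certbot-stage}"                 # "B" (assumed)
PUSH_USER="${PUSH_USER:-certbot}"                                 # unprivileged user
REMOTE_HOST="${REMOTE_HOST:-ply-jenkins01.ipa.prd.localnet.io}"   # "C"

# A -> B: dereference the live/ symlinks into the staging dir, then chmod/chown
# the staged copies. Nothing under /etc/letsencrypt is modified.
stage_key() {
    lineage="$1"; stage="$2"; owner="$3"
    mkdir -p "$stage"
    chmod 700 "$stage"
    cp -L "$lineage/privkey.pem" "$stage/privkey.pem"      # -L copies the target, not the link
    cp -L "$lineage/fullchain.pem" "$stage/fullchain.pem"
    chmod 600 "$stage/privkey.pem"
    chmod 644 "$stage/fullchain.pem"
    chown "$owner" "$stage/privkey.pem" "$stage/fullchain.pem"
}

# Returns 0 only if the staged key is a regular file (not a symlink) with mode 0600.
check_staged_key() {
    key="$1"
    [ -f "$key" ] && [ ! -L "$key" ] || return 1
    find "$key" -perm 600 | grep -q . || return 1
}

# B -> C: push as $PUSH_USER, then install into /etc/ssl/private (root:ssl-cert,
# 0640 is the Ubuntu convention) and reload. Assumes sudoers on the remote host
# lets $PUSH_USER run exactly these install and reload commands.
push_and_reload() {
    stage="$1"; host="$2"
    su "$PUSH_USER" -c "rsync -az '$stage/' '$host:certs/'"
    remote="sudo install -o root -g ssl-cert -m 640 certs/privkey.pem /etc/ssl/private/privkey.pem"
    remote="$remote && sudo install -o root -g root -m 644 certs/fullchain.pem /etc/ssl/certs/fullchain.pem"
    remote="$remote && sudo systemctl reload apache2"
    su "$PUSH_USER" -c "ssh '$host' '$remote'"
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy hooks;
# only run the pipeline when invoked that way.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_key "$RENEWED_LINEAGE" "$STAGE_DIR" "$PUSH_USER"
    check_staged_key "$STAGE_DIR/privkey.pem"
    push_and_reload "$STAGE_DIR" "$REMOTE_HOST"
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script.sh`; the hook runs as root, which is why the push step drops to $PUSH_USER with `su` exactly as the OP's manual command did.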
