Credentials configuration file having 'unsafe permissions'

Like it says on the tin, certbot is working fine, but I'm trying to secure my API token for Cloudflare. I -thought- chmod 600 was what I wanted (working from memory for doing SMB credentials in fstab), but it threw this error, so clearly I modded the file wrong.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rdw.one

I ran this command:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.certbot.ini --dns-cloudflare-propagation-seconds 60 -d rdw.one -d *.rdw.one

It produced this output (certificate generated just fine):

Renewing an existing certificate for rdw.one and *.rdw.one
Unsafe permissions on credentials configuration file: /home/heatheriac/.certbot.ini

My web server is (include version): apache 2.4.46

The operating system my web server runs on is (include version): 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Hi!

Is there a specific question you'd like to address? Because the warning message is pretty clear it seems.

Please note that for renewals you should be able to simply run sudo certbot renew. If you only want to renew a single certificate among many, you could use the --cert-name option.


I'm trying to figure out what the proper permissions value is for the credentials file. I thought it was 600, but since it's giving that error, I clearly messed up somewhere.

What's the owner of the file?


My user account: heatheriac/heatheriac

Oh ... wait. That's supposed to be root/root, isn't it?


Yupz 🙂

Certbot usually runs as root. Certbot will complain if the owner of the file isn't the user running the Certbot process.

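The two conditions discussed above, owner matching the user that runs Certbot and no group/other access bits, can be checked before invoking Certbot. The script below is an added example written for this thread; it is not Certbot's own code and does not claim to reproduce Certbot's exact logic. It assumes a Linux host with GNU `stat` and a POSIX shell, and the path and token value in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): check a credentials
# file against the two conditions raised in the discussion above.
# Assumes GNU stat (Linux) and a POSIX shell.

# check_credentials_perms PATH
# Returns 0 when PATH is a regular file owned by the uid running this script
# and carries no group/other permission bits; otherwise prints the reason to
# stderr and returns 1.
check_credentials_perms() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2
        return 1
    fi

    owner_uid=$(stat -c '%u' "$path")   # numeric owner uid
    mode=$(stat -c '%a' "$path")        # octal permission bits, e.g. 600
    current_uid=$(id -u)

    # Condition 1: the file must belong to the user running the process
    # (with "sudo certbot ..." that user is root, uid 0).
    if [ "$owner_uid" != "$current_uid" ]; then
        echo "owner uid $owner_uid differs from running uid $current_uid: $path" >&2
        return 1
    fi

    # Condition 2: no read/write/execute bits for group or others.
    # 0$mode forces octal interpretation; 077 masks the group/other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode grants access to group/others: $path" >&2
        return 1
    fi

    return 0
}

# Usage (placeholder path): run it the same way you run Certbot, so the
# running uid is the one that will read the file:
#   sudo sh ./check_creds.sh /root/.certbot.ini
if [ $# -gt 0 ]; then
    check_credentials_perms "$1" && echo "ok: $1"
fi
```

Because the owner comparison is made against the uid executing the script, run it under the same `sudo` you use for the `certbot` command; run as an unprivileged user it will report a mismatch for a root-owned file, which is the expected result rather than a bug.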

Yeah ... things should be better now. Part of the problem I have is I run multiple domains (so have to repeat this process regularly) and the last time I renewed a cert I had to move from apt's version to snap and rebuild a lot of stuff from the ground up.

I'm hoping this domain set is done and dusted, and just have to do the other domains once each (since I can do full wildcards), so having the credential file is beneficial for me in the future anyway.

Thanks for the rubber duck programming!


By the way, I searched the standard Certbot documentation and couldn't find anything about this warning, but it seems to be mentioned in the DNS plugin documentation: Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation


Thanks, I remember looking around for this when it first happened (technically this issue was a few weeks old, I've just been busy) and couldn't find anything. But I also have a tendency to do niche things, being self-hosted and such.
