Exim doesn't like symlinks for certificate files [wrong!, solved]

artfulrobot · February 25, 2016, 1:15pm

I’m using a certificate with exim4 on Debian but I’ve found that I need to point exim at /etc/letsencrypt/archive/mydomain.com/fullchain1.pem instead of the .../live/mydomain/fullchain.pem.

I also had to change the permissions in /e/l/a because it assumes only root will be accessing these, which is not true on my system (e.g. exim does not run as root, but nevertheless needs access to the private cert).

But I notice the 1 in the archive and assume there will be a 2 at some point, perhaps after renewal. This will obvs. break my exim config.

Can anyone explain under what circumstances the names in /e/l/archive/ are created/updated?

Otherwise I’ll need to write a knotty script that derefs symlinks to ensure that exim has the up-to-date cert.

Thanks

TCM · February 25, 2016, 1:24pm

What is the exact error you’re getting?

Osiris · February 25, 2016, 2:08pm

It’s actually a security risk not having root (and no read access for other users) as owner for your private key. Most of the software accessing private keys are started as root, access the key and drop privileges to a non-root user afterwards… As far as I know, that’s the right way to do things

artfulrobot · February 25, 2016, 2:36pm

It’s owned root, but I put the particular key in a group that grants access to the appropriate non-root user.

Nit · February 25, 2016, 2:43pm

That is sadly at least not the case of ejabberd and prosody. Must be an xmpp server things…

artfulrobot · February 25, 2016, 2:46pm

Well it says this:

TLS error on connection from example.com [1.2.3.4] (cert/key setup: 
cert=/etc/letsencrypt/live/mydomain.com/fullchain.pem 
key=/etc/letsencrypt/live/mydomain.com/privkey.pem): Error while reading file.

Switch to non-symlink path and it works.

I suppose I just have to make a script copy from the dereferenced symlink to a stable path and point exim at that.

TCM · February 25, 2016, 3:32pm

And just to check, you can access that path as the user that exim is running as?

It makes no sense that it wouldn’t work. You have to go out of your way as an application to treat symlinks special. If an application is not aware of symlinks because it specifically needs to be, then it wouldn’t know the difference between a link and a regular file, and it makes no sense that exim would treat symlinks in a special way, at least not certificates.

artfulrobot · February 25, 2016, 4:24pm

Well what a duffer I am. Yes, Exim could not get to one of the parent of the symlink dirs. Doh!

R33P · October 16, 2017, 9:26pm

I had the same problem. I’m not sure what the best solution is, but I found that setting the group owner to Debian-exim on the archive/ and live/ dirs did the trick:

server:/etc/letsencrypt# ls -al
total 16
drwxr-xr-x   8 root root         111 Oct 16 15:50 .
drwxr-xr-x 131 root root        8192 Oct 16 15:47 ..
drwx------   3 root root          41 Oct 16 15:49 accounts
drwxr-x---   3 root Debian-exim   24 Oct 16 17:43 archive
drwxr-xr-x   2 root root         114 Oct 16 17:32 csr
drwx------   2 root root         114 Oct 16 17:32 keys
drwxr-x---   3 root Debian-exim   24 Oct 16 17:43 live
-rw-r--r--   1 root root        1389 Oct 16 15:47 options-ssl-apache.conf
drwxr-xr-x   2 root root          29 Oct 16 17:43 renewal

-Paul

Topic		Replies	Views
[resolved] Why is live subdirectory permissions 700? Server	5	1616	October 26, 2017
Private key permissions after certbot renewal Help	6	2224	February 28, 2021
Debian jessie possible permission issue for exim4 Help	3	5598	September 19, 2016
Exim4 and LE certs Server	1	2972	December 29, 2015
Symlinks not correct in /live folder Help	8	4516	June 16, 2017

Exim doesn't like symlinks for certificate files [wrong!, solved]

Related topics