Exim doesn't like symlinks for certificate files [wrong!, solved]


#1

I’m using a certificate with exim4 on Debian but I’ve found that I need to point exim at /etc/letsencrypt/archive/mydomain.com/fullchain1.pem instead of the .../live/mydomain/fullchain.pem.

I also had to change the permissions in /e/l/a because it assumes only root will be accessing these, which is not true on my system (e.g. exim does not run as root, but nevertheless needs access to the private cert).

But I notice the 1 in the archive and assume there will be a 2 at some point, perhaps after renewal. This will obviously break my exim config.

Can anyone explain under what circumstances the names in /e/l/archive/ are created/updated?

Otherwise I’ll need to write a knotty script that derefs symlinks to ensure that exim has the up-to-date cert.

Thanks


#2

What is the exact error you’re getting?


#3

It’s actually a security risk not having root (and no read access for other users) as owner for your private key. Most of the software accessing private keys is started as root, accesses the key and drops privileges to a non-root user afterwards… As far as I know, that’s the right way to do things :)


#4

It’s owned root, but I put the particular key in a group that grants access to the appropriate non-root user.


#5

That is sadly at least not the case for ejabberd and prosody. Must be an xmpp server thing…


#6

Well it says this:

TLS error on connection from example.com [1.2.3.4] (cert/key setup:
cert=/etc/letsencrypt/live/mydomain.com/fullchain.pem
key=/etc/letsencrypt/live/mydomain.com/privkey.pem): Error while reading file.

Switch to non-symlink path and it works.

I suppose I just have to make a script copy from the dereferenced symlink to a stable path and point exim at that.


#7

And just to check, you can access that path as the user that exim is running as?

It makes no sense that it wouldn’t work. You have to go out of your way as an application to treat symlinks specially. Unless an application is specifically made aware of symlinks because it needs to be, it wouldn’t know the difference between a link and a regular file, and it makes no sense that exim would treat symlinks in a special way, at least not for certificates.


#8

Well, what a duffer I am. Yes, Exim could not get to one of the parent dirs of the symlink target. Doh!


#9

I had the same problem. I’m not sure what the best solution is, but I found that setting the group owner to Debian-exim on the archive/ and live/ dirs did the trick:

server:/etc/letsencrypt# ls -al
total 16
drwxr-xr-x   8 root root         111 Oct 16 15:50 .
drwxr-xr-x 131 root root        8192 Oct 16 15:47 ..
drwx------   3 root root          41 Oct 16 15:49 accounts
drwxr-x---   3 root Debian-exim   24 Oct 16 17:43 archive
drwxr-xr-x   2 root root         114 Oct 16 17:32 csr
drwx------   2 root root         114 Oct 16 17:32 keys
drwxr-x---   3 root Debian-exim   24 Oct 16 17:43 live
-rw-r--r--   1 root root        1389 Oct 16 15:47 options-ssl-apache.conf
drwxr-xr-x   2 root root          29 Oct 16 17:43 renewal

-Paul
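Added example, not code from any poster in this thread: a small shell check that would have caught the problem in #8 and lets you verify the fix from #9 before restarting exim. It walks the certificate path twice, once as typed (the live/ side) and once fully resolved with readlink -f (the archive/ side), and reports every directory on which the given group lacks the search (x) bit, or the final file on which it lacks read (r). It assumes Linux userland (GNU/BusyBox stat -c and readlink -f), that the files are owned by root rather than by the MTA user (as in Paul's listing, so owner bits are ignored), and uses a placeholder domain and a placeholder PEM; the group name Debian-exim is only a parameter. The demo tree it builds is constructed, not a real certbot directory, and the caller's primary group stands in for Debian-exim because chgrp to an arbitrary group needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether GROUP can reach a
# certificate file through every directory on the way, following symlinks
# the way exim's open() would. Assumes Linux stat/readlink; owner bits are
# ignored on the assumption that root, not the MTA user, owns the files.

# bit_ok BIT NEED -> true if permission character BIT satisfies NEED
# ('x' is also satisfied by the setgid/sticky forms 's' and 't').
bit_ok() {
    case "$2" in
        x) case "$1" in x|s|t) return 0 ;; esac ;;
        r) [ "$1" = r ] && return 0 ;;
    esac
    return 1
}

# cert_path_check FILE GROUP
# Prints mode, group and path of each component, appending DENIED where
# neither "other" nor GROUP has x on a directory / r on the final file.
# Returns 0 if everything is accessible, 1 if anything is denied, 2 on error.
cert_path_check() {
    grp=$2
    case "$1" in /*) given=$1 ;; *) given=$PWD/$1 ;; esac
    target=$(readlink -f "$given") || return 2
    rc=0
    nl='
'
    seen=$nl
    # Walk the path as given (live/...), then the resolved path (archive/...),
    # so directories on both sides of the symlink are covered exactly once.
    for p in "$given" "$target"; do
        path=""
        oldifs=$IFS; IFS=/; set -f; set -- $p; set +f; IFS=$oldifs
        for comp in "$@"; do
            [ -z "$comp" ] && continue
            path="$path/$comp"
            case "$seen" in *"$nl$path$nl"*) continue ;; esac
            seen="$seen$path$nl"
            mode=$(stat -L -c %A "$path") || return 2   # e.g. drwxr-x---
            fgrp=$(stat -L -c %G "$path") || return 2
            if [ -d "$path" ]; then
                need=x; gpos=7; opos=10   # search bit: group col 7, other col 10
            else
                need=r; gpos=5; opos=8    # read bit: group col 5, other col 8
            fi
            gbit=$(printf '%s' "$mode" | cut -c "$gpos")
            obit=$(printf '%s' "$mode" | cut -c "$opos")
            if bit_ok "$obit" "$need" || { [ "$fgrp" = "$grp" ] && bit_ok "$gbit" "$need"; }; then
                printf '%s %-12s %s\n' "$mode" "$fgrp" "$path"
            else
                printf '%s %-12s %s  DENIED for group %s\n' "$mode" "$fgrp" "$path" "$grp"
                rc=1
            fi
        done
    done
    return $rc
}

# build_demo_tree DIR
# Constructs a stand-in for the certbot layout (placeholder PEM, not a real
# certificate) with live/ and archive/ at 0750 as in #9. The caller's
# primary group stands in for Debian-exim.
build_demo_tree() {
    root=$1
    mkdir -p "$root/archive/example.org" "$root/live/example.org"
    chmod 755 "$root"
    printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' \
        > "$root/archive/example.org/fullchain1.pem"
    chmod 644 "$root/archive/example.org/fullchain1.pem"
    ln -s ../../archive/example.org/fullchain1.pem "$root/live/example.org/fullchain.pem"
    chmod 750 "$root/archive" "$root/live"
    chgrp "$(id -gn)" "$root/archive" "$root/live"
}

# Stand-alone demo: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    T=$(mktemp -d)
    build_demo_tree "$T"
    echo "== group that owns neither live/ nor archive/ (the situation in #6):"
    cert_path_check "$T/live/example.org/fullchain.pem" Debian-exim \
        || echo "-> exim running in that group would get 'Error while reading file'"
    echo "== group given ownership of live/ and archive/ (the fix in #9):"
    cert_path_check "$T/live/example.org/fullchain.pem" "$(id -gn)" \
        || echo "-> still denied somewhere above the demo tree"
    rm -rf "$T"
fi
```

On a real host run it as `cert_path_check /etc/letsencrypt/live/mydomain.com/privkey.pem Debian-exim` (paths from the thread, adjust to yours); any line marked DENIED is a directory exim cannot search or a file it cannot read, which is exactly what the "Error while reading file" message in #6 hides. Note that the check inspects permission bits only, so it will not see ACLs or AppArmor rules, and that readlink -f resolves to the current archive/fullchainN.pem, so it also shows which archived file the live/ link points at after a renewal.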