Feature request: subcommand for safely copying certificates

I use certbot to issue certificates that will be used by an IRC server. The IRC server runs as an unprivileged role user, so it can’t simply read the private key from /etc/letsencrypt. Instead, I use the following script (invoked from a post-renewal hook) to copy the certificate and private key for the ircd’s use:

#!/bin/bash

# usage:
# install-lecerts irc.example.com ircd ircd /var/ircd

set -eu

DOMAIN=$1

TARGET_USER=$2
TARGET_GROUP=$3

BASEDIR=$4

CHAIN=${BASEDIR}/fullchain.pem
PRIVKEY=${BASEDIR}/privkey.pem
CHAINTMP=${BASEDIR}/$(uuidgen)
PRIVKEYTMP=${BASEDIR}/$(uuidgen)

LE_SOURCEDIR=${LE_SOURCEDIR-/etc/letsencrypt/live}

# world-readable directory:
mkdir -p "$BASEDIR"
# containing 0600 files:
umask 077
cp "${LE_SOURCEDIR}/${DOMAIN}/fullchain.pem" "$CHAINTMP"
cp "${LE_SOURCEDIR}/${DOMAIN}/privkey.pem" "$PRIVKEYTMP"
chown "$TARGET_USER:$TARGET_GROUP" "$CHAINTMP" "$PRIVKEYTMP"
# atomicity isn't really possible here; as long as the server ends up doing
# two separate open(2) calls to read the certificate and the private key,
# it is possible for it to see a mismatched cert and key.
mv "$CHAINTMP" "$CHAIN"
mv "$PRIVKEYTMP" "$PRIVKEY"

exit 0

The essential aspects of this are copying the certificates and handling the changes of owner/group and permissions. The less essential aspect is the attempt to perform the operation as atomically as possible (although this still isn’t perfect).

Would it make sense for certbot to provide this functionality via a subcommand, e.g., certbot install? I would probably be able to submit a pull request for this.

Thanks for your time.


Certbot already sports its own concept of authenticators and installers: https://certbot.eff.org/docs/contributing.html#installer

The approach there would be to write your own third-party Certbot plugin which implements an installer for your ircd, or indeed a generic “copy” installer which can be used for any server that doesn’t have privileged access. (Maybe it could become part of the core Certbot distribution if it fills a big need).

Other approaches include deploy hooks or changing group ownership on the private key, which is preserved through renewal since Certbot 0.29.0.

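As an added example (not from the thread and not Certbot's own code) tying the first post's script and its atomicity caveat to the deploy-hook route suggested in the reply: a deploy hook that copies the pair into a fresh per-renewal directory and then swaps a single "current" symlink with rename(2), so a server that opens current/fullchain.pem and current/privkey.pem never sees a chain from one renewal with a key from another. RENEWED_LINEAGE is a variable Certbot does export to --deploy-hook scripts; the user, group and /var/ircd target are assumed deployment values.

```bash
#!/bin/bash
# Added example, not from the thread or from Certbot. Certbot exports
# RENEWED_LINEAGE (the live/<name> directory) to deploy hooks; the
# target user/group and BASEDIR used at the bottom are assumptions.
set -eu

# install_pair LINEAGE_DIR TARGET_USER TARGET_GROUP BASEDIR
# Copies fullchain.pem and privkey.pem into a new directory, then renames a
# symlink over BASEDIR/current so readers see the old pair or the new pair,
# never a mix. Prints the new directory on success.
install_pair() {
  local lineage=$1 user=$2 group=$3 basedir=$4
  local newdir tmplink old
  mkdir -p "$basedir"
  # mktemp -d creates the directory 0700, so nothing is exposed mid-copy.
  newdir=$(mktemp -d "$basedir/certs.XXXXXX")
  (
    umask 077   # chain and private key land as 0600
    cp "$lineage/fullchain.pem" "$newdir/fullchain.pem"
    cp "$lineage/privkey.pem" "$newdir/privkey.pem"
  )
  chown "$user:$group" "$newdir" "$newdir/fullchain.pem" "$newdir/privkey.pem"
  chmod 0500 "$newdir"   # the daemon may traverse it; nobody else can list it
  # Build the new link beside the old one, then rename over it: rename(2)
  # replaces the name atomically. mv -T (GNU coreutils) stops mv from
  # descending into the directory the existing symlink points at.
  old=$(readlink "$basedir/current" 2>/dev/null || true)
  tmplink=$(mktemp -u "$basedir/current.XXXXXX")
  ln -s "$(basename "$newdir")" "$tmplink"
  mv -T "$tmplink" "$basedir/current"
  # Remove the previous copy only after the swap succeeded, and only if it
  # is one of our own certs.* directories.
  if [ -n "$old" ] && [ "$old" != "$(basename "$newdir")" ]; then
    case "$old" in
      certs.*) chmod u+w "$basedir/$old"; rm -rf "$basedir/$old" ;;
    esac
  fi
  echo "$newdir"
}

# When invoked by Certbot as a deploy hook, the lineage comes from the
# environment; assumed target values follow.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_pair "$RENEWED_LINEAGE" ircd ircd /var/ircd
fi
```

The daemon then points its configuration at BASEDIR/current/fullchain.pem and BASEDIR/current/privkey.pem and is reloaded after the hook runs.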

That makes sense, thanks.

I had previously been imagining this functionality as a “utility function” that could be invoked from a deploy hook, but I’ll look into the possibility of a generic “copy installer” that would work with the existing certbot install command.
