I use certbot to issue certificates that will be used by an IRC server. The IRC server runs as an unprivileged role user, so it can't simply read the private key from /etc/letsencrypt. Instead, I use the following script (invoked from a post-renewal hook) to copy the certificate and private key for the ircd's use:
#!/bin/bash
# usage:
# install-lecerts irc.example.com ircd ircd /var/ircd
set -eu
DOMAIN=$1
TARGET_USER=$2
TARGET_GROUP=$3
BASEDIR=$4
CHAIN=${BASEDIR}/fullchain.pem
PRIVKEY=${BASEDIR}/privkey.pem
LE_SOURCEDIR=${LE_SOURCEDIR-/etc/letsencrypt/live}
# world-readable directory:
mkdir -p "$BASEDIR"
# containing 0600 files:
umask 077
# staging files live in $BASEDIR itself (mktemp creates them 0600), so the
# final mv below is a rename(2) within one filesystem, not a copy:
CHAINTMP=$(mktemp "${BASEDIR}/.fullchain.XXXXXX")
PRIVKEYTMP=$(mktemp "${BASEDIR}/.privkey.XXXXXX")
# live/<domain>/ holds symlinks into archive/; cp follows them and copies
# the current certificate chain and key:
cp "${LE_SOURCEDIR}/${DOMAIN}/fullchain.pem" "$CHAINTMP"
cp "${LE_SOURCEDIR}/${DOMAIN}/privkey.pem" "$PRIVKEYTMP"
chown "$TARGET_USER:$TARGET_GROUP" "$CHAINTMP" "$PRIVKEYTMP"
# atomicity isn't really possible here; as long as the server ends up doing
# two separate open(2) calls to read the certificate and the private key,
# it is possible for it to see a mismatched cert and key.
mv "$CHAINTMP" "$CHAIN"
mv "$PRIVKEYTMP" "$PRIVKEY"
exit 0
The essential aspects of this are copying the certificates and handling the changes of owner/group and permissions. The less essential aspect is the attempt to perform the operation as atomically as possible (although this still isn’t perfect).
Would it make sense for certbot to provide this functionality via a subcommand, e.g., certbot install? I would probably be able to submit a pull request for this.
Thanks for your time!
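A fuller version of the same hook, written for this page as an added example (it is not the poster's script and not anything certbot ships). It keeps the post's layout (world-searchable directory, 0600 files owned by the ircd user, rename into place) and adds the checks a deploy hook usually wants: it stages in a private temporary directory created with mktemp, refuses to install a private key that does not match the certificate, and ignores renewals of unrelated lineages when run as a certbot --deploy-hook (certbot exports RENEWED_LINEAGE there; the example assumes the lineage name equals the domain, which holds unless --cert-name was used). It also writes a combined cert+key file, so a daemon that can read both from one file gets a consistent pair from a single open(2), which is the one way around the two-open race the post describes; whether the ircd accepts such a file is an assumption. The demo at the bottom builds a throwaway lineage with a self-signed certificate: constructed test data, not Let's Encrypt output, installed for the current user rather than a role user. The LECERTS_VERIFY knob exists only so the demo can run where openssl is missing.

```shell
#!/bin/bash
# Deploy-hook example (added here, not the original poster's script): copy a
# certbot lineage into a directory an unprivileged ircd can read.
set -eu

# file_mode PATH: print the symbolic mode string, e.g. "-rw-------".
file_mode() { ls -ld "$1" | cut -c1-10; }

# verify_pair CHAIN KEY: succeed only if KEY's public key equals the public
# key in the leaf certificate of CHAIN (works for RSA and EC keys).
verify_pair() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# install_lecerts DOMAIN USER GROUP BASEDIR [LIVEDIR]
install_lecerts() {
  local domain=$1 user=$2 group=$3 basedir=$4
  local live=${5:-/etc/letsencrypt/live}
  local src=$live/$domain tmp

  # As a --deploy-hook this runs once per renewed lineage; only act on ours.
  # Assumes the lineage name equals DOMAIN (true unless --cert-name was used).
  if [ -n "${RENEWED_LINEAGE:-}" ] && [ "$(basename "$RENEWED_LINEAGE")" != "$domain" ]; then
    return 0
  fi

  # World-searchable directory, private files (same layout as the post).
  mkdir -p "$basedir"
  chmod 0755 "$basedir"

  # Stage inside $basedir so the final rename(2) never crosses a filesystem.
  # mktemp -d gives a 0700 directory, so nothing is visible while staging.
  tmp=$(mktemp -d "$basedir/.stage.XXXXXX")
  cp "$src/fullchain.pem" "$tmp/fullchain.pem"
  cp "$src/privkey.pem"   "$tmp/privkey.pem"
  # Combined PEM: a daemon that reads cert and key from one file sees a
  # consistent pair in a single open(2) (assumption: the ircd accepts this).
  cat "$tmp/fullchain.pem" "$tmp/privkey.pem" > "$tmp/combined.pem"
  chmod 0600 "$tmp"/*.pem
  chown "$user:$group" "$tmp"/*.pem

  # Refuse to deploy a mismatched pair.  Handled explicitly rather than via
  # set -e, which bash suppresses when the function is called in an "if".
  if [ "${LECERTS_VERIFY:-1}" = 1 ] && ! verify_pair "$tmp/fullchain.pem" "$tmp/privkey.pem"; then
    echo "install_lecerts: $src: private key does not match certificate" >&2
    rm -rf "$tmp"
    return 1
  fi

  # Each rename is atomic; the pair still is not (see the post).  The
  # combined file goes first so single-file readers are never behind.
  mv -f "$tmp/combined.pem"  "$basedir/combined.pem"
  mv -f "$tmp/fullchain.pem" "$basedir/fullchain.pem"
  mv -f "$tmp/privkey.pem"   "$basedir/privkey.pem"
  rmdir "$tmp"
}

# ---- Demo with a constructed lineage (not real Let's Encrypt data) ---------
DEMO=$(mktemp -d)
LINEAGE=$DEMO/live/irc.example.com
mkdir -p "$LINEAGE"
if command -v openssl >/dev/null 2>&1; then
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=irc.example.com" \
    -keyout "$LINEAGE/privkey.pem" -out "$LINEAGE/fullchain.pem" 2>/dev/null
else
  # No openssl: placeholder PEMs, so the key/cert check has to be skipped.
  printf -- '-----BEGIN CERTIFICATE-----\nMA==\n-----END CERTIFICATE-----\n' > "$LINEAGE/fullchain.pem"
  printf -- '-----BEGIN PRIVATE KEY-----\nMA==\n-----END PRIVATE KEY-----\n' > "$LINEAGE/privkey.pem"
  LECERTS_VERIFY=0
fi
# A real deployment passes the ircd's role user/group; the demo uses our own.
install_lecerts irc.example.com "$(id -u)" "$(id -g)" "$DEMO/ircd" "$DEMO/live"
echo "installed into $DEMO/ircd:"; ls -l "$DEMO/ircd"
```

In production this is wired up as `certbot renew --deploy-hook '/usr/local/sbin/install-lecerts irc.example.com ircd ircd /var/ircd'`. The ircd still has to be told to reload its certificate afterwards; the script deliberately leaves that out because the reload command is server-specific.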