Permissions for deploy script

I'm trying to set up a deploy script to import a renewed certificate into a Java keystore and seem to be running into permissions issues. The code being run is:

#!/bin/bash

# Convert the private key and certificate to a PKCS12 file
openssl pkcs12 -export -in /etc/letsencrypt/live/**DOMAIN_SUBDOMAIN**/fullchain.pem -inkey /etc/letsencrypt/live/**DOMAIN_SUBDOMAIN**/privkey.pem -out /etc/letsencrypt/live/**DOMAIN_SUBDOMAIN**/pkcs.p12 -name **KEYCLOAK_SSL_ALIAS** -passout pass:**KEYCLOAK_SSL_PASSWORD**

# Remove the old certificate from our keystore
keytool -delete -noprompt -alias **KEYCLOAK_SSL_ALIAS** -keystore /opt/keycloak/current/standalone/configuration/keycloak.jks -storepass **KEYSTORE_PASSWORD**

# Import the new certificate to our keystore
# (keytool prints its "Importing keystore ... to ..." progress line on stderr,
# which certbot relays as "Error output" even when the import succeeded)
keytool -importkeystore -deststorepass **KEYSTORE_PASSWORD** -destkeypass **KEYCLOAK_SSL_PASSWORD** -destkeystore /opt/keycloak/current/standalone/configuration/keycloak.jks -srckeystore /etc/letsencrypt/live/**DOMAIN_SUBDOMAIN**/pkcs.p12 -srcstoretype PKCS12 -srcstorepass **KEYCLOAK_SSL_PASSWORD** -alias **KEYCLOAK_SSL_ALIAS**

# Restart Keycloak
systemctl restart keycloak

The file is executable. For testing I have put this in the post folder. If I run
sudo certbot renew --dry-run

I get:
Error output from post-hook command new-cert-to-keystore.sh:
Importing keystore /etc/letsencrypt/live/my.domain.com/pkcs.p12 to /opt/keycloak/current/standalone/configuration/keycloak.jks...

But no actual detail.

If I run the script directly with:
sudo ./new-cert-to-keystore.sh

it works fine.

This is on Ubuntu 20.04. How should Certbot and this script be set up/installed/permissions applied for the script to run successfully? Many thanks for any pointers.

That's not a certbot issue, but an issue with the commands in your script. The only thing certbot does is relay the output of the script.

Not sure, maybe keytool requires some specific environment (variables?) not present when run through certbot?

No there are no variables missing. Would this script be running as root if Certbot is triggering it to run?

If I run it without sudo I get a bunch of permission issues, which would be expected.

It would be running as the same user as certbot.

@soundsessential, you could consider including

set -x

in the script to make bash show all of the full command lines as they're run.

Are the ** things like **KEYCLOAK_SSL_PASSWORD** literally part of the script, or do they represent a redaction on your part of things that you didn't want to share here on the forum? If they're literally in this form in the script, then I wouldn't expect them to work because bash wouldn't have a way of figuring out what each of these values is supposed to be.

Thanks for the replies. I figured it out, this is not actually an error even though it says it is. All’s good!
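The behaviour the thread ends on, keytool writing its progress line to stderr and certbot reporting that as "Error output" although the import succeeded, is easier to live with when the hook judges each step by exit status and keeps stderr in a log. The script below is an added example, not the poster's script or anything from certbot or Keycloak; it assumes the caller sets KEYCLOAK_SSL_ALIAS, KEYCLOAK_SSL_PASSWORD and KEYSTORE_PASSWORD in the environment, optionally HOOK_LOG for the log location, and that certbot's --deploy-hook provides RENEWED_LINEAGE.

```shell
#!/bin/bash
# Added example, not the poster's script: a certbot hook wrapper that keeps
# each step's stderr in a log and judges success by exit status alone, since
# keytool -importkeystore prints "Importing keystore ... to ..." on stderr and
# certbot relays that as "Error output from post-hook command" on success too.
set -u

# Run one step; its stderr is appended to $HOOK_LOG (assumed path) and the
# step counts as failed only when its exit status is non-zero.
run_step() {
    local label=$1; shift
    local log=${HOOK_LOG:-/var/log/cert-deploy-hook.log}
    local rc=0
    "$@" 2>>"$log" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "$label: FAILED (exit $rc), details in $log" >&2
        return "$rc"
    fi
    echo "$label: ok"
}

# certbot's --deploy-hook exports RENEWED_LINEAGE (the live/<name> directory);
# the placeholder fallback is for running the script by hand.
lineage_dir() {
    printf '%s\n' "${RENEWED_LINEAGE:-/etc/letsencrypt/live/DOMAIN_SUBDOMAIN}"
}

# The thread's three steps, with secrets read from environment variables
# (KEYCLOAK_SSL_ALIAS, KEYCLOAK_SSL_PASSWORD, KEYSTORE_PASSWORD, assumed to be
# set by the caller) rather than placed on command lines visible in ps output.
deploy() {
    local live p12 jks
    live=$(lineage_dir)
    p12=$live/pkcs.p12
    jks=/opt/keycloak/current/standalone/configuration/keycloak.jks
    umask 077   # the PKCS12 bundle carries the private key: owner-only file
    run_step "export pkcs12" openssl pkcs12 -export -in "$live/fullchain.pem" \
        -inkey "$live/privkey.pem" -out "$p12" -name "$KEYCLOAK_SSL_ALIAS" \
        -passout env:KEYCLOAK_SSL_PASSWORD || return
    # -delete fails on a keystore that has no such alias yet; tolerate that
    run_step "remove old alias" keytool -delete -noprompt -alias "$KEYCLOAK_SSL_ALIAS" \
        -keystore "$jks" -storepass:env KEYSTORE_PASSWORD || true
    run_step "import new cert" keytool -importkeystore -noprompt -srckeystore "$p12" \
        -srcstoretype PKCS12 -srcstorepass:env KEYCLOAK_SSL_PASSWORD -destkeystore "$jks" \
        -deststorepass:env KEYSTORE_PASSWORD -destkeypass:env KEYCLOAK_SSL_PASSWORD \
        -alias "$KEYCLOAK_SSL_ALIAS" || return
    run_step "restart keycloak" systemctl restart keycloak
}

# Only run the deployment when invoked as "./new-cert-to-keystore.sh deploy".
if [ "${1:-}" = deploy ]; then deploy; fi
```

Run under certbot, a successful renewal now leaves the keytool progress line in the log while the hook exits 0, and a genuinely failing step surfaces its exit code instead of being mistaken for chatter.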
