Comments (14)

blopker avatar blopker commented on May 13, 2024

Looked in to it more, looks like the script mounts docker into /etc/letsencrypt: https://github.com/sseemayer/dokku-letsencrypt/blob/master/functions#L59

You can either run docker with sudo or mount a different, dokku owned directory and use sudo to copy later.

from dokku-letsencrypt.

blopker avatar blopker commented on May 13, 2024

Also instead of copying the certs to $APP_SSL_PATH here: https://github.com/sseemayer/dokku-letsencrypt/blob/master/functions#L71 Letsencrypt recommends the script just symlinks to the live folder.

sseemayer avatar sseemayer commented on May 13, 2024

Two excellent points!

  1. Regarding the chown to dokku: I was already aware of the problem and absolutely agree - things are the way they are currently because dokku plugins are being run as the 'dokku' user who does not have access to /etc/letsencrypt so access to the certs is denied by default. Two possible cleaner solutions that I can see would be to introduce a new user group to control access or to use ACLs (not installed by default on Ubuntu 14.04 LTS which is recommended by dokku and I'm not sure if it's reasonable to require ACLs as a dependency to the plugin). What are your thoughts on how to best secure this?
  2. Regarding the cert copy: Great suggestion and should be very easy to fix. I'll probably manage to work on this tomorrow or this could also be a nice pull request 😉

blopker avatar blopker commented on May 13, 2024

As far as 1. goes, the script already uses sudo to restart nginx. Sprinkling a couple more sudos around should be good enough. Adding a user group or ACLs doesn't really make access any more secure in my mind, but who knows.

sseemayer avatar sseemayer commented on May 13, 2024

Regarding 1., the sudo command reloading nginx is possible because of a special rule in /etc/sudoers.d/dokku-nginx.conf:

%dokku ALL=(ALL) NOPASSWD:/etc/init.d/nginx reload, /usr/sbin/nginx -t

We could install something similar to grant access to sudo cp although that would open an even bigger can of worms than giving read access to the dokku user and doesn't work in conjunction with 2. since the link destination needs to be readable for the dokku user. EDIT: I forgot about your remark that TLS certificates will be read by nginx as 'root'. The dokku certs:* will probably have problems working on the certificate, though.

The best solution I can see so far is to grant read permissions to the certificates+keys to dokku. This is at least more secure than having dokku own the directory outright :)

blopker avatar blopker commented on May 13, 2024

Lol, foiled! So, looking at how dokku already handles certs letting the dokku user have full control over the letsencrypt directory doesn't really change the existing security model. Unless there are other secrets in that directory, but looking at it there's just some extra metadata. Sticking to that model is probably for the best.

So scratch changing permissions then. People using dokku should just assume that user has full access to certs already.

However, the symlink is still probably worth doing so I'll change the ticket :)

blopker avatar blopker commented on May 13, 2024

Another thought, if dokku is going to own the certs, it doesn't really matter where the script puts the volume you mount docker on. It seems like it would be more self contained to put the host letsencrypt folder in ~/dokku/letsencrypt. That way it's obvious to users what the security implications are and as a bonus the script doesn't mess with any existing letsencrypt installs.

sseemayer avatar sseemayer commented on May 13, 2024

This is a great idea and the commit above creates a dokku-specific letsencrypt working folder, gives only minimal rx permissions to some subdirectories to the dokku group and symlinks from $APP_SSL_PATH into the appropriate live section of /home/dokku/letsencrypt. What do you think?

blopker avatar blopker commented on May 13, 2024

Cool. I left a couple of comments. The functions file looks great, only one suggestion. Mostly just suggestions to clean up install.

blopker avatar blopker commented on May 13, 2024

I forked this so I could add better comments. One thing I noticed is that all non-dot folders in $DOKKU_ROOT are considered apps (shown in dokku apps). I think the certs should be stored in $DOKKU_ROOT/.letsencrypt to avoid this. I'll keep testing.
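
An added example, not code from the plugin or its authors, that builds the layout the two comments above describe in a scratch directory: a dokku-specific working folder under a dot-directory (so dokku apps does not list it), rx/r permissions for one group only, and $APP_SSL_PATH symlinked into the live section instead of copied. The group name, domain, file names and scratch root are assumptions.

```sh
#!/bin/sh
# Added example (not the plugin's own code). Everything happens under a
# scratch root, so nothing here touches /etc/letsencrypt. Assumes GNU
# coreutils (stat -c, readlink -f) and certbot-style live/ -> archive/ naming.

# Create the dokku-specific working folder with placeholder cert material.
# Directories get rx for the group (750), files r for the group (640),
# and nothing at all for "other".
setup_le_root() {
  le_root="$1"; domain="$2"; group="$3"
  mkdir -p "$le_root/archive/$domain" "$le_root/live/$domain"
  # constructed placeholder contents, not real key material
  printf 'PLACEHOLDER CERT\n' > "$le_root/archive/$domain/fullchain1.pem"
  printf 'PLACEHOLDER KEY\n'  > "$le_root/archive/$domain/privkey1.pem"
  ln -sfn "../../archive/$domain/fullchain1.pem" "$le_root/live/$domain/fullchain.pem"
  ln -sfn "../../archive/$domain/privkey1.pem"  "$le_root/live/$domain/privkey.pem"
  chgrp -R "$group" "$le_root"
  find "$le_root" -type d -exec chmod 750 {} +
  find "$le_root" -type f -exec chmod 640 {} +
}

# Symlink the app's SSL path into the live section instead of copying,
# so a renewal is picked up without another copy step.
link_app_ssl() {
  app_ssl_path="$1"; le_root="$2"; domain="$3"
  mkdir -p "$app_ssl_path"
  ln -sfn "$le_root/live/$domain/fullchain.pem" "$app_ssl_path/server.crt"
  ln -sfn "$le_root/live/$domain/privkey.pem"  "$app_ssl_path/server.key"
}

# Check that both links resolve to readable files whose final permission
# digit is 0 (no access for "other"). Returns 0 on success, 1 otherwise.
verify_app_ssl() {
  app_ssl_path="$1"
  for f in server.crt server.key; do
    [ -L "$app_ssl_path/$f" ] && [ -r "$app_ssl_path/$f" ] || return 1
    target=$(readlink -f "$app_ssl_path/$f") || return 1
    case "$(stat -c '%a' "$target")" in *0) ;; *) return 1 ;; esac
  done
  return 0
}

# Stand-alone demo: "sh this_script.sh demo" builds the layout in a temp dir.
if [ "${1:-}" = "demo" ]; then
  root=$(mktemp -d)
  setup_le_root "$root/.letsencrypt" example.test "$(id -gn)"
  link_app_ssl "$root/example-app/tls" "$root/.letsencrypt" example.test
  verify_app_ssl "$root/example-app/tls" && echo "layout OK under $root"
fi
```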

blopker avatar blopker commented on May 13, 2024

So I got the plugin running on my live server, but I can't actually get it working. The main issue is that when the script mounts the container and letsencrypt runs, the container writes the keys to the host volume as root and dokku won't generate the SSL nginx config with those permissions. At least I think this is the issue.

Have you gotten this plugin to work at all?

marvinroger avatar marvinroger commented on May 13, 2024

@blopker The plugin works fine for me. The issue is probably coming from your fork.

blopker avatar blopker commented on May 13, 2024

Ah sorry, it does work, but not as it says in the README. I'm hoping to put together a PR to make the workflow easier.

blopker avatar blopker commented on May 13, 2024

OK, PR is in!