Comments (14)
Looked into it more, looks like the script mounts docker into /etc/letsencrypt: https://github.com/sseemayer/dokku-letsencrypt/blob/master/functions#L59
You can either run docker with sudo or mount a different, dokku-owned directory and use sudo to copy later.
from dokku-letsencrypt.
Also, instead of copying the certs to $APP_SSL_PATH here: https://github.com/sseemayer/dokku-letsencrypt/blob/master/functions#L71, Letsencrypt recommends that the script just symlink to the live folder.
from dokku-letsencrypt.
Two excellent points!
- Regarding the chown to dokku: I was already aware of the problem and absolutely agree - things are the way they are currently because dokku plugins are being run as the 'dokku' user who does not have access to /etc/letsencrypt so access to the certs is denied by default. Two possible cleaner solutions that I can see would be to introduce a new user group to control access or to use ACLs (not installed by default on Ubuntu 14.04 LTS which is recommended by dokku and I'm not sure if it's reasonable to require ACLs as a dependency to the plugin). What are your thoughts on how to best secure this?
- Regarding the cert copy: Great suggestion and should be very easy to fix. I'll probably manage to work on this tomorrow, or this could also be a nice pull request.
from dokku-letsencrypt.
As far as 1. goes, the script already uses sudo to restart nginx. Sprinkling a couple more sudos around should be good enough. Adding a user group or ACLs doesn't really make access any more secure in my mind, but who knows.
from dokku-letsencrypt.
Regarding 1., the sudo command reloading nginx is possible because of a special rule in /etc/sudoers.d/dokku-nginx.conf:
%dokku ALL=(ALL) NOPASSWD:/etc/init.d/nginx reload, /usr/sbin/nginx -t
We could install something similar to grant access to sudo cp, although that would open an even bigger can of worms than giving read access to the dokku user, and it doesn't work in conjunction with 2. since the link destination needs to be readable for the dokku user. EDIT: I forgot about your remark that TLS certificates will be read by nginx as 'root'. The dokku certs:* will probably have problems working on the certificate, though.
The best solution I can see so far is to grant read permissions to the certificates+keys to dokku. This is at least more secure than having dokku own the directory outright :)
from dokku-letsencrypt.
Lol, foiled! So, looking at how dokku already handles certs letting the dokku user have full control over the letsencrypt directory doesn't really change the existing security model. Unless there are other secrets in that directory, but looking at it there's just some extra metadata. Sticking to that model is probably for the best.
So scratch changing permissions then. People using dokku should just assume that user has full access to certs already.
However, the symlink is still probably worth doing so I'll change the ticket :)
from dokku-letsencrypt.
Another thought, if dokku is going to own the certs, it doesn't really matter where the script puts the volume you mount docker on. It seems like it would be more self contained to put the host letsencrypt folder in ~/dokku/letsencrypt. That way it's obvious to users what the security implications are and as a bonus the script doesn't mess with any existing letsencrypt installs.
from dokku-letsencrypt.
This is a great idea and the commit above creates a dokku-specific letsencrypt working folder, gives only minimal rx permissions to some subdirectories to the dokku group and symlinks from $APP_SSL_PATH into the appropriate live section of /home/dokku/letsencrypt. What do you think?
from dokku-letsencrypt.
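An added example, not the plugin's own code, of the layout the comment above settles on: a dokku-specific letsencrypt working folder, rx for a group only on the directories it must traverse, private keys kept unreadable by "other", and server.crt/server.key in $APP_SSL_PATH symlinked into the live directory rather than copied. Assumptions: the letsencrypt client writes live/<domain>/fullchain.pem and privkey.pem, dokku reads $APP_SSL_PATH/server.crt and server.key, and the "dokku" group name is looked up and skipped when it does not exist (as on a test machine).

```shell
#!/usr/bin/env bash
# Added example, not code from dokku-letsencrypt. Assumed layout:
#   $LE_ROOT/live/<domain>/{fullchain.pem,privkey.pem}   (written by letsencrypt)
#   $APP_SSL_PATH/server.{crt,key}                      (read by dokku/nginx)
set -u

# Symlink instead of copying, so a renewed cert in live/ is picked up without
# another copy step. Fails (status 1) when the live files are not there yet.
link_app_certs() {
    local le_root="$1" domain="$2" app_ssl_path="$3"
    local live="$le_root/live/$domain"
    [ -f "$live/fullchain.pem" ] && [ -f "$live/privkey.pem" ] || return 1
    mkdir -p "$app_ssl_path"
    ln -sfn "$live/fullchain.pem" "$app_ssl_path/server.crt"
    ln -sfn "$live/privkey.pem"   "$app_ssl_path/server.key"
}

# Minimal permissions for the working folder: the group gets rx on the
# directories it has to traverse, keys become owner rw / group r / other none.
# chgrp is attempted only if the group exists (hypothetical "dokku" on a host).
restrict_le_tree() {
    local le_root="$1" group="$2"
    if getent group "$group" >/dev/null 2>&1; then
        chgrp -R "$group" "$le_root"
    fi
    chmod 750 "$le_root" "$le_root/live" "$le_root/archive" 2>/dev/null || true
    find "$le_root" -name 'privkey*.pem' -exec chmod 640 {} +
}

# Status 0 when both links resolve and the key behind server.key is not
# world-readable; the check the permission discussion in this thread implies.
check_app_certs() {
    local app_ssl_path="$1" f mode
    for f in server.crt server.key; do
        [ -e "$app_ssl_path/$f" ] || return 1   # missing or dangling symlink
    done
    mode=$(stat -c '%a' "$(readlink -f "$app_ssl_path/server.key")")
    # lowest octal digit is "other"; bit 4 set there means world-readable
    [ $(( 8#$mode & 4 )) -eq 0 ]
}
```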
Cool. I left a couple of comments. The functions file looks great, only one suggestion. Mostly just suggestions to clean up install.
from dokku-letsencrypt.
I forked this so I could add better comments. One thing I noticed is that all non-dot folders in $DOKKU_ROOT are considered apps (shown in dokku apps). I think the certs should be stored in $DOKKU_ROOT/.letsencrypt to avoid this. I'll keep testing.
from dokku-letsencrypt.
So I got the plugin running on my live server, but I can't actually get it working. The main issue is that when the script mounts the container and letsencrypt runs, the container writes the keys to the host volume as root and dokku won't generate the SSL nginx config with those permissions. At least I think this is the issue.
Have you gotten this plugin to work at all?
from dokku-letsencrypt.
@blopker The plugin works fine for me. The issue is probably coming from your fork.
from dokku-letsencrypt.
Ah sorry, it does work, but not as it says in the README. I'm hoping to put together a PR to make the workflow easier.
from dokku-letsencrypt.
OK, PR is in!
from dokku-letsencrypt.