Opened 3 years ago

Closed 3 years ago

#27 closed defect (fixed)

Crin2 certificate access

Reported by: peter Owned by: chris
Priority: major Milestone: Maintenance
Component: crin2 Version:
Keywords: Cc:
Estimated Number of Hours: 0 Add Hours to Ticket: 0
Billable?: yes Total Hours: 0.17

Description

When attempting to use Drush, when not root, we are not able to access the certificate.

SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem'

How should we manage access to certificates?
Should we create a developers group?

Change History (3)

comment:1 in reply to description Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.15
  • Component changed from backups to crin2
  • Total Hours set to 0.15

Replying to peter:

When attempting to use Drush, when not root, we are not able to access the certificate.

SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem'

Ah ha! This could explain the problems I have documented here:

How should we manage access to certificates?
Should we create a developers group?

I don't think it is a big security issue if all users on the server have access to the CAcert certs, so I have done this on both servers (previously they were only readable by root and mysql):

chmod 755 /etc/ssl/cacert
chmod 644 /etc/ssl/cacert/*.pem

I'd also be happy to restrict permissions if you think it is necessary. These certs and keys are used by MySQL and also by non-public sites like the Munin stats to save on the cost of commercial certs; if you install the CAcert root certificates then you won't get browser security warnings.


comment:2 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.02
  • Total Hours changed from 0.15 to 0.17

See also ticket:18#comment:4 -- all users on Crin2 need a ~/.my.cnf containing:

[client]
host=crin1
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/ssl/cacert/cacert.pem
ssl-cert=/etc/ssl/cacert/crin1_cert.pem
ssl-key=/etc/ssl/cacert/crin1_yassl_privatekey.pem

For them to be able to use drush, I have created /var/www/.my.cnf so that the www-user user can be used for running drush commands.

Peter -- please close this ticket if you think the issue is resolved.
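The chmod in comment:1 makes every .pem under /etc/ssl/cacert world-readable, and the ~/.my.cnf in comment:2 shows that the directory also holds the client private key (crin1_yassl_privatekey.pem), not just CA and server certificates. The "developers group" Peter asked about is the usual middle ground: certificates stay 644, private keys go 640 owned by a group whose members need them. The script below is an added example and not part of the ticket or the servers' configuration; the function names, the use of a temporary directory with constructed stand-in PEM files, and the group passed in are all assumptions made for the illustration. It audits a directory for world-readable private keys and then applies the group-based scheme.

```shell
#!/bin/sh
# Added example (not from the ticket): audit and harden a directory of PEM
# files such as /etc/ssl/cacert. Certificates may be world-readable; any
# file that carries a PRIVATE KEY block must not be readable by "other".

# audit_pem_dir DIR
# Returns 0 when no private key in DIR is world-readable, 1 otherwise.
# Uses find -perm -004 (POSIX octal mode) so the check is about the file
# mode, not about whether the current user happens to be able to read it.
audit_pem_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f"; then
            if [ -n "$(find "$f" -perm -004)" ]; then
                echo "world-readable private key: $f" >&2
                bad=1
            fi
        fi
    done
    return "$bad"
}

# harden_pem_dir DIR GROUP
# Directory 755 so everyone can traverse it; certificates 644; private
# keys 640 and owned by GROUP (e.g. a "developers" group whose members
# run drush / the mysql client). GROUP is assumed to exist already.
harden_pem_dir() {
    dir=$1
    group=$2
    chmod 755 "$dir"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY' "$f"; then
            chgrp "$group" "$f"
            chmod 640 "$f"
        else
            chmod 644 "$f"
        fi
    done
}

# make_demo_dir
# Builds a scratch directory with constructed stand-in files that mimic the
# layout from the ticket (contents are placeholders, not real key material),
# reproduces the blanket chmod 644 from comment:1, and prints the path.
make_demo_dir() {
    d=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' \
        > "$d/cacert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' \
        > "$d/crin1_cert.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n' \
        > "$d/crin1_yassl_privatekey.pem"
    chmod 755 "$d"
    chmod 644 "$d"/*.pem
    echo "$d"
}

# Stand-alone usage: audit the demo directory, harden it with the caller's
# primary group standing in for "developers", and audit again.
if [ "${1:-}" = "demo" ]; then
    demo=$(make_demo_dir)
    audit_pem_dir "$demo" || echo "before: private key exposed"
    harden_pem_dir "$demo" "$(id -gn)"
    audit_pem_dir "$demo" && echo "after: clean"
    ls -l "$demo"
fi
```

Run it as `sh audit_pem.sh demo` to see the before/after listing; against the real directory you would call `audit_pem_dir /etc/ssl/cacert` as root and `harden_pem_dir /etc/ssl/cacert developers` once the group exists and the accounts that run drush (including the owner of /var/www/.my.cnf) have been added to it.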

comment:3 Changed 3 years ago by peter

  • Resolution set to fixed
  • Status changed from new to closed

Yes, this is working.
