Opened 3 years ago
Closed 3 years ago
#27 closed defect (fixed)
Crin2 certificate access
Reported by: | peter | Owned by: | chris |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | crin2 | Version: | |
Keywords: | | Cc: | |
Estimated Number of Hours: | 0 | Add Hours to Ticket: | 0 |
Billable?: | yes | Total Hours: | 0.17 |
Description
When attempting to use Drush, when not root, we are not able to access the certificate.
SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem'
How should we manage access to certificates?
Should we create a developers group?
Change History (3)
comment:1 in reply to: ↑ description Changed 3 years ago by chris
- Add Hours to Ticket changed from 0 to 0.15
- Component changed from backups to crin2
- Total Hours set to 0.15
comment:2 Changed 3 years ago by chris
- Add Hours to Ticket changed from 0 to 0.02
- Total Hours changed from 0.15 to 0.17
See also ticket:18#comment:4 -- all users on Crin2 need a ~/.my.cnf containing:
[client]
host=crin1
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/ssl/cacert/cacert.pem
ssl-cert=/etc/ssl/cacert/crin1_cert.pem
ssl-key=/etc/ssl/cacert/crin1_yassl_privatekey.pem
For them to be able to use drush, I have created /var/www/.my.cnf so that the www-user user can be used for running drush commands.
Peter -- please close this ticket if you think the issue is resolved.
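The permission question raised in this ticket (who may read the CA cert, client cert and private key that the shared .my.cnf points at) is easy to audit. The script below is an added example, not part of the ticket or the Crin2 setup: it parses the ssl-ca / ssl-cert / ssl-key entries from the [client] section of a my.cnf, checks that each referenced file is readable by the current user (the symptom Peter hit when not root), and warns when the config file or the private key is world-readable, while allowing group-based access of the kind a developers group would give. The sample tree it builds under mktemp is constructed for the demo; the file names mirror the ticket but the contents are placeholders.

```shell
#!/bin/sh
# Added example: audit a MySQL client config and the SSL files it references.
# Assumes the [client] layout shown in the ticket (ssl-ca / ssl-cert / ssl-key);
# everything built by setup_sample is constructed placeholder data.

# Print the value of one key from the [client] section of a my.cnf file.
mycnf_get() {
    awk -v key="$2" '
        /^\[/ { insec = ($0 == "[client]"); next }
        insec && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Octal permission bits of a file, e.g. 644 (GNU stat, with a BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when the "other" permission digit is 0 (owner/group access is allowed).
not_world_readable() {
    mode=$(file_mode "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Audit one my.cnf. Warnings go to stderr; the number of findings is printed
# to stdout so callers can use it without tripping set -e.
check_mycnf() {
    cnf="$1"; problems=0
    not_world_readable "$cnf" || { echo "WARN: $cnf is world-readable" >&2; problems=$((problems+1)); }
    key=$(mycnf_get "$cnf" ssl-key)
    if [ -n "$key" ]; then
        if [ ! -r "$key" ]; then
            echo "WARN: ssl-key $key is not readable by $(id -un)" >&2; problems=$((problems+1))
        elif ! not_world_readable "$key"; then
            echo "WARN: ssl-key $key is world-readable" >&2; problems=$((problems+1))
        fi
    fi
    # The CA and client certificate are not secret; they only need to be readable.
    for k in ssl-ca ssl-cert; do
        f=$(mycnf_get "$cnf" "$k")
        if [ -n "$f" ] && [ ! -r "$f" ]; then
            echo "WARN: $k $f is not readable by $(id -un)" >&2; problems=$((problems+1))
        fi
    done
    echo "$problems"
}

# Constructed sample tree: a private temp dir mirroring the ticket's file names,
# with every PEM world-readable (the state the ticket ends up in).
setup_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssl/cacert"
    for f in cacert.pem crin1_cert.pem crin1_yassl_privatekey.pem; do
        echo "placeholder PEM data (constructed)" > "$d/etc/ssl/cacert/$f"
    done
    chmod 644 "$d/etc/ssl/cacert/"*.pem
    cat > "$d/my.cnf" <<EOF
[client]
host=crin1
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=$d/etc/ssl/cacert/cacert.pem
ssl-cert=$d/etc/ssl/cacert/crin1_cert.pem
ssl-key=$d/etc/ssl/cacert/crin1_yassl_privatekey.pem
EOF
    chmod 600 "$d/my.cnf"
    echo "$d"
}

# Usage: sh audit_mycnf.sh /var/www/.my.cnf   (prints the finding count)
if [ $# -gt 0 ]; then
    check_mycnf "$1"
fi
```

Against the constructed sample the audit reports one finding (the private key is world-readable); after `chmod 640` on the key, so that a group rather than everyone can read it, it reports none. Run it as the user that will actually invoke drush (www-data in the ticket, or a developer account), since the readability checks depend on who is asking.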
comment:3 Changed 3 years ago by peter
- Resolution set to fixed
- Status changed from new to closed
Yes, this is working.
Replying to peter:
Ah ha! This could explain the problems I have documented here:
I don't think it is a big security issue if all users on the server have access to the CAcert certs, so I have done this on both servers (previously they were only readable by root and mysql):
I'd also be happy to restrict permissions if you think it is necessary. These certs and keys are used by MySQL and also by non-public sites like the Munin stats to save on the cost of commercial certs; if you install the CAcert root certificates then you won't get browser security warnings.