Crin2 certificate access

[peter]

When attempting to use Drush, when not root, we are not able to access the certificate.

SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem'

How should we manage access to certificates?
Should we create a developers group?

[chris]

Replying to peter:

When attempting to use Drush, when not root, we are not able to access the certificate.

SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem'

Ah ha! This could explain the problems I have documented here:

• https://trac.crin.org.archived.website/trac/ticket/18

How should we manage access to certificates?
Should we create a developers group?

I don't think it is a big security issue if all users on the server have access to the CAcert certs so I have done this on both servers (perviously they were only readable by root and mysql:

chmod 755 /etc/ssl/cacert
chmod 644 /etc/ssl/cacert/*.pem

I'd also be happy to restrict permissions if you think it is necessary, these certs and keys are used by MySQL and also non-public sites like the ​Munin stats to save on the cost of commercial certs, if you install the ​CAcert root certificates then you won't get browser security warnings.

[chris]

See also ticket:18#comment:4 -- all users on Crin2 need a ~/.my.cnf containing:

[client]
host=crin1
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/ssl/cacert/cacert.pem
ssl-cert=/etc/ssl/cacert/crin1_cert.pem
ssl-key=/etc/ssl/cacert/crin1_yassl_privatekey.pem

For them to be able to use drush, I have created /var/www/.my.cnf so that the www-user user can be used for running drush commands.

Peter -- please close this ticket if you think the issue is resolved.

[peter]

Yes, this is working.