https://trac.crin.org/trac/ticket/27 <p> When attempting to use Drush, when not root, we are not able to access the certificate. </p> <p> SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem' </p> <p> How should we manage access to certificates? Should we create a developers group? </p> en-us https://trac.crin.org/trac/chrome/site/logo.gif https://trac.crin.org/trac/ticket/27 Trac 1.0.2 chris Mon, 06 Jul 2015 16:42:48 GMT https://trac.crin.org/trac/ticket/27#comment:1 https://trac.crin.org/trac/ticket/27#comment:1 <ul> <li><strong>hours</strong> changed from <em>0</em> to <em>0.15</em> </li> <li><strong>totalhours</strong> set to <em>0.15</em> </li> <li><strong>component</strong> changed from <em>backups</em> to <em>crin2</em> </li> </ul> <p> Replying to <a class="closed ticket" href="https://trac.crin.org/trac/ticket/27" title="defect: Crin2 certificate access (closed: fixed)">peter</a>: </p> <blockquote class="citation"> <p> When attempting to use Drush, when not root, we are not able to access the certificate. </p> <p> SSL error: Unable to get certificate from '/etc/ssl/cacert/crin1_cert.pem' </p> </blockquote> <p> Ah ha! This could explain the problems I have documented here: </p> <ul><li><a href="https://trac.crin.org/trac/ticket/18">https://trac.crin.org/trac/ticket/18</a> </li></ul><blockquote class="citation"> <p> How should we manage access to certificates? Should we create a developers group? </p> </blockquote> <p> I don't think it is a big security issue if all users on the server have access to the CAcert certs so I have done this on both servers (previously they were only readable by <tt>root</tt> and <tt>mysql</tt>: </p> <pre class="wiki">chmod 755 /etc/ssl/cacert chmod 644 /etc/ssl/cacert/*.pem </pre><p> I'd also be happy to restrict permissions if you think it is necessary, these certs and keys are used by MySQL and also non-public sites like the <a class="ext-link" href="https://munin.crin.org/"><span class="icon">​</span>Munin stats</a> to save on the cost of commercial certs, if you install the <a class="ext-link" href="https://www.cacert.org/index.php?id=3"><span class="icon">​</span>CAcert root certificates</a> then you won't get browser security warnings. </p> Ticket chris Mon, 06 Jul 2015 17:18:22 GMT https://trac.crin.org/trac/ticket/27#comment:2 https://trac.crin.org/trac/ticket/27#comment:2 <ul> <li><strong>hours</strong> changed from <em>0</em> to <em>0.02</em> </li> <li><strong>totalhours</strong> changed from <em>0.15</em> to <em>0.17</em> </li> </ul> <p> See also <a class="closed ticket" href="https://trac.crin.org/trac/ticket/18#comment:4" title="defect: Drush (closed: fixed)">ticket:18#comment:4</a> -- all users on <a class="wiki" href="https://trac.crin.org/trac/wiki/Crin2">Crin2</a> need a <tt>~/.my.cnf</tt> containing: </p> <pre class="wiki">[client] host=crin1 ssl-cipher=DHE-RSA-AES256-SHA ssl-ca=/etc/ssl/cacert/cacert.pem ssl-cert=/etc/ssl/cacert/crin1_cert.pem ssl-key=/etc/ssl/cacert/crin1_yassl_privatekey.pem </pre><p> For them to be able to use <tt>drush</tt>, I have created <tt>/var/www/.my.cnf</tt> so that the <tt>www-user</tt> user can be used for running <tt>drush</tt> commands. </p> <p> Peter -- please close this ticket if you think the issue is resolved. </p> Ticket peter Mon, 06 Jul 2015 17:23:25 GMT https://trac.crin.org/trac/ticket/27#comment:3 https://trac.crin.org/trac/ticket/27#comment:3 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> </ul> <p> Yes, this is working. </p> Ticket