Granting a nonroot-owned systemd service sufficient 'usage' permissions on letsencrypt's SSL key/cert pair
Unrealircd is not allowed access to the SSL key/cert pair, so the ircd-owned systemd service unit fails miserably. The files are managed by Let's Encrypt's certbot and are root-owned:

    -rw-r--r-- 1 root root 3.5K Dec  8 10:40 fullchain1.pem
    -rw------- 1 root root 1.7K Dec  8 10:40 privkey1.pem

If the ownership and/or permissions of the key/cert are altered, the systemd unit starts fine. What is the most sensible and preferable way of proceeding?
  • 1
    How did you install Unrealirc? Was it compiled from source? Which user is running the server process? ... Usually it is not advisable to alter the permissions on the private key for any cryptographic protocol. When I compiled Unrealirc from source, it generated self-signed keys and put them in unrealircd/conf/ssl ... so you might try creating a symbolic link in that directory to your LetsEncrypt key and cert.
    – RubberStamp
    yesterday

  • That was the first thing I did actually (symbolically linked them). The package came pre-compiled from the official repositories. The systemd service runs under the ircd user and that seems to be the problem accessing the files.
    – soocki
    20 hours ago

  • Well... I'm not sure if there are any chroot options... However, other server programs like Apache, for example, read the private key before the chroot operation. This way the process is run by an unprivileged user but TLS still functions... The recommendation from the documentation for unrealirc is to run as an unprivileged user... which is correct. So, the easiest way to go forward is probably to create a group and add the ircd user, change permissions. However, this is not ideal and will probably revert with each new key set.
    – RubberStamp
    18 hours ago

  • And of course... Here are the instructions for using LetsEncrypt with Unrealirc
    – RubberStamp
    17 hours ago

  • Nice find :) Pretty relevant. It suggests copying the files and changing their ownership to the ircd user, which was the second thing I did, but it did not feel right. It feels like a nasty workaround and I thought a better way should be in order, but perhaps I am wrong or maybe there is one we are just not aware of.
    – soocki
    10 hours ago
Tags: permissions systemd letsencrypt ownership certbot

asked 2 days ago by soocki (358), edited 18 hours ago
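The comments above leave two options on the table: widen the permissions on certbot's own files (which certbot may undo at the next renewal) or copy the pair into a directory the daemon user owns (which goes stale at the next renewal unless something repeats the copy). The script below is an added example, not code from the question, the comments, or the UnrealIRCd or certbot documentation. It is a certbot deploy hook, i.e. a script certbot runs after every successful renewal with RENEWED_LINEAGE set to the live/<domain> directory, so the copy is refreshed automatically while /etc/letsencrypt keeps its root-only modes. The daemon user `ircd`, the destination `/etc/unrealircd/tls`, and reloading via `systemctl reload` are assumptions to adjust for the actual installation.

```shell
#!/bin/sh
# Added example (not from the question, the comments, or the UnrealIRCd /
# certbot documentation): a certbot --deploy-hook that copies the renewed
# key/cert pair out of certbot's root-owned tree into a directory owned by
# the daemon user, key readable only by that user. certbot runs the hook
# after every successful renewal, so the copy never goes stale.
#
# Assumptions (hypothetical, adjust to the installation):
#   - the service runs as user/group ircd
#   - UnrealIRCd reads /etc/unrealircd/tls/{fullchain,privkey}.pem
#   - the unit defines ExecReload (otherwise run `unrealircd rehash` instead)
# certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> to deploy hooks.
set -eu

# install_tls_pair SRC_DIR DST_DIR OWNER GROUP
# Copy privkey.pem (mode 0600) and fullchain.pem (mode 0640) from SRC_DIR to
# DST_DIR, following certbot's live/ -> archive/ symlinks. Each file is
# written under a temporary name and renamed into place, so a daemon that
# reloads mid-copy never reads a truncated key. Ownership is only changed
# when running as root (the normal case for a certbot hook).
install_tls_pair() {
    src="$1"; dst="$2"; owner="$3"; group="$4"
    if [ ! -r "$src/privkey.pem" ] || [ ! -r "$src/fullchain.pem" ]; then
        echo "install_tls_pair: privkey.pem or fullchain.pem missing in $src" >&2
        return 1
    fi
    ownflags=""
    if [ "$(id -u)" -eq 0 ]; then
        ownflags="-o $owner -g $group"
    fi
    # Directory: owner may enter and list it, group may enter, others nothing.
    mkdir -p "$dst"
    chmod 0750 "$dst"
    [ -z "$ownflags" ] || chown "$owner:$group" "$dst"
    # $ownflags is intentionally unquoted: it expands to several arguments.
    # shellcheck disable=SC2086
    install -m 0600 $ownflags "$src/privkey.pem"   "$dst/.privkey.pem.new"
    # shellcheck disable=SC2086
    install -m 0640 $ownflags "$src/fullchain.pem" "$dst/.fullchain.pem.new"
    mv -f "$dst/.privkey.pem.new"   "$dst/privkey.pem"
    mv -f "$dst/.fullchain.pem.new" "$dst/fullchain.pem"
}

# file_mode PATH -> octal permission bits, e.g. 600 (GNU/busybox stat)
file_mode() {
    stat -c '%a' "$1"
}

# check_tls_pair DST_DIR: succeed only if the installed pair has the expected
# modes; a deploy hook should fail loudly rather than leave a readable key.
check_tls_pair() {
    [ "$(file_mode "$1/privkey.pem")" = "600" ] &&
    [ "$(file_mode "$1/fullchain.pem")" = "640" ]
}

# Entry point when certbot invokes this file as --deploy-hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_tls_pair "$RENEWED_LINEAGE" /etc/unrealircd/tls ircd ircd
    check_tls_pair /etc/unrealircd/tls
    systemctl reload unrealircd.service
fi
```

Register it once with `certbot renew --deploy-hook /path/to/this-script` (or drop it into /etc/letsencrypt/renewal-hooks/deploy/), then point UnrealIRCd's TLS settings at the copies rather than at the live/ symlinks. The private key in /etc/letsencrypt stays root:root 0600; only the daemon-owned copy is readable by `ircd`, and only that user can read it.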