Issue #2254
OpenSMTPd key permission changes
Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
05/24/2021
Due date:
% Done:
0%
Estimated time:
Hosting infrastructure:
VM @ FSF
Type of work:
System administration
Updated by Denis 'GNUtoo' Carikli over 3 years ago
After doing the workaround in bug #2253 we had key issues:
# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2021-05-24 09:17:37 EDT; 2min 19s ago
     Docs: man:smtpd(8)
  Process: 2087 ExecStop=/usr/sbin/smtpctl stop (code=exited, status=255)
  Process: 2131 ExecStart=/usr/sbin/smtpd (code=exited, status=1/FAILURE)
 Main PID: 592 (code=exited, status=0/SUCCESS)

May 24 09:17:37 replicantserver0 systemd[1]: Starting OpenSMTPD SMTP server...
May 24 09:17:37 replicantserver0 smtpd[2131]: warn: /etc/letsencrypt/live/mx1.replicant.us/privkey.pem: insecure permissions: must be at most rwxr-----
May 24 09:17:37 replicantserver0 smtpd[2131]: smtpd: load_pki_keys: failed to load key file
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Control process exited, code=exited status=1
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
May 24 09:17:37 replicantserver0 systemd[1]: Failed to start OpenSMTPD SMTP server.
And looking at the keys:
# ls -la /etc/letsencrypt/live/mx1.replicant.us/privkey.pem
lrwxrwxrwx 1 root root 43 May 22 12:14 /etc/letsencrypt/live/mx1.replicant.us/privkey.pem -> ../../archive/mx1.replicant.us/privkey4.pem
We had some permission issues:
# ls -la /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem -l
-rw-r--r-- 1 root root 1704 May 22 12:14 /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem
So I also had to do a workaround:
# chmod o-r /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem
# systemctl start opensmtpd
And the SMTP server started up again.
Updated by Denis 'GNUtoo' Carikli over 3 years ago
So like with bug #2253, we probably need to look into hooks.
To test if it works fine after a certbot renew we could use the following commands (which here show how they are supposed to fail):
root@replicantserver0:~# systemctl restart opensmtpd
Job for opensmtpd.service failed because the control process exited with error code.
See "systemctl status opensmtpd.service" and "journalctl -xe" for details.
# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
   Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2021-05-24 09:17:37 EDT; 2min 19s ago
     Docs: man:smtpd(8)
  Process: 2087 ExecStop=/usr/sbin/smtpctl stop (code=exited, status=255)
  Process: 2131 ExecStart=/usr/sbin/smtpd (code=exited, status=1/FAILURE)
 Main PID: 592 (code=exited, status=0/SUCCESS)

May 24 09:17:37 replicantserver0 systemd[1]: Starting OpenSMTPD SMTP server...
May 24 09:17:37 replicantserver0 smtpd[2131]: warn: /etc/letsencrypt/live/mx1.replicant.us/privkey.pem: insecure permissions: must be at most rwxr-----
May 24 09:17:37 replicantserver0 smtpd[2131]: smtpd: load_pki_keys: failed to load key file
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Control process exited, code=exited status=1
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
May 24 09:17:37 replicantserver0 systemd[1]: Failed to start OpenSMTPD SMTP server.
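The "look into hooks" idea above, written out as an added example; this is not a script from the ticket or from the Replicant infrastructure. It is a certbot deploy hook (certbot runs scripts in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE, the live/ directory of the renewed certificate) that repeats the manual fix from the first comment in an automated way: it resolves the privkey.pem symlink to the real archive/ file, strips the "other" bits that make smtpd(8) reject the key ("must be at most rwxr-----"), verifies the result, and only then restarts opensmtpd. The function names, the "640" target mode and the sample directory layout in the usage note are assumptions; the service name and the permission rule come from the log lines in the ticket.

```shell
#!/bin/sh
# Added example, not part of the Replicant ticket: certbot deploy hook that
# fixes private-key permissions before restarting OpenSMTPD. Assumed to live
# in /etc/letsencrypt/renewal-hooks/deploy/ and be executable by root.
set -eu

# Octal permission bits of a file (GNU stat; BSD stat as a fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the mode has no "other" bits set, which is what smtpd(8)
# demands ("must be at most rwxr-----"); group access is still allowed.
mode_is_safe() {
    case "$1" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Given a lineage directory (e.g. /etc/letsencrypt/live/mx1.replicant.us),
# follow live/privkey.pem to the real archive/privkeyN.pem and remove the
# "other" bits there. chmod on the symlink itself would follow it anyway,
# but resolving first lets us report which archive file was touched.
# Prints the resulting mode so callers (and the test) can check it.
fix_key_perms() {
    lineage=$1
    key=$(readlink -f "$lineage/privkey.pem")
    chmod o-rwx "$key"
    echo "fixed $key" >&2
    key_mode "$key"
}

# Entry point when certbot runs us: RENEWED_LINEAGE is set only in that case,
# so sourcing this file for testing does not touch any real service.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    mode=$(fix_key_perms "$RENEWED_LINEAGE")
    if ! mode_is_safe "$mode"; then
        echo "privkey still has insecure mode $mode, not restarting smtpd" >&2
        exit 1
    fi
    systemctl restart opensmtpd
fi
```

After dropping the script in place, `certbot renew --dry-run` will not run deploy hooks, so to exercise it run it by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/mx1.replicant.us sh /etc/letsencrypt/renewal-hooks/deploy/fix-smtpd-key.sh` (assumed filename) and then check `systemctl status opensmtpd` as in the comment above. Note that certbot writes the new archive key on renewal, so tightening only the current privkey4.pem by hand does not guarantee the next privkey5.pem is safe; the hook runs on every renewal precisely for that reason.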