Replicant infrastructure - Issue #2254: OpenSMTPd key permission changes
https://redmine.replicant.us/issues/2254?journal_id=9126
2021-05-24T13:24:19Z, Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
<p>After doing the workaround in bug <a class="issue tracker-3 status-3 priority-21 priority-default" title="Issue: Multiple issues with certificates updates (New)" href="https://redmine.replicant.us/issues/2253">#2253</a> we had key issues:<br /><pre>
# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-05-24 09:17:37 EDT; 2min 19s ago
Docs: man:smtpd(8)
Process: 2087 ExecStop=/usr/sbin/smtpctl stop (code=exited, status=255)
Process: 2131 ExecStart=/usr/sbin/smtpd (code=exited, status=1/FAILURE)
Main PID: 592 (code=exited, status=0/SUCCESS)
May 24 09:17:37 replicantserver0 systemd[1]: Starting OpenSMTPD SMTP server...
May 24 09:17:37 replicantserver0 smtpd[2131]: warn: /etc/letsencrypt/live/mx1.replicant.us/privkey.pem: insecure permissions: must be at most rwxr-----
May 24 09:17:37 replicantserver0 smtpd[2131]: smtpd: load_pki_keys: failed to load key file
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Control process exited, code=exited status=1
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
May 24 09:17:37 replicantserver0 systemd[1]: Failed to start OpenSMTPD SMTP server.
</pre></p>
<p>And looking at the keys:<br /><pre>
# ls -la /etc/letsencrypt/live/mx1.replicant.us/privkey.pem
lrwxrwxrwx 1 root root 43 May 22 12:14 /etc/letsencrypt/live/mx1.replicant.us/privkey.pem -> ../../archive/mx1.replicant.us/privkey4.pem
</pre></p>
<p>We had some permission issues:<br /><pre>
# ls -la /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem -l
-rw-r--r-- 1 root root 1704 May 22 12:14 /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem
</pre></p>
<p>So I also had to do a workaround:<br /><pre>
# chmod o-r /etc/letsencrypt/live/mx1.replicant.us/../../archive/mx1.replicant.us/privkey4.pem
# systemctl start opensmtpd
</pre></p>
<p>And the SMTP server started up again.</p>
Replicant infrastructure - Issue #2254: OpenSMTPd key permission changes
https://redmine.replicant.us/issues/2254?journal_id=9127
2021-05-24T13:26:57Z, Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
<p>So like with bug <a class="issue tracker-3 status-3 priority-21 priority-default" title="Issue: Multiple issues with certificates updates (New)" href="https://redmine.replicant.us/issues/2253">#2253</a>, we probably need to look into hooks.</p>
<p>To test if it works fine after a certbot renew we could use the following commands (which here show how they are supposed to fail):<br /><pre>
root@replicantserver0:~# systemctl restart opensmtpd
Job for opensmtpd.service failed because the control process exited with error code.
See "systemctl status opensmtpd.service" and "journalctl -xe" for details.
# systemctl status opensmtpd
● opensmtpd.service - OpenSMTPD SMTP server
Loaded: loaded (/lib/systemd/system/opensmtpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Mon 2021-05-24 09:17:37 EDT; 2min 19s ago
Docs: man:smtpd(8)
Process: 2087 ExecStop=/usr/sbin/smtpctl stop (code=exited, status=255)
Process: 2131 ExecStart=/usr/sbin/smtpd (code=exited, status=1/FAILURE)
Main PID: 592 (code=exited, status=0/SUCCESS)
May 24 09:17:37 replicantserver0 systemd[1]: Starting OpenSMTPD SMTP server...
May 24 09:17:37 replicantserver0 smtpd[2131]: warn: /etc/letsencrypt/live/mx1.replicant.us/privkey.pem: insecure permissions: must be at most rwxr-----
May 24 09:17:37 replicantserver0 smtpd[2131]: smtpd: load_pki_keys: failed to load key file
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Control process exited, code=exited status=1
May 24 09:17:37 replicantserver0 systemd[1]: opensmtpd.service: Failed with result 'exit-code'.
May 24 09:17:37 replicantserver0 systemd[1]: Failed to start OpenSMTPD SMTP server.
</pre></p>
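<p>The hook the comment above says is needed, as an added example that is not Replicant's own code and not part of this issue: a certbot deploy hook that re-tightens the renewed key and restarts OpenSMTPD. It assumes the hook is installed under <code>/etc/letsencrypt/renewal-hooks/deploy/</code> (a certbot convention, assumed here) and relies on certbot exporting <code>RENEWED_LINEAGE</code> to deploy hooks after a successful renewal. The permission check is derived from the log line in the issue, "must be at most rwxr-----": group may have at most read and others nothing, so no bit of the octal mask 0027 may be set. It fixes only the mode bits; it does not touch ownership.</p>

```shell
#!/bin/sh
# Added example, not Replicant's own hook and not certbot's code.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/opensmtpd-key-perms.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mx1.replicant.us)
# to deploy hooks after a successful renewal.
set -eu

# OpenSMTPD refuses a key with "insecure permissions: must be at most rwxr-----":
# group may have at most read, others nothing, i.e. no bit of mask 0027 is set.
key_mode_ok() {
    mode=$(stat -c %a "$1")           # e.g. 644, 640, 600
    [ $(( 0$mode & 0027 )) -eq 0 ]    # leading 0 makes the shell parse it as octal
}

# Strip exactly the offending bits (group write/exec, all of other) on the real
# file behind the live/ symlink. chmod would follow the symlink anyway, but
# resolving it first makes the message name the archive/ file that changed.
fix_key_perms() {
    target=$(readlink -f "$1")
    if key_mode_ok "$target"; then
        echo "ok: $target already mode $(stat -c %a "$target")"
        return 0
    fi
    chmod g-wx,o-rwx "$target"
    echo "fixed: $target now mode $(stat -c %a "$target")"
}

# Hook entry point: only acts when certbot invoked us with RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    fix_key_perms "$RENEWED_LINEAGE/privkey.pem"
    # Restart, as in the issue, so smtpd re-reads the key file at startup.
    systemctl restart opensmtpd
    systemctl is-active --quiet opensmtpd || {
        echo "opensmtpd did not come back; see 'systemctl status opensmtpd'" >&2
        exit 1
    }
fi
```

<p>The mask check is stricter than the <code>chmod o-r</code> workaround in the first comment: it also catches a key that is group-writable or world-executable, which the same smtpd message would reject. To exercise it by hand, run the two functions against a throwaway file with mode 644 and confirm the mode ends up 640; a real renewal can then be checked with the <code>systemctl restart opensmtpd</code> / <code>systemctl status opensmtpd</code> sequence shown above.</p>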