Feature :: Add ability to specify ownership and umask on created files #380

Open
nickcmaynard opened this issue Apr 30, 2018 · 3 comments

@nickcmaynard

The default, extremely restrictive umask works for many circumstances, but some situations (i.e. Debian's exim) cannot work with this - in this example the process reading the key & cert files is not root.

To make this possible the admin has only one choice right now - manually fix the permissions. This cannot be the final solution, as subsequent cert refreshes may cancel these changes and leave the system in a broken state.

The request, therefore, is as follows:

  1. Add an option to specify the ownership/umask on created files, i.e.
    • DOMAIN_CHAIN_LOCATION
    • DOMAIN_KEY_LOCATION
  2. Add an option to specify the ownership/umask on the domain directory, i.e.
    • DOMAIN_DIR
@QuingKhaos
Collaborator

ad 1) These should be able to be configured separately? i.e. specify ownership/umask for certs and keys separately.

ad 2) The reason why it is needed would be interesting? The domain dir should be only used by getssl and certs should be copied out from it with the location variables.

@respencer
Contributor

We ran into this issue last night too. slapd failed to restart as the permissions on the key file were wrong. The correct permissions for slapd in our case are ownership root:ssl-cert and umask 0640.

What is needed in order for the issue to be resolved?
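
One way to re-apply the ownership and mode discussed in this thread after every renewal, so a refresh cannot leave the key unreadable to the service. This is an added example, not part of the issue or of getssl: the function name, its arguments and its return codes are assumptions, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example (not getssl code): re-apply owner and mode to a key file.
# secure_key_perms FILE MODE [OWNER:GROUP]   (hypothetical helper name)
# Return codes: 0 ok, 1 bad file or mode argument,
#               2 mode grants access to "other", 3 chown/chmod/verify failed.
secure_key_perms() {
    file=$1
    mode=$2
    owner=${3:-}

    # Only touch an existing regular file; refuse symlinks so chown/chmod
    # cannot be redirected to a different target.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1

    # Accept plain octal modes only (640 or 0640), no setuid/setgid/sticky.
    case $mode in
        [0-7][0-7][0-7] | 0[0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac

    # The last octal digit is the "other" class. A private key must keep
    # it at 0, so 0644 and similar are rejected before anything changes.
    case $mode in
        *0) ;;
        *) return 2 ;;
    esac

    # chown first, chmod second: the file never becomes more readable
    # than the final state while the two calls run.
    if [ -n "$owner" ]; then
        chown "$owner" "$file" || return 3
    fi
    chmod "$mode" "$file" || return 3

    # Verify the result instead of trusting the exit status alone.
    actual=$(stat -c '%a' "$file") || return 3
    [ $((0$actual)) -eq $((0$mode)) ] || return 3
}

# Constructed usage, run as root after a renewal (path is a placeholder):
#   secure_key_perms /path/to/domain.key 0640 root:ssl-cert
```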

@github-actions

github-actions bot commented Sep 4, 2021

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
