
PermissionError on /config/auth/letsencrypt/live/ when running show pki
Closed, Resolved | Public | BUG

Description

Hello community

I did a docker-build from the sagitta-branch (when building was still possible), on Fri 15 Mar 2024 (near epa2). There are some certificates in my config - also an ACME-Cert:

manuel@fe73651:~$ show pki certificate  <tab>
Possible completions:
  <Enter>               Execute the current command
  fe73651               Show x509 certificate by name
  mvr01-srvdns     <--- the second one is my acme-cert
  ovpn1195
  sstp-test
  vyosacmev6

After issuing show pki certificate, there is a Python traceback - obviously some permission problems with the folder /letsencrypt/live

manuel@fe73651:~$ show pki certificate 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 113, in config_dict_mangle_acme
    tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file
    raise e
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file
    with open(fname, 'r') as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/mvr01-srvdns/cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1075, in <module>
    show_certificate(None if args.certificate == 'all' else args.certificate, args.pem)
  File "/usr/libexec/vyos/op_mode/pki.py", line 882, in show_certificate
    certs = get_config_certificate()
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/pki.py", line 88, in get_config_certificate
    pki[certificate] = config_dict_mangle_acme(certificate, pki[certificate])
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 123, in config_dict_mangle_acme
    raise ConfigError(f'Unable to load ACME certificates for "{name}"!')
vyos.base.ConfigError: Unable to load ACME certificates for "mvr01-srvdns"!

I've already tried to search for a proper bug report with "show pki certificate" or "Permission denied: '/config/auth/letsencrypt/", but there seems to be no bug report yet.

Details

Difficulty level: Normal (likely a few hours)
Version: 1.4.0-epa2
Why the issue appeared?: Design mistake
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

Reproduce

[email protected]:~$ show configuration commands | match pki
set pki ca STAGING-PEM certificate '<certificate data omitted>'
set pki certificate vyos acme domain-name 'lr5.wue4.mybll.net'
set pki certificate vyos acme email '[email protected]'
set pki certificate vyos acme url 'https://acme-staging-v02.api.letsencrypt.org/directory'
[email protected]:~$ show pki certificate
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 111, in config_dict_mangle_acme
    tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file
    raise e
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file
    with open(fname, 'r') as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/vyos/cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1075, in <module>
    show_certificate(None if args.certificate == 'all' else args.certificate, args.pem)
  File "/usr/libexec/vyos/op_mode/pki.py", line 882, in show_certificate
    certs = get_config_certificate()
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/pki.py", line 88, in get_config_certificate
    pki[certificate] = config_dict_mangle_acme(certificate, pki[certificate])
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 121, in config_dict_mangle_acme
    raise ConfigError(f'Unable to load ACME certificates for "{name}"!')
vyos.base.ConfigError: Unable to load ACME certificates for "vyos"!

https://github.com/vyos/vyos-1x/pull/3517

c-po changed the task status from Open to In progress. May 25 2024, 7:29 PM
c-po triaged this task as Normal priority.
c-po added a project: VyOS 1.5 Circinus.
c-po changed Why the issue appeared? from Will be filled on close to Design mistake.
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-GA) board.
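
To find which path component produces the Errno 13 in the tracebacks above, the following added example (not VyOS code and not part of this task or its pull request) applies the POSIX owner/group/other mode-bit check to each component of a path shaped like letsencrypt/live/<name>/cert.pem for a given uid. The sample tree, the 0700 mode on live, and the uid values are constructed assumptions; ACLs and symlink targets (such as a certbot archive directory) are not checked.

```python
import os
import stat
import tempfile


def allowed(st, uid, gids, want):
    """Classic POSIX mode-bit check; want is 'r' (read) or 'x' (search)."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    # Exactly one permission class applies: owner, else group, else other.
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    bit = 4 if want == "r" else 1
    return bool((st.st_mode >> shift) & bit)


def first_denied(base, relpath, uid, gids=()):
    """Return (path, octal mode) of the first component under base that uid
    cannot search (directory) or read (file); None if the read would succeed."""
    current = base
    for part in relpath.split("/"):
        current = os.path.join(current, part)
        st = os.stat(current)  # must be run by a user who can stat the tree
        want = "x" if stat.S_ISDIR(st.st_mode) else "r"
        if not allowed(st, uid, gids, want):
            return current, oct(stat.S_IMODE(st.st_mode))
    return None


def build_sample_tree():
    """Constructed stand-in for /config/auth: 'live' is owner-only (assumed)."""
    base = tempfile.mkdtemp()
    rel = "letsencrypt/live/vyos/cert.pem"
    os.makedirs(os.path.join(base, os.path.dirname(rel)))
    with open(os.path.join(base, rel), "w") as f:
        f.write("constructed placeholder, not a real certificate\n")
    modes = (("letsencrypt", 0o755), ("letsencrypt/live", 0o700),
             ("letsencrypt/live/vyos", 0o755), (rel, 0o644))
    for sub, mode in modes:
        os.chmod(os.path.join(base, sub), mode)
    return base, rel


if __name__ == "__main__":
    base, rel = build_sample_tree()
    owner = os.stat(base).st_uid
    print("owner:", first_denied(base, rel, owner))
    print("other user:", first_denied(base, rel, owner + 1))
```

The world-readable 0644 mode on cert.pem does not help the second user, because the search bit on the live directory is checked first.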