Hey Guys,
Found a nice bug while using ACME to get SSL certificates. I'm running VyOS 1.4 LTS
Version: VyOS 1.4.0
Release train: sagitta
Release flavor: generic
Built by: Sentrium S.L.
Built on: Tue 04 Jun 2024 09:23 UTC
Build UUID: 5e6ae0c4-4d17-4b69-9247-b4ba44a3e3c2
Build commit ID: 35dd8ae6522c78-dirty
Architecture: x86_64
Boot via: installed image
System type: VMware guest

I've put the following configuration for pki:

set pki certificate <name> acme domain-name xxxxxx.xxx.xx
set pki certificate <name> acme email '....@.....nl'
set pki certificate <name> acme listen-address 'xxx.xxx.xx.xxx'
set pki certificate <name> acme rsa-key-size '4096'

When requesting show pki, the following error shows up:

show pki
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 111, in config_dict_mangle_acme
Certificate Authorities:
Name    Subject    Issuer CN    Issued    Expiry    Private Key    Parent
------  ---------  -----------  --------  --------  -------------  --------
    tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file
    raise e
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file
    with open(fname, 'r') as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1080, in <module>
    show_certificate()
  File "/usr/libexec/vyos/op_mode/pki.py", line 882, in show_certificate
    certs = get_config_certificate()
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/pki.py", line 88, in get_config_certificate
    pki[certificate] = config_dict_mangle_acme(certificate, pki[certificate])
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 121, in config_dict_mangle_acme
    raise ConfigError(f'Unable to load ACME certificates for "{name}"!')
vyos.base.ConfigError: Unable to load ACME certificates for "...."!
For now I've fixed it by chmod -R 775 /config/auth/lets/letsencrypt but I don't think that's the right way to do it. https://vyos.dev/T6377 looks to be roughly the same.
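
What a recursive mode of 775 does to a certbot-style directory, as an added example that is not part of the original post or of VyOS: it builds a constructed tree in a temporary directory and reports private-key files that end up readable by any local user. The function names, the certificate name "example" and the starting modes of the sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile

def build_sample_tree(root, name="example"):
    """Constructed tree modelled on certbot's live/ + archive/ layout."""
    for sub in ("archive", "live"):
        os.makedirs(os.path.join(root, sub, name))
        os.chmod(os.path.join(root, sub), 0o700)
    for stem, mode in (("cert", 0o644), ("privkey", 0o600)):
        target = os.path.join(root, "archive", name, f"{stem}1.pem")
        with open(target, "w") as f:
            f.write("constructed placeholder, not real key material\n")
        os.chmod(target, mode)
        os.symlink(os.path.join("..", "..", "archive", name, f"{stem}1.pem"),
                   os.path.join(root, "live", name, f"{stem}.pem"))

def iter_real_entries(root):
    """Yield root and every directory or file below it, skipping symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            if not os.path.islink(path):
                yield path

def chmod_recursive(root, mode):
    """Mirror `chmod -R`: one mode for every directory and file, links untouched."""
    for path in iter_real_entries(root):
        os.chmod(path, mode)

def world_readable_keys(root):
    """Private-key files whose mode grants read access to 'other'."""
    hits = []
    for path in iter_real_entries(root):
        st = os.stat(path)
        is_key = os.path.basename(path).startswith("privkey")
        if stat.S_ISREG(st.st_mode) and is_key and st.st_mode & stat.S_IROTH:
            hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Return (findings before, findings after) applying mode 775 recursively."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = world_readable_keys(root)
        chmod_recursive(root, 0o775)
        return before, world_readable_keys(root)
```

Calling `world_readable_keys()` on a real certificate directory gives the same report without changing any modes.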