Page MenuHomeVyOS Platform
Create Task
Maniphest T6480

PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem
Closed, ResolvedPublic
Actions

Description

Hey Guys,

Found a nice bug while using ACME to get SSL certificates. I'm running VyOS 1.4 LTS

Version:          VyOS 1.4.0
Release train:    sagitta
Release flavor:   generic
Built by:         Sentrium S.L.
Built on:         Tue 04 Jun 2024 09:23 UTC
Build UUID:       5e6ae0c4-4d17-4b69-9247-b4ba44a3e3c2
Build commit ID:  35dd8ae6522c78-dirty
Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

I've put to following configuration for pki

set pki certificate <name> acme domain-name xxxxxx.xxx.xx
set pki certificate <name> acme email '....@.....nl'
set pki certificate <name> acme listen-address 'xxx.xxx.xx.xxx'
set pki certificate <name> acme rsa-key-size '4096'

When requesting the show pki to following error shows up.

show pki
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 111, in config_dict_mangle_acme
Certificate Authorities:
Name    Subject    Issuer CN    Issued    Expiry    Private Key    Parent
------  ---------  -----------  --------  --------  -------------  --------
    tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file
    raise e
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file
    with open(fname, 'r') as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1080, in <module>
    show_certificate()
  File "/usr/libexec/vyos/op_mode/pki.py", line 882, in show_certificate
    certs = get_config_certificate()
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/pki.py", line 88, in get_config_certificate
    pki[certificate] = config_dict_mangle_acme(certificate, pki[certificate])
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 121, in config_dict_mangle_acme
    raise ConfigError(f'Unable to load ACME certificates for "{name}"!')
vyos.base.ConfigError: Unable to load ACME certificates for "...."!

For now I've fixed it by chmod -R 775 /config/auth/lets/letsencrypt but I don't think thats the right way to do it. https://vyos.dev/T6377 looks to be roughtly the same.

Details

Version
1.4.0
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects
Search...

Event Timeline

boevering created this task.Jun 13 2024, 7:31 AM
boevering triaged this task as Normal priority.
boevering created this object in space S1 VyOS Public.
pasik subscribed.Jun 13 2024, 9:01 AM
c-po changed the task status from Open to In progress.Jun 14 2024, 10:32 AM
c-po claimed this task.
c-po added a project: VyOS 1.4 Sagitta (1.4.1).
c-po changed Version from 1.4 to 1.4.0.
c-po added a parent task: T6377: PermissionError on /config/auth/letsencrypt/live/ when running show pki.
c-po added a comment.Jun 14 2024, 10:39 AM

https://github.com/vyos/vyos-1x/pull/3645

c-po moved this task from Open to Finished on the VyOS 1.5 Circinus board.Jun 14 2024, 10:40 AM
c-po moved this task from Backlog to In Progress on the VyOS 1.4 Sagitta (1.4.1) board.Jun 14 2024, 12:11 PM
Restricted Repository Identity mentioned this in rVYOSONEXf3d3b0fc0280: Merge pull request #3645 from c-po/pki-T6480.Jun 14 2024, 8:53 PM
c-po mentioned this in rVYOSONEX9456113a202f: op-mode: T6480: must call pki.py helper as root to work with ACME certificates.Jun 14 2024, 8:53 PM
Restricted Repository Identity mentioned this in rVYOSONEX833b33403f17: op-mode: T6480: must call pki.py helper as root to work with ACME certificates.Jun 14 2024, 8:54 PM
c-po moved this task from In Progress to Finished on the VyOS 1.4 Sagitta (1.4.1) board.Jun 15 2024, 5:56 AM
Restricted Repository Identity mentioned this in rVYOSONEX8d3f5d1c69c9: op-mode: T6480: must call pki.py helper as root to work with ACME certificates.Jun 17 2024, 5:50 PM
Restricted Repository Identity mentioned this in rVYOSONEX9ec0d19e472c: Merge pull request #3676 from vyos/mergify/bp/sagitta-stream/pr-3645.Jun 17 2024, 7:09 PM
c-po moved this task from Finished to In Progress on the VyOS 1.4 Sagitta (1.4.1) board.Jun 23 2024, 6:08 AM
Restricted Repository Identity mentioned this in rVYOSONEX1ab97c5714d0: Merge pull request #3651 from vyos/mergify/bp/sagitta/pr-3645.Jun 24 2024, 7:55 AM
c-po closed this task as Resolved.Jun 24 2024, 8:21 AM
c-po moved this task from In Progress to Finished on the VyOS 1.4 Sagitta (1.4.1) board.
dmbaturin mentioned this in 1.4.1.Dec 31 2024, 1:23 AM