
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem'
Closed, Resolved (Public)

Description

Hey Guys,

Found a nice bug while using ACME to get SSL certificates. I'm running VyOS 1.4 LTS:

Version:          VyOS 1.4.0
Release train:    sagitta
Release flavor:   generic
Built by:         Sentrium S.L.
Built on:         Tue 04 Jun 2024 09:23 UTC
Build UUID:       5e6ae0c4-4d17-4b69-9247-b4ba44a3e3c2
Build commit ID:  35dd8ae6522c78-dirty
Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

I've put the following configuration for pki:

set pki certificate <name> acme domain-name xxxxxx.xxx.xx
set pki certificate <name> acme email '[email protected]'
set pki certificate <name> acme listen-address 'xxx.xxx.xx.xxx'
set pki certificate <name> acme rsa-key-size '4096'

When requesting show pki, the following error shows up:

show pki
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 111, in config_dict_mangle_acme
Certificate Authorities:
Name    Subject    Issuer CN    Issued    Expiry    Private Key    Parent
------  ---------  -----------  --------  --------  -------------  --------
    tmp = read_file(f'{vyos_certbot_dir}/live/{name}/cert.pem')
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 44, in read_file
    raise e
  File "/usr/lib/python3/dist-packages/vyos/utils/file.py", line 38, in read_file
    with open(fname, 'r') as f:
         ^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/config/auth/letsencrypt/live/..../cert.pem'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/pki.py", line 1080, in <module>
    show_certificate()
  File "/usr/libexec/vyos/op_mode/pki.py", line 882, in show_certificate
    certs = get_config_certificate()
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/op_mode/pki.py", line 88, in get_config_certificate
    pki[certificate] = config_dict_mangle_acme(certificate, pki[certificate])
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/config.py", line 121, in config_dict_mangle_acme
    raise ConfigError(f'Unable to load ACME certificates for "{name}"!')
vyos.base.ConfigError: Unable to load ACME certificates for "...."!

For now I've fixed it by chmod -R 775 /config/auth/lets/letsencrypt but I don't think that's the right way to do it. https://vyos.dev/T6377 looks to be roughly the same.

Details

Difficulty level: Unknown (require assessment)
Version: 1.4.0
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
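
Added example (not part of the original report and not VyOS code): a mode-bit walk that shows which component of a path like the one in the traceback denies access to a given user, and which private keys become readable by every local account after a recursive chmod 775. The sample tree, the `example` certificate name and the 0700 mode on `live` are constructed assumptions; ACLs are ignored.

```python
import os
import stat
import tempfile
from pathlib import Path

def allowed(st, uid, gids, want):
    """Mode-bit check only (no ACLs): may uid/gids 'r'ead or traverse ('x')?"""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return uid == 0 or bool((st.st_mode >> shift) & (4 if want == "r" else 1))

def first_denied(base, target, uid, gids):
    """Walk base -> target; return the first component that blocks access, else None."""
    comp = Path(base)
    for part in ("", *Path(target).relative_to(base).parts):
        comp = comp / part
        st = os.stat(comp)
        want = "x" if stat.S_ISDIR(st.st_mode) else "r"  # traverse dirs, read the file
        if not allowed(st, uid, gids, want):
            return comp
    return None

def world_readable_keys(base):
    """Private keys under base that any local user can read (S_IROTH set)."""
    return sorted(p for p in Path(base).rglob("privkey*.pem")
                  if os.stat(p).st_mode & stat.S_IROTH)

def chmod_recursive(base, mode):
    """Same effect as `chmod -R <mode>` on everything below base."""
    for root, dirs, files in os.walk(base):
        for name in dirs + files:
            os.chmod(os.path.join(root, name), mode)

def build_sample_tree():
    """Constructed stand-in for a certbot directory; 'example' is a placeholder name."""
    base = Path(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    live = base / "live" / "example"
    live.mkdir(parents=True)
    for name, mode in (("cert.pem", 0o644), ("privkey.pem", 0o600)):
        (live / name).write_text("constructed sample\n")
        os.chmod(live / name, mode)
    os.chmod(base / "live", 0o700)  # assumed owner-only mode on the live directory
    return base

if __name__ == "__main__":
    base = build_sample_tree()
    cert, other = base / "live/example/cert.pem", (os.getuid() + 1, {os.getgid() + 1})
    print("blocked at:", first_denied(base, cert, *other))  # hypothetical non-owner user
    chmod_recursive(base, 0o775)
    print("world-readable keys after chmod -R 775:", world_readable_keys(base))
```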