TLS certificate permission checks
inn-workers at ml.th-h.de
Sat Oct 29 13:50:07 UTC 2016
Russ Allbery wrote:
> In another group I read, someone was setting up a TLS certificate for use
> with nnrpd using Let's Encrypt, and they ran into a ton of trouble because
> of the very tight permission checks in nnrpd before it's willing to use
> the certificate.
Yes. Currently, you have to copy certificate and key (for INN and
Exim) and change owner and permissions (for INN only), AFAIS.
> I think we may be a bit too aggressive about this. We're trying to
> protect people against mistakes that could leak the key to other users on
> the same host, but it's increasingly uncommon for a news server to run on
> the same box as untrusted people, so I'm not sure how much this matters.
> And it causes some friction when people are setting up automatic
> certificate renewal.