
NixOS ACME / LetsEncrypt

110 Members
Another day, another cert renewal
44 Servers



5 Mar 2022
@m1cr0man:m1cr0man.com (m1cr0man)

Yeah honestly I think that would be a good idea :) There will be some things to note however.

Firstly, we have weak values for group set on a cert used by nginx/httpd (example:
https://github.com/m1cr0man/nixpkgs/blob/674cfc91c7432662fc8ab96a6d17819f5517ddb8/nixos/modules/services/web-servers/nginx/default.nix#L967). It _might_ be necessary to check that the user/group for the web server isn't already in the cert's group; however, knowing Systemd, if you specify SupplementalGroups the user already has, it'll probably no-op and be grand.

Secondly there was in the past some concern raised around granting acme group to other services because it would grant that service access to more certs than you may want. You might get some backlash in that regard. In reality, this is hard to operate around and for wildcard certs you're likely to only have 1 cert shared across multiple services anyway.

Lastly, there were still some cases where people/services wanted root as the owner, and before the useRoot option was added to acme, LoadCredential was the only solution here: https://github.com/NixOS/nixpkgs/pull/123261 (WOW, just noticed this hasn't been merged). I bring this up because LoadCredential would also be a valid solution instead of SupplementalGroups, but because credentials are not re-read from disk when they change, which is bad for ACME usage, I don't think it's preferred.

14:45:35
@m1cr0man:m1cr0man.com (m1cr0man)

Point 2 is really why your assertion was acceptable in the first place. We're letting users know that the permissions are incorrect and they have to decide how to solve it, rather than us just blanket-granting access to certs, which may or may not be what the user expects.

14:46:52
