From 2906ec3045799183db0de631cc60cee73d9dcaef Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sun, 1 Oct 2017 11:26:20 +0300
Subject: [PATCH] Fix SSL-renewal problem caused by incorrect permissions

---
 roles/matrix-server/tasks/setup_ssl.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/roles/matrix-server/tasks/setup_ssl.yml b/roles/matrix-server/tasks/setup_ssl.yml
index d6c297ba..c7f5da98 100644
--- a/roles/matrix-server/tasks/setup_ssl.yml
+++ b/roles/matrix-server/tasks/setup_ssl.yml
@@ -24,11 +24,18 @@
   docker_image:
     name: willwill/acme-docker
 
+# Granting +rx to others as well, because the `nginx` user from within
+# matrix-nginx-proxy needs to be able to read the acme-challenge files inside
+# for renewal purposes.
+#
+# This should not be causing security trouble outside of the container,
+# as the parent directory (/matrix) does not allow "others" to access it or any of its children.
+# Still, it works when the /ssl subtree is mounted in the container.
 - name: Ensure SSL certificates path exists
   file:
     path: "{{ matrix_ssl_certs_path }}"
     state: directory
-    mode: 0770
+    mode: 0775
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
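Review bot: The new `mode: 0775` is an unquoted plain scalar, which YAML 1.1 loaders read as the octal integer 509; Ansible accepts that form, but its `file` module documentation recommends the string form, `mode: "0775"`, so the leading zero cannot be lost to a reformatter or a later edit to a decimal-looking value. The safety argument in the added comment rests on the `/matrix` parent directory denying access to others, yet that mode is set by a task outside this hunk and nothing here asserts it, so loosening the parent later would silently expose the listing of the certs directory; a one-line pointer in the comment to the task that owns the parent's mode (or a matching comment on that task) would keep the two in step. The task sets no `recurse`, so only the directory's own bits change — the acme-challenge files the container writes beneath it keep whatever mode it gives them, which is presumably what renewal actually depends on and worth confirming against the container's behaviour.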