Commit

Merge pull request #731 from antobinary/port-688
Security fix: Avoid making certificate key world-readable on renewal. (port)
antobinary authored Feb 24, 2024
2 parents fc40d50 + 61562d6 commit 4f659ef
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion bbb-install.sh
Expand Up @@ -816,9 +816,11 @@ END
cat > /etc/letsencrypt/renewal-hooks/deploy/haproxy <<HERE
#!/bin/bash -e
touch /etc/haproxy/certbundle.pem.new
chmod 0640 /etc/haproxy/certbundle.pem.new
{ cat /etc/letsencrypt/live/$HOST/fullchain.pem; echo; cat /etc/letsencrypt/live/$HOST/privkey.pem; } > /etc/haproxy/certbundle.pem.new
chown root:haproxy /etc/haproxy/certbundle.pem.new
chmod 0640 /etc/haproxy/certbundle.pem.new
mv /etc/haproxy/certbundle.pem.new /etc/haproxy/certbundle.pem
systemctl reload haproxy
HERE
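Review bot: The `touch` / `chmod 0640` pair at the top of the hook still creates `certbundle.pem.new` under whatever umask the hook inherits, and as root:root, so the protection depends on two separate steps running in order before the redirect writes `privkey.pem` into it. The file is empty during that window, so no key material is exposed, but creating it with the final mode and owner in one step is more robust: either put `umask 077` as the first line of the hook, or replace the two lines with `install -m 0640 -o root -g haproxy /dev/null /etc/haproxy/certbundle.pem.new`, which also makes the later `chown root:haproxy` and second `chmod 0640` redundant. Since the hook is only written when `bbb-install.sh` runs its `cat > /etc/letsencrypt/renewal-hooks/deploy/haproxy <<HERE`, hosts installed earlier keep the previous hook until the installer is re-run; that is worth stating in the commit message or release notes.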