
Commit

Merge pull request #688 from datenritter/security-fix
Security fix: Avoid making certificate key world-readable on renewal.
antobinary authored Oct 17, 2023
2 parents e2a3463 + 79b3777 commit f11f57f
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion bbb-install.sh
Expand Up @@ -831,9 +831,11 @@ END
cat > /etc/letsencrypt/renewal-hooks/deploy/haproxy <<HERE
#!/bin/bash -e
touch /etc/haproxy/certbundle.pem.new
chmod 0640 /etc/haproxy/certbundle.pem.new
{ cat /etc/letsencrypt/live/$HOST/fullchain.pem; echo; cat /etc/letsencrypt/live/$HOST/privkey.pem; } > /etc/haproxy/certbundle.pem.new
chown root:haproxy /etc/haproxy/certbundle.pem.new
chmod 0640 /etc/haproxy/certbundle.pem.new
mv /etc/haproxy/certbundle.pem.new /etc/haproxy/certbundle.pem
systemctl reload haproxy
HERE
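Review bot: the hook body now has two identical `chmod 0640 /etc/haproxy/certbundle.pem.new` lines, one before the key is written and one after `chown root:haproxy`, with no comment saying that the first one is the security-relevant one, so a later cleanup could remove it as a duplicate and bring the world-readable window back. Add a one-line comment above the `touch`/`chmod` pair explaining that the mode must be restricted before `privkey.pem` is redirected into the file. The `touch` still creates the empty file with whatever mode the caller's umask allows before `chmod` narrows it; nothing sensitive is in the file at that point, but setting `umask 027` as the first command of the hook would make every file the script creates restricted from the start and would let the trailing `chmod 0640` be dropped.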
