Thank you for getting to the bottom of it. I noticed some weirdness with the certificate deployment as well in recent versions but didn't think much of it.
Either acme.sh or Unifi changed the user they are running under.
I proposed an addition to the upstream project. If that finds support, I am going to fix it there.
Maybe we'll get around changing anything here then.
Describe the bug
When deploying a certificate obtained via acme-client, the permissions on the key store are wrong. Also see here: https://forum.opnsense.org/index.php?topic=43556.msg216736#msg216736
To Reproduce
(using the Unifi plugin from the mimugmail repo)
Expected behavior
Expected to have a clean reload
Suggested fix
What could help is to change this line here:
plugins/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeUnifi.php
Line 42 in 80c2623
$this->acme_env['DEPLOY_UNIFI_RELOAD'] = 'service unifi restart';
change into
$this->acme_env['DEPLOY_UNIFI_RELOAD'] = 'chown unifi:wheel ' . (string)$this->config->acme_unifi_keystore . '; service unifi restart';
I've considered having a separate chown command, but order would not be expected to be the same and that solution seems brittle. Post-hooks in acme.sh are run before deploy hooks in acme.sh so that won't work either. Also changing the deploy hook in acme.sh is very specific to OPNsense and will possibly not be accepted in the distribution (which would be fair). So I think the above would be the best place to fix this.