File permissions incorrect

[thernstig]

See https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl

generate_client_certs.yml and generate_server_certs.yml does not set the same permission as specified in the above link.

0400 should be set on all keys
0444 should be set on all certs

As such, both .yml files need to split the file permission step into two tasks to handle this.

[bk203]

So like this, if i correctly understand the problem:

generate_client_certs.yml

- name: Set file permissions for keys
  file:
    path: "{{ dds_client_cert_path }}/{{ item }}"
    mode: 0400
  with_items:
    - key.pem

- name: Set file permissions for certificates
  file:
    path: "{{ dds_client_cert_path }}/{{ item }}"
    mode: 0444
  with_items:
    - ca.pem
    - cert.pem

generate_server_certs.yml

- name: Set file permissions for keys
  file:
    path: "{{ dds_server_cert_path }}/{{ item }}"
    mode: 0400
  with_items:
    - server-key.pem

- name: Set file permissions for certificates
  file:
    path: "{{ dds_server_cert_path }}/{{ item }}"
    mode: 0444
  with_items:
    - ca.pem
    - server-cert.pem

[thernstig]

@msmit1993 Correct, so not a big change. With the addition that ca-key.pem should possibly also get 0400 in main.yml, as I suppose one wants to save that file as well to create new CSR's in the future.

It is quite bad as it is now that key.pem gets 0444, that is definitely a problem.