One can use letsencypt post-renewal hooks as such and probably copy the
certs to a folder with permissions for the users.
-------------------------------------------
This is the hook file
cat /etc/letsencrypt/renewal-hooks/post/renew-ssl.sh
Hook file content
cat "/etc/letsencrypt/live/domainfullchain.pem"
"/etc/letsencrypt/live/domain/privkey.pem" | sudo -u leon tee
/home/leon/containers/portfolio/haproxy/sslcerts/domain > /dev/null
-------------------------------------------
I also add a systemctl reload so that the container can reread the SSL.
Not sure if this is what you're looking for.
On Thu, Sep 15, 2022 at 3:18 PM Daniel Walsh <dwalsh(a)redhat.com> wrote:
On 9/14/22 17:24, Mikhaël MYARA wrote:
dear all,
I work on a podman container for postfix + dovecot. On my host, the
encrypt keys (including the private key) are stored in
/etc/letsencrypt/live/xxxxx.xxx/, and these keys have to be used by both
postfix and dovecot.
However the "/etc/letsencrypt/live" folder is only accessible by root,
so that when I share the /etc/letsencrypt folder using the -v option, the
container has no access to the live folder. Of course, if I do awful things
like chmod 777 on the /etc/letsencrypt/live folder everything is ok. But of
course it is not a good way for that.
I wanted to know what I should do to avoid this chmod 777 while working
with a rootless container. Can I map the volume using root ? (and if so is
it a good idea ?) Should I play with groups on the host (= a group called
like "encrypters", that may contain only root and the user that runs the
container ?) Or a root process that performs copies of the keys ?
I also have seen the "--secret" option for podman I did not understad
If it would solve my problem. Please also notice that the "let's encrypt"
keys are re-generated sometimes because they have a 1 month lifetime.
If there is some guideline somewhere about this topic please show me.
My host is ubuntu 22.04, and the podman version is 3.4.4. I don't use SE
linux for now.
Thanks a lot,
Mike
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
I guess if the goal is to change the /etc/letsencrypt/live on the host via
a container, then you will have to make the directory writable by the non
root user running the container.
This can be done using group access or ACLs. Inside of the container the
files will look like they are owned by the nobody user.
If you want the files read from the host but only writeable from within
the container, IE they don't effect the host at all, you could try to mount
the volume as an Overlay volume.
-v /etc/letsencrypt/live:/etc/letsencrypt/live:O
Note the values here will be private to the container and will be removed
when the container is destroyed.
If you don't want values read from the host at all, but just the container
to use secrets, then you could use secrets
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io