git » chasquid » commit 567ad35

docker: Only do setfacl if we issued the certificates

author Alberto Bertogli
2022-08-23 22:48:35 UTC
committer Alberto Bertogli
2022-08-23 22:48:35 UTC
parent b779941f90e55b35a9ee84c2a7a307494c6c1011

docker: Only do setfacl if we issued the certificates

Today, we do setfacl unconditionally; this can be a problem for
user-provided certificates because they may be located somewhere else.

This patch fixes the problem by only doing setfacl after renewing the
certificates.

Externally provided certificates will be untouched, and the user is
responsible for ensuring that chasquid can read them.

Thanks to Alex Ellwein (aellwein@github) for reporting this in
https://github.com/albertito/chasquid/issues/29!

docker/entrypoint.sh +4 -4

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 3bb9e9f..e5a5451 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -46,6 +46,10 @@ if [ "$AUTO_CERTS" != "" ]; then
 	# Note this requires you to restart every week or so, to make sure
 	# your certificate does not expire.
 	certbot renew
+
+	# Give chasquid access to the certificates.
+	# Dovecot does not need this as it reads them as root.
+	setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}
 fi
 
 CERT_DOMAINS=""
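Review bot: the new `setfacl` line runs regardless of whether `certbot renew` succeeded, since nothing in this hunk checks its exit status. That is harmless on its own (it only re-grants read access to whatever already sits under /etc/letsencrypt), but if the intent is that a failed renewal should be visible, consider `certbot renew && setfacl ...` or an explicit status check so a silent failure is not discovered only when the certificate expires. Also, `{live,archive}` is brace expansion and depends on the script running under bash; if the shebang is `/bin/sh` the braces are passed literally and the ACL is never applied, so spelling the paths out is safer: `setfacl -R -m u:chasquid:rX /etc/letsencrypt/live /etc/letsencrypt/archive`.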
@@ -66,10 +70,6 @@ if [ "$CERT_DOMAINS" == "" ]; then
 	exit 1
 fi
 
-# Give chasquid access to the certificates.
-# Dovecot does not need this as it reads them as root.
-setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}
-
 # Give chasquid access to the data directory.
 mkdir -p /data/chasquid/data
 chown -R chasquid /data/chasquid/
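Review bot: with this block removed, nothing verifies that the chasquid user can actually read an externally provided certificate and key, so a permissions mistake now surfaces only at the first TLS handshake rather than at start-up. Since the commit message makes the user responsible for access, a fail-fast check in the non-AUTO_CERTS branch would catch that early, for example `su -s /bin/sh chasquid -c "test -r $CERT_FILE -a -r $KEY_FILE"` (variable names assumed, the real ones come from the configuration not shown here) followed by an `exit 1` with a clear message. Separately, the `==` in the `if [ "$CERT_DOMAINS" == "" ]` context line is a bash-only form; `=` is the portable test.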