Bug 1911003

Summary: dovecot-init.service using incorrect hard-coded certificate path
Product: Red Hat Enterprise Linux 8
Reporter: Chris <tech>
Component: dovecot
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED NOTABUG
QA Contact: CS System Management SST QE <rhel-cs-system-management-subsystem-qe>
Severity: medium
Priority: unspecified
Version: CentOS Stream
CC: bstinson, carl, jwboyer
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Last Closed: 2021-02-21 23:13:52 UTC
Type: Bug

Description Chris 2020-12-26 21:45:55 UTC
Description of problem: dovecot-init.service using incorrect hard-coded certificate path


The path to the certificates resides in the dovecot configuration files in /etc/dovecot/*  (which might, but not always, include /etc/dovecot/conf.d/10-ssl.conf )

Somewhere in the above files will be a line similar to the following, which is where the real location of certificates is defined:-

ssl_cert = </etc/letsencrypt/live/mycerts.com/cert.pem

However, the simplistic dovecot-init.service script has hard-coded paths as follows:-


ConditionPathExists=|!/etc/pki/dovecot/certs/dovecot.pem


The script needs fixing to properly parse the dovecot configs to find the actual cert
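The config parsing the reporter asks for, as an added example that is not part of the bug report or of the dovecot package: it reads a dovecot config, follows !include / !include_try directives, extracts the ssl_cert and ssl_key paths given with dovecot's "<file" prefix, and reports whether each file exists, which is the condition a unit would need to test instead of one fixed path. The config tree it builds is constructed for the self-test, and the privkey.pem name is an assumption (the report only shows cert.pem).

```python
import glob
import os
import re
import tempfile

# "key = value"; a value starting with "<" makes dovecot read the setting from that file
_ASSIGN = re.compile(r'^(\w+)\s*=\s*(.*)$')
_INCLUDE = re.compile(r'^!include(_try)?\s+(\S+)$')

def parse_dovecot_settings(pattern, settings=None, seen=None):
    """Top-level key/value pairs from a dovecot config, following !include(_try) with
    globs and relative paths. Blocks like 'protocol imap { ... }' are not modelled."""
    settings = {} if settings is None else settings
    seen = set() if seen is None else seen
    for real in map(os.path.realpath, sorted(glob.glob(pattern))):
        if real in seen:                      # guard against include loops
            continue
        seen.add(real)
        with open(real) as fh:
            for raw in fh:
                line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
                inc = _INCLUDE.match(line)
                if inc:
                    target = inc.group(2)
                    if not os.path.isabs(target):   # relative to the including file
                        target = os.path.join(os.path.dirname(real), target)
                    parse_dovecot_settings(target, settings, seen)
                elif (kv := _ASSIGN.match(line)):
                    settings[kv.group(1)] = kv.group(2)
    return settings

def configured_cert_files(conf_path):
    """{setting: (path, exists)} for ssl_cert / ssl_key given as '<file'. The
    exists flag is what an init unit should test, not one fixed path."""
    s = parse_dovecot_settings(conf_path)
    paths = {k: s[k][1:].strip() for k in ('ssl_cert', 'ssl_key')
             if s.get(k, '').startswith('<')}
    return {k: (p, os.path.exists(p)) for k, p in paths.items()}

def build_sample_tree():
    """Constructed config tree (not from a real host) for a self-test."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, 'conf.d'))
    with open(os.path.join(root, 'dovecot.conf'), 'w') as fh:
        fh.write('protocols = imap\n!include conf.d/*.conf\n')
    with open(os.path.join(root, 'conf.d', '10-ssl.conf'), 'w') as fh:
        fh.write('ssl = required  # constructed sample\n'
                 'ssl_cert = </etc/letsencrypt/live/mycerts.com/cert.pem\n'
                 'ssl_key = </etc/letsencrypt/live/mycerts.com/privkey.pem\n')
    return os.path.join(root, 'dovecot.conf')
```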

Comment 1 Chris 2020-12-26 21:51:58 UTC
Same problem for other products as well I expect:-


# grep -r pem /usr/lib/systemd/
/usr/lib/systemd/system/unbound-anchor.service:ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
/usr/lib/systemd/system/cyrus-imapd-init.service:ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd.pem
/usr/lib/systemd/system/cyrus-imapd-init.service:ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd-key.pem
/usr/lib/systemd/system/cyrus-imapd-init.service:ConditionPathExists=!/etc/pki/cyrus-imapd/cyrus-imapd-ca.pem
/usr/lib/systemd/system/cyrus-imapd-init.service:ExecStart=/usr/bin/sscg --package cyrus-imapd --cert-file /etc/pki/cyrus-imapd/cyrus-imapd.pem --cert-key-file /etc/pki/cyrus-imapd/cyrus-imapd-key.pem --ca-file /etc/pki/cyrus-imapd/cyrus-imapd-ca.pem --cert-key-mode=0640


Your scripts need to honor the actual certificate locations of the product configuration files ALWAYS - hardcoded locations are never the right decision.

Comment 2 Chris 2020-12-26 21:53:45 UTC
(Do you have a system to work out which of your staff wrote the above scripts?  *All* of their work almost certainly needs a review - these kinds of quick-and-dirty shortcut hacks suggest that they have a dangerous work ethic which almost certainly will be causing other problems in the other stuff they've been involved with...)

Comment 3 Michal Hlavinka 2021-02-21 23:13:52 UTC
Letsencrypt is your choice of certificate, and you have to configure that to make it work.

ANY real crypto and security needs proper configuration before it can be deployed in a production environment. It just contains default values to make it somewhat work out of the box.

systemd unit files are part of the configuration; they are not hardcoded data, they just contain default values. If you don't use it or want to use something different, you can change that.