How to securely use letsencrypt certs?

#1

I’m setting up TaskWarrior on my freedombox, with an unprivileged daemon account called taskd. TaskWarrior can use letsencrypt certs for communication, but the /etc/letsencrypt/live folder is owned by root, which kind of makes sense. However, I’d like to be able to load this material for use in my taskwarrior server without running taskwarrior as root. Here are some ideas I had:

  1. Option 1 - Somehow allow the taskwarrior instance to get to these files.
  2. Option 2 - Use the letsencrypt certs to create a sub-cert that is only for taskwarrior.

Obviously option 2 is kind of lame because the child keys and stuff will expire when the parent stuff expires.

How should I go about using these certs? In a perfect world, I wouldn’t need to give root to taskwarrior, and the certs will renew automatically with certbot.

thanks,
-neko

#2

If TaskWarrior is HTTP only, then the best way to do it is by letting Apache take care of TLS. Simply create a configuration for TaskWarrior in /etc/apache2/conf-available/taskwarrior.conf and write a ProxyPass directive. See other configurations FreedomBox provides for examples. In this setup, Apache will handle TLS and pass on the request to TaskWarrior unencrypted running unprivileged.

If for some reason you do need a TLS certificate, best is to copy the certificate from Let’s Encrypt /live directory to TaskWarrior configuration directory, carefully set appropriate ownership/permissions and restart the taskwarrior daemon. Create a shell script for this, drop into /etc/letsencrypt/renewal-hooks/post/ and run it once manually for initial setup. There is some discussion on why we choose copy method here: https://salsa.debian.org/freedombox-team/plinth/issues/1125

1 Like
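
The copy-and-restart hook described in #2, sketched as an added example (not part of the original posts and not FreedomBox's own script). The domain `example.org`, the destination `/var/lib/taskd/tls` and the `taskd` service name are assumptions; `fullchain.pem` and `privkey.pem` are the file names certbot writes under `live/`.

```shell
#!/bin/sh
# Added example: copy a certbot lineage to an unprivileged daemon after renewal.
# Domain, destination directory and service name are assumptions.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.org}"  # placeholder domain
DEST_DIR="${DEST_DIR:-/var/lib/taskd/tls}"                 # assumed location
OWNER="${OWNER:-taskd:taskd}"                              # account named in #1
SERVICE="${SERVICE:-taskd}"                                # assumed unit name

# copy_one SRC DEST MODE [USER:GROUP] -> prints "updated" or "unchanged".
# Reads through certbot's live/ -> archive/ symlink, so DEST is a regular file.
copy_one() {
    src=$1 dest=$2 mode=$3 owner=${4:-}
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo unchanged
        return 0
    fi
    tmp="$dest.new.$$"
    # Create the temp file under umask 077 so the key is never group- or
    # world-readable, even briefly.
    ( umask 077 && cat "$src" > "$tmp" ) || return 1
    chmod "$mode" "$tmp" || return 1
    if [ -n "$owner" ]; then chown "$owner" "$tmp" || return 1; fi
    mv -f "$tmp" "$dest" || return 1   # atomic replace within one directory
    echo updated
}

# deploy_cert SRC_DIR DEST_DIR [USER:GROUP] -> "updated" if either file changed.
deploy_cert() {
    changed=unchanged
    r=$(copy_one "$1/fullchain.pem" "$2/fullchain.pem" 0644 "${3:-}") || return 1
    [ "$r" = updated ] && changed=updated
    r=$(copy_one "$1/privkey.pem" "$2/privkey.pem" 0600 "${3:-}") || return 1
    [ "$r" = updated ] && changed=updated
    echo "$changed"
}

# Act only as root on a host that actually has this lineage.
if [ "$(id -u)" -eq 0 ] && [ -d "$LIVE_DIR" ]; then
    mkdir -p "$DEST_DIR"
    result=$(deploy_cert "$LIVE_DIR" "$DEST_DIR" "$OWNER") || exit 1
    # Restart only when the copied files changed.
    if [ "$result" = updated ]; then systemctl restart "$SERVICE"; fi
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/post/ and run once by hand for the initial copy, this keeps the private key readable only by the daemon account while root keeps sole access to /etc/letsencrypt.
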
#3

Thanks for the tip sunil :)

I believe taskwarrior requires the certs to run since it’s running its own application level communication over TLS, however I’ll be sure to look into how the ProxyPass thing works since that sounds quite interesting.

The hook feature is awesome! I didn’t even think to check for that kind of thing.

Thank you! ^^

I’ll be writing a blog post about getting various other services running on FreedomBox, probably Turtl and TaskWarrior at least, and I’ll be sure to share it back to this community.

2 Likes