Unbound

From FirstWiki

DNS over TLS

Let's Encrypt

It is not a file-permission issue as such: Unbound is started as root and reads the key and certificate files before it drops privileges to its service user. You can leave the Let's Encrypt certificate files owned by root:root and they still work.

What prevents Unbound from reading the certificates is AppArmor. Debian (and many other distributions) confine server binaries with a mandatory access control profile for security purposes. The default profile is in /etc/apparmor.d/usr.sbin.unbound; it only allows reads under /etc/unbound, /var/lib/unbound/, the OpenSSL directories under /etc/ssl (through the #include <abstractions/openssl> directive) and a few other paths. Because the Let's Encrypt certificates live outside those directories, they are not accessible to Unbound even while it is still running as root: AppArmor confines the binary regardless of the user it runs as. You can confirm this is the cause by looking for apparmor="DENIED" lines with profile="/usr/sbin/unbound" in the kernel log (journalctl -k or dmesg) after a failed start.

You can work around this by allowing Unbound to read the certificate files. Two rules are needed: the "live" directory holds symlinks, and AppArmor checks the target they resolve to under "archive", so granting only /etc/letsencrypt/live/ would still be denied. Put the rules in the local override file below rather than in the main profile: the main profile #includes it, so the change survives package upgrades.

$ cat /etc/apparmor.d/local/usr.sbin.unbound
/etc/letsencrypt/archive/** r,
/etc/letsencrypt/live/** r,

Once you change this file, activate the new rules by reloading the profile as root (apparmor_parser --replace, or -r, reloads it in place without restarting the AppArmor service), then start Unbound again so it retries reading the files:

$ apparmor_parser --replace /etc/apparmor.d/usr.sbin.unbound
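The following is an added example, not part of the wiki page or of Unbound itself. It shows the check described above turned into a small script: it takes AppArmor DENIED audit lines (the format the kernel writes to journalctl -k / dmesg), keeps only those for the /usr/sbin/unbound profile, and prints the read rules that belong in /etc/apparmor.d/local/usr.sbin.unbound. The three log lines are constructed for the example; the domain dns.example.org and the nginx line (included to show that other profiles are ignored) are assumptions.

```shell
#!/bin/sh
# Added example: derive AppArmor local-override rules for Unbound from
# kernel audit lines. Not code from the wiki page or from the Unbound project.

# Constructed sample of what `journalctl -k` shows after Unbound fails to
# start because AppArmor denied the Let's Encrypt files. Note ouid=0: the
# files are root-owned, so ownership is not the problem.
SAMPLE_LOG='audit: type=1400 audit(1700000000.101:55): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/etc/letsencrypt/live/dns.example.org/fullchain.pem" pid=1234 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.102:56): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/etc/letsencrypt/archive/dns.example.org/privkey1.pem" pid=1234 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000000.103:57): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/letsencrypt/live/www.example.org/privkey.pem" pid=999 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the files a given AppArmor profile was denied access to, one per
# line, from audit lines on stdin. Other profiles' denials are dropped.
denied_files() {
    grep 'apparmor="DENIED"' \
      | grep -F "profile=\"$1\"" \
      | sed -n 's/.* name="\([^"]*\)".*/\1/p'
}

# Map a denied path to the rule the wiki page uses. The two letsencrypt
# trees get a directory-wide rule so files written by the next renewal
# (new numbered files under archive/) are covered as well; anything else
# gets a single-file read rule for manual review.
rule_for() {
    case "$1" in
        /etc/letsencrypt/live/*)    echo '/etc/letsencrypt/live/** r,' ;;
        /etc/letsencrypt/archive/*) echo '/etc/letsencrypt/archive/** r,' ;;
        *)                          echo "$1 r," ;;
    esac
}

# Build the body of the local override file for one profile from the
# audit lines on stdin, with duplicates collapsed.
override_rules() {
    denied_files "$1" | while IFS= read -r f; do rule_for "$f"; done | sort -u
}

# Stand-alone run: show what /etc/apparmor.d/local/usr.sbin.unbound should
# contain for the sample, and the reload command from the page.
main() {
    printf '%s\n' "$SAMPLE_LOG" | override_rules /usr/sbin/unbound
    echo '# then, as root: apparmor_parser --replace /etc/apparmor.d/usr.sbin.unbound'
}

main
```

To use it on a real host, replace the sample with `journalctl -k | override_rules /usr/sbin/unbound`, check that every printed path is one Unbound genuinely needs before appending it to the override file, then reload the profile as shown on the page.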