If aegir doesn't have permissions to read the SSL certificates, it just emits a warning and keeps on going. This affects at least migrate and verify.

In my opinion, this should provoke a full failure as it could disable a site during migration.

Extract from the verify task log:

Generated config encrypted virtual host configuration
SSL Certificate directory for example.com on ceres path /var/aegir/config/server_master/ssl.d/example.com exists.
SSL Certificate directory for example.com on ceres ownership of /var/aegir/config/server_master/ssl.d/example.com has been changed to aegir.
SSL Certificate directory for example.com on ceres permissions of /var/aegir/config/server_master/ssl.d/example.com have been changed to 700.
SSL Certificate directory for example.com on ceres path /var/aegir/config/server_master/ssl.d/example.com is writable.
WD php: copy(/var/aegir/config/ssl.d/example.com/openssl.key): failed to open stream: Permission denied in /srv/aegir/.drush/provision/provision.file.inc on line 38.
apache on ceres could not be restarted. Changes might not be available until this has been done. (error: Syntax error on line 18 of /var/aegir/config/server_master/apache/vhost.d/www.example.com: SSLCertificateKeyFile: file '/var/aegir/config/server_master/ssl.d/example.com/openssl.key' does not exist or is empty)
copy(/var/aegir/config/ssl.d/example.com/openssl.key): failed to open stream: Permission denied in /srv/aegir/.drush/provision/provision.file.inc on line 38.
Cleared all caches
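The log above shows the sequence the report is complaining about: the copy of openssl.key fails with a permission error, the task only logs it, the vhost referencing the key is written anyway, and Apache then refuses to restart because the key "does not exist or is empty". The following is an added illustration of the fail-closed behaviour being asked for; it is not Aegir code (Aegir is PHP and Drush, this is Python for readability), and the function names, the ProvisionError class, and the temporary paths are assumptions. The idea is that the key copy raises instead of warning, and the SSL directives are only emitted after the same existence and non-empty check Apache performs, so a half-provisioned site is never left in place.

```python
"""Fail-closed SSL key installation, modelled on the verify log above.

Added example, not Aegir's own code. Names and paths are assumptions.
"""
import os
import shutil
import tempfile


class ProvisionError(Exception):
    """Raised when a step the vhost depends on cannot be completed."""


def install_key(src: str, dst: str) -> str:
    """Copy a private key into place with 0600 permissions, or raise.

    A warn-and-continue here is what produced the broken vhost in the log:
    the copy failed but the config referencing dst was still written.
    """
    try:
        shutil.copyfile(src, dst)
    except OSError as e:  # Permission denied, missing source, full disk...
        raise ProvisionError(f"cannot copy {src} to {dst}: {e}") from e
    os.chmod(dst, 0o600)
    if os.path.getsize(dst) == 0:
        raise ProvisionError(f"{dst} is empty")
    return dst


def vhost_ssl_lines(cert: str, key: str) -> list:
    """Emit SSL directives only after checking the files Apache will read.

    Performs Apache's own "does not exist or is empty" check up front, so the
    bad vhost is never written and Apache is never left un-restartable.
    """
    for path in (cert, key):
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            raise ProvisionError(f"{path} does not exist or is empty")
    return [f"SSLCertificateFile {cert}", f"SSLCertificateKeyFile {key}"]


def demo() -> dict:
    """Run four cases in a temp dir and report which ones fail closed.

    Key and cert contents are constructed placeholders, not real PEM data.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "openssl.key")
        cert = os.path.join(d, "openssl.crt")
        empty = os.path.join(d, "empty.key")
        with open(src, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
        with open(cert, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        open(empty, "w").close()
        ssl_d = os.path.join(d, "ssl.d")
        os.makedirs(ssl_d, mode=0o700)
        dst = os.path.join(ssl_d, "openssl.key")

        # 1. Readable key: copy succeeds and directives are emitted.
        install_key(src, dst)
        results["ok"] = vhost_ssl_lines(cert, dst)[1].endswith("openssl.key")

        # 2. Source cannot be read (here: missing; in the log: EACCES).
        try:
            install_key(os.path.join(d, "missing.key"), dst + ".new")
            results["unreadable_src"] = "continued"
        except ProvisionError:
            results["unreadable_src"] = "failed closed"

        # 3. Copy "succeeds" but yields an empty key.
        try:
            install_key(empty, os.path.join(ssl_d, "empty.key"))
            results["empty_key"] = "continued"
        except ProvisionError:
            results["empty_key"] = "failed closed"

        # 4. Vhost requested for a key that was never written.
        try:
            vhost_ssl_lines(cert, os.path.join(ssl_d, "never.key"))
            results["absent_key"] = "continued"
        except ProvisionError:
            results["absent_key"] = "failed closed"
    return results


if __name__ == "__main__":
    print(demo())
```

Case 2 uses a missing source file rather than chmod 000 so the example behaves the same whether or not it is run as root; the copy raises OSError in both situations and the handling is identical. Deleting the broken vhost on failure (or writing it to a temp file and renaming only after the checks pass) would be the complementary step on the Apache side.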

Comments

Version: » 6.x-1.9
Assigned: Unassigned » anarcat
Status: Active » Needs work

I am going to deal with this, thanks to webscope.co.nz

Status: Needs work » Patch (to be ported)

I have done a bunch of patches to improve SSL certificate handling on 2.x. After some testing, it is reasonable to merge this in 1.x, I believe, as there is no API change (apart from the fact that we generate 2048 bit keys by default instead of 1024 now).

Feel free to backport this when you get a chance (I'm agreeing that it should go into 1.x too)

Status: Patch (to be ported) » Fixed

merged in 1.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.