diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index f2e845a24..18e327d74 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -536,27 +536,33 @@ const internalCertificate = { try { if (!fs.existsSync(dir)) { - fs.mkdirSync(dir); + fs.mkdirSync(dir, { mode: 0o700 }); } } catch (err) { reject(err); return; } - fs.writeFile(dir + '/fullchain.pem', certData, function (err) { + const fullchainPath = dir + '/fullchain.pem'; + fs.writeFile(fullchainPath, certData, { mode: 0o600 }, function (err) { if (err) { reject(err); } else { + // Ensure permissions are correct + try { fs.chmodSync(fullchainPath, 0o600); } catch (e) { /* ignore errors */ } resolve(); } }); }) .then(() => { return new Promise((resolve, reject) => { - fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) { + const privkeyPath = dir + '/privkey.pem'; + fs.writeFile(privkeyPath, certificate.meta.certificate_key, { mode: 0o600 }, function (err) { if (err) { reject(err); } else { + // Ensure permissions are correct + try { fs.chmodSync(privkeyPath, 0o600); } catch (e) { /* ignore errors */ } resolve(); } }); @@ -683,6 +689,8 @@ const internalCertificate = { checkPrivateKey: (private_key) => { return tempWrite(private_key, '/tmp') .then((filepath) => { + // Ensure temp file is 0600 + try { fs.chmodSync(filepath, 0o600); } catch (e) { /* ignore errors */} return new Promise((resolve, reject) => { const failTimeout = setTimeout(() => { reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.')); @@ -716,6 +724,8 @@ const internalCertificate = { getCertificateInfo: (certificate, throw_expired) => { return tempWrite(certificate, '/tmp') .then((filepath) => { + // Ensure temp file is 0600 + try { fs.chmodSync(filepath, 0o600); } catch (e) { /* ignore errors */ } return internalCertificate.getCertificateInfoFromFile(filepath, throw_expired) .then((certData) => { fs.unlinkSync(filepath);