diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js index f2e845a24..e80717e51 100644 --- a/backend/internal/certificate.js +++ b/backend/internal/certificate.js @@ -536,27 +536,31 @@ const internalCertificate = { try { if (!fs.existsSync(dir)) { - fs.mkdirSync(dir); + fs.mkdirSync(dir, { mode: 0o700 }); } } catch (err) { reject(err); return; } - fs.writeFile(dir + '/fullchain.pem', certData, function (err) { + const fullchainPath = dir + '/fullchain.pem'; + fs.writeFile(fullchainPath, certData, { mode: 0o600 }, function (err) { if (err) { reject(err); } else { + try { fs.chmodSync(fullchainPath, 0o600); } catch (e) { /* ignore errors */ } resolve(); } }); }) .then(() => { return new Promise((resolve, reject) => { - fs.writeFile(dir + '/privkey.pem', certificate.meta.certificate_key, function (err) { + const privkeyPath = dir + '/privkey.pem'; + fs.writeFile(privkeyPath, certificate.meta.certificate_key, { mode: 0o600 }, function (err) { if (err) { reject(err); } else { + try { fs.chmodSync(privkeyPath, 0o600); } catch (e) { /* ignore errors */ } resolve(); } }); @@ -683,6 +687,7 @@ const internalCertificate = { checkPrivateKey: (private_key) => { return tempWrite(private_key, '/tmp') .then((filepath) => { + try { fs.chmodSync(filepath, 0o600); } catch (e) { /* ignore errors */ } return new Promise((resolve, reject) => { const failTimeout = setTimeout(() => { reject(new error.ValidationError('Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.')); @@ -716,6 +721,7 @@ const internalCertificate = { getCertificateInfo: (certificate, throw_expired) => { return tempWrite(certificate, '/tmp') .then((filepath) => { + try { fs.chmodSync(filepath, 0o600); } catch (e) { /* ignore errors */ } return internalCertificate.getCertificateInfoFromFile(filepath, throw_expired) .then((certData) => { fs.unlinkSync(filepath);