My opnsense letsencrypt cert renewed 2 days ago, and the ACME automation updates the cert in the UniFi keystore, as it always does.
I recently updated the UniFi plugin, maybe that's related.
These are some logs I can see under /usr/local/share/java/unifi/logs/server.log:

```
[2024-10-21T17:37:45,968+02:00] <main> INFO system - [internal] unable to set file permission on /usr/local/share/java/unifi/data/keystore: /usr/local/share/java/unifi/data/keystore: Operation not permitted
[2024-10-21T17:37:45,984+02:00] <main> INFO system - [internal] unable to set file permission on /usr/local/share/java/unifi/data/keystore_original: /usr/local/share/java/unifi/data/keystore_original: Operation not permitted
[...]
[2024-10-21T17:39:42,557+02:00] <ble-load-keystore> WARN blebridge - unable to load local keystore for BLE bridge /usr/local/share/java/unifi/data/keystore (Permission denied)
```
I noticed the keystore is somehow owned by root:wheel, while the other files in the same directory are owned by user unifi:

```
root@opn:~ # ll /usr/local/share/java/unifi/data/
total 86
drwx------ 3 unifi wheel 5 Oct 15 14:03 backup/
drwx------ 4 unifi wheel 365 Oct 21 17:55 db/
drwx------ 3 unifi wheel 4 May 18 03:54 firmware/
-rw------- 1 unifi wheel 26177 Oct 21 17:40 firmware.json
-rw-r----- 1 root wheel 3029 Oct 19 00:01 keystore
-rw-r----- 1 root wheel 3029 Oct 19 00:01 keystore_original
-rw------- 1 unifi wheel 1424 Oct 21 17:39 model_lifecycles.json
drwx------ 3 unifi wheel 3 May 19 10:06 sites/
-rw------- 1 unifi wheel 1393 Oct 21 17:39 system.properties
-rw------- 1 unifi wheel 1393 Oct 21 17:39 system.properties.bk
-rw------- 1 unifi wheel 76067 Oct 19 01:03 uidb.json
```
I ran

```
chown unifi:wheel /usr/local/share/java/unifi/data/keystore
chown unifi:wheel /usr/local/share/java/unifi/data/keystore_original
```

restarted the unifi service, and that seems to fix the issue.
My problem is that the next cert renewal in 2 months will, I expect, cause this to fail again.
I would like to check the command used to update the keystore but I'm not sure where this is defined. Pointers welcome.
The unifi keystore is updated via acme.sh. See https://github.com/acmesh-official/acme.sh/blob/master/deploy/unifi.sh (around lines 120-123). The problem is that the new keystore is created by the user running the command (being root).
What could help is to change this line: https://github.com/opnsense/plugins/blob/80c2623bd581f4586b09eb54ae30b2e0965cf60c/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeAutomation/AcmeUnifi.php#L42
`$this->acme_env['DEPLOY_UNIFI_RELOAD'] = 'service unifi restart';` into something like `$this->acme_env['DEPLOY_UNIFI_RELOAD'] = 'chown unifi:wheel ' . (string)$this->config->acme_unifi_keystore . '; service unifi restart';`
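A reload hook along those lines, as an added example that is neither the plugin's nor acme.sh's own code: it repairs the ownership of the keystore (and the `keystore_original` copy seen in the listing above) only when it is wrong, and fails before restarting if the file is missing or the chown does not succeed. The `unifi:wheel` owner comes from the listing; the function names and the `reload_unifi` wrapper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the OPNsense plugin's or acme.sh's own code.
# Intended to be what DEPLOY_UNIFI_RELOAD runs instead of a bare restart.

# Print "owner:group" of a file. ls -ld is parsed instead of stat(1)
# because stat's flags differ between FreeBSD and Linux.
file_owner() {
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# ensure_owner FILE OWNER GROUP
# Returns 0 when FILE ends up owned by OWNER:GROUP (chown only if needed),
# 1 when FILE is missing or the chown fails. Nothing is changed when the
# ownership is already correct, so the hook is safe to run on every renewal.
ensure_owner() {
    f=$1; want="$2:$3"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if [ "$(file_owner "$f")" != "$want" ]; then
        echo "fixing owner of $f: $(file_owner "$f") -> $want" >&2
        chown "$want" "$f" || { echo "chown failed on $f" >&2; return 1; }
    fi
    return 0
}

# reload_unifi KEYSTORE (hypothetical wrapper): the path is the plugin's
# acme_unifi_keystore setting; acme.sh writes a *_original copy next to it.
# The service is only restarted once both files are owned by unifi:wheel.
reload_unifi() {
    ks=$1
    ensure_owner "$ks" unifi wheel || return 1
    if [ -f "${ks}_original" ]; then
        ensure_owner "${ks}_original" unifi wheel || return 1
    fi
    service unifi restart
}
```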
I've submitted a bug report and a suggested fix here: https://github.com/opnsense/plugins/issues/4417
It appears the fix (https://github.com/acmesh-official/acme.sh) is now included in acme.sh 3.1.1
I don't think I understand how to create a PR to have this version included in the next opnsense.
The software versions for the acme plugin listed here (https://github.com/opnsense/plugins/tree/master/security/acme-client) are different, hence I think I'm missing something. Is there another way to ask for this version bump?