Updating certs requires file write permissions for edge-router/nginx

Hi

We were trying to update one of our certs which is expiring. Here are the steps we followed.

1. Created a new keystore with renewed cert.

2. Created a keystore reference to use in virtualhost

3. Updated the virtualhost to use new keystore reference.

After this we don't see the new cert updated on router. When we checked the edge-router system logs, we saw this error

2018-02-07 15:52:15,270 Apigee-Main-5 ERROR LB-SYNC - FileWriter.write() : Reason java.io.FileNotFoundException: /opt/nginx/conf.d/{certfile} (Permission denied)

Edge-router is running with apigee user and all the files under /opt/nginx are also owned by apigee user. But the cert file had 400 permissions. so apigee user was not able to open the cert file with write permissions to update its content. We changed the file permissions to 600 and then did the step 3 once again. Now the cert file got updated without errors and we can see the renewed cert on router.

So whenever we want to update a cert, should we give write permission to respective cert so it can update itself? Is there a way the update api call can give write permission to cert file or force write the contents without any manual intervention?


michaelveit
Participant III

We are running into the very same issue, using 4.19.01.00.

Due to a heavy, globally distributed infrastructure with manual setup of 48 servers over 9 data centers in 5 network zones, we cannot easily update to a newer Apigee version.

Not applicable

You can use Ansible and do this. Apigee update is zero down time. You can do activities in each system at a time.

Did we run into an issue, which is fixed in a newer Apigee version?

Is there any out-of-the-box workaround for 4.19.01.00?

I know, we could do our own engineering, installing a cron job, which updates all file permissions in that folder e.g. every 10 minutes...

I went through all release notes of all subsequent Apigee versions, but did not find any hint regarding such a bugfix.

Diving into implementation details (should usually not be required!) of edge-router, I found a location where to address this issue:

/opt/apigee/edge-router/token/default.properties

##
# Pattern for nginx custom headers
##
conf_load_balancing_load.balancing.driver.nginx.key.permissions=400

Hence I am trying to fix the Apigee bug myself, keeping track of the fact that we need to modify Apigee files manually once we upgrade to a newer Apigee version:

  • Add a new property for all R/MP nodes
  • Restart edge-router, which will re-create all existing cert files with correct permissions

Do this for all >50 R/MP instances across all locations / stages / test environments...

How to run the update properly, using the customer folder for customized config:

# Add new customer config with permission 640. Append to existing or create missing file. Ensure to have r/w access
echo '' >> /opt/apigee/customer/application/router.properties
echo '# Enable VHost webserver cert update on-the-fly' >> /opt/apigee/customer/application/router.properties
echo 'conf_load_balancing_load.balancing.driver.nginx.key.permissions=640' >> /opt/apigee/customer/application/router.properties
chmod 640 /opt/apigee/customer/application/router.properties
 
# Restart edge-router. This will remove all certificates and write them again, having latest cert and correct file permissions.
apigee-service edge-router restart
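An added example, not from the thread: a POSIX shell helper that sets the property above without duplicating it on repeated runs (the `echo >>` approach adds a second line each time it is re-run, e.g. from configuration management), plus a check that counts cert files still lacking the expected mode after the router restart. It assumes the same customer router.properties path and property key quoted above; the cert directory and mode are parameters.

```shell
# Added example (not from the thread). Idempotently set the nginx key-permission
# property in the customer router.properties and audit the cert directory.

# set_router_property FILE KEY VALUE
# Replaces an existing "KEY=..." line or appends one, so repeated runs
# never leave duplicate property lines in the file.
set_router_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    # Escape the dots in the property key so grep/sed match them literally
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    if grep -q "^${esc}=" "$file"; then
        # Write via a temp file: GNU and BSD sed disagree on the -i flag
        sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
    # Same mode the thread uses for the customer config file
    chmod 640 "$file"
}

# count_files_not_mode DIR MODE
# Prints how many regular files directly in DIR do not have exactly the
# given octal mode; a non-zero result after the restart means some cert
# files were not rewritten with the configured permissions.
count_files_not_mode() {
    dir=$1; mode=$2
    find "$dir" -maxdepth 1 -type f ! -perm "$mode" | wc -l | tr -d ' '
}

# Usage on a router node (paths from the thread):
# set_router_property /opt/apigee/customer/application/router.properties \
#     conf_load_balancing_load.balancing.driver.nginx.key.permissions 640
# apigee-service edge-router restart
# count_files_not_mode /opt/nginx/conf.d 640
```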