Update Socket.IO deployment documentation to include SSL certificate permissions setup
This commit revises the deployment documentation for the Socket.IO backend, adding a new section on setting SSL certificate permissions. It introduces a script to manage certificate access for the Node.js process, ensuring proper functionality of the HTTPS server on port 3051. The order of sections has also been adjusted for clarity, enhancing the overall deployment guidance.
65
backend/scripts/fixCertPermissions.sh
Normal file
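--- /dev/null
+++ b/backend/scripts/fixCertPermissions.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Skript zum Fixen der SSL-Zertifikat-Berechtigungen für Node.js
+
+CERT_DIR="/etc/letsencrypt/live/tt-tagebuch.de"
+CERT_GROUP="ssl-cert" # Standard-Gruppe für SSL-Zertifikate
+
+# Prüfe, ob Zertifikate existieren
+if [ ! -d "$CERT_DIR" ]; then
+echo "❌ Zertifikat-Verzeichnis nicht gefunden: $CERT_DIR"
+exit 1
+fi
+
+# Prüfe, ob ssl-cert-Gruppe existiert
+if ! getent group "$CERT_GROUP" > /dev/null 2>&1; then
+echo "⚠️ Gruppe '$CERT_GROUP' existiert nicht. Erstelle sie..."
+sudo groupadd "$CERT_GROUP"
+fi
+
+# Prüfe, welcher Benutzer den systemd-Service ausführt
+SERVICE_USER=$(systemctl show -p User tt-tagebuch.service 2>/dev/null | cut -d= -f2)
+
+if [ -z "$SERVICE_USER" ]; then
+echo "⚠️ Konnte Service-Benutzer nicht ermitteln. Verwende 'www-data' als Standard."
+SERVICE_USER="www-data"
+fi
+
+echo "🔧 Konfiguriere SSL-Zertifikat-Berechtigungen..."
+echo " Service-Benutzer: $SERVICE_USER"
+echo " Zertifikat-Verzeichnis: $CERT_DIR"
+
+# Füge Service-Benutzer zur ssl-cert-Gruppe hinzu
+sudo usermod -a -G "$CERT_GROUP" "$SERVICE_USER"
+
+# Setze Gruppen-Berechtigungen für Zertifikate
+echo "📜 Setze Berechtigungen für Zertifikate..."
+
+# Setze Gruppe für das Verzeichnis
+sudo chgrp -R "$CERT_GROUP" "$CERT_DIR"
+
+# Setze Berechtigungen: Owner (root) kann lesen/schreiben, Gruppe kann lesen
+sudo chmod 640 "$CERT_DIR/privkey.pem"
+sudo chmod 644 "$CERT_DIR/fullchain.pem"
+sudo chmod 644 "$CERT_DIR/cert.pem"
+sudo chmod 644 "$CERT_DIR/chain.pem"
+
+# Setze auch für das archive-Verzeichnis (wo die Symlinks hinzeigen)
+ARCHIVE_DIR="/etc/letsencrypt/archive/tt-tagebuch.de"
+if [ -d "$ARCHIVE_DIR" ]; then
+sudo chgrp -R "$CERT_GROUP" "$ARCHIVE_DIR"
+sudo chmod 640 "$ARCHIVE_DIR/privkey*.pem"
+sudo chmod 644 "$ARCHIVE_DIR/fullchain*.pem"
+sudo chmod 644 "$ARCHIVE_DIR/cert*.pem"
+sudo chmod 644 "$ARCHIVE_DIR/chain*.pem"
+fi
+
+echo "✅ Berechtigungen gesetzt!"
+echo ""
+echo "⚠️ WICHTIG: Der Service muss neu gestartet werden, damit die Gruppenänderung wirksam wird:"
+echo " sudo systemctl restart tt-tagebuch"
+echo ""
+echo "📋 Prüfe Berechtigungen:"
+ls -la "$CERT_DIR/privkey.pem"
+ls -la "$CERT_DIR/fullchain.pem"
+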
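Review bot: The archive-directory permission lines quote the glob — `sudo chmod 640 "$ARCHIVE_DIR/privkey*.pem"` and the three 644 lines after it — so `*` is never expanded and chmod looks for a file literally named `privkey*.pem` and fails, leaving the real `privkey1.pem`, `privkey2.pem`, … untouched; the glob has to sit outside the quotes, `sudo chmod 640 "$ARCHIVE_DIR"/privkey*.pem`, and the same change applies to the fullchain/cert/chain lines. Changing the group of the two leaf directories is also only half the job: if the parents `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` are root-only (certbot creates them 0700 on many installs), the service user still cannot traverse to the files no matter what the leaves say, so the script should check those parents and grant group execute on them, or document that step. `systemctl show -p User` prints an empty value when the unit simply has no `User=` line, which means the service runs as root and needs no group change at all, so the www-data fallback in that branch can silently grant an unrelated account read access to the private key — abort with a message instead, or accept the user as an explicit argument. Since certbot writes a fresh `privkeyN.pem` on each renewal, whether these modes survive depends on the certbot version, so the deployment docs should point operators at running this as a renewal deploy hook (a file under `/etc/letsencrypt/renewal-hooks/deploy/`) rather than as a one-off. The script also lacks `set -euo pipefail`, so a failed `usermod` or `chgrp` is still followed by the trailing "✅ Berechtigungen gesetzt!" line.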