Tectonic Installer: How come client certificates are not chowned to etcd?


Arve Knudsen

Jul 21, 2017, 3:09:38 AM7/21/17
to CoreOS Dev
I'm porting Tectonic Installer to DigitalOcean, and one issue I discovered just now is that the etcd-member service fails because /etc/ssl/etcd/client.crt is unreadable due to being only readable by the root user. The reason is that the Terraform configuration only chowns peer.* and server.* in that directory to etcd. I modeled this after the AWS implementation of Tectonic Installer.

My question is, why does Tectonic Installer for AWS not chown client certificates to etcd? I found out that for the etcd-member service to work on DigitalOcean at least, the client certificates must also be readable by the etcd user.

Thanks,
Arve

sergiusz...@coreos.com

Jul 21, 2017, 4:51:54 AM7/21/17
to CoreOS Dev
Hi,

Thanks for trying things out on DigitalOcean! :-) I think we have already been in contact over there.

Regarding your question: The peer.* and server.* certificates are only consumed by the etcd systemd service which runs as the etcd user (UID 232), whereas the client.* certs are only consumed by the locksmithd systemd service which runs as root.
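The ownership split described in the reply (peer.* and server.* read by etcd-member as the etcd user, UID 232; client.* read by locksmithd as root) can be turned into a per-node check that runs after Terraform has provisioned /etc/ssl/etcd. The script below is an added example, not code from this thread or from Tectonic Installer. It assumes GNU coreutils (stat -c) as found on Container Linux; the ETCD_UID variable, the function names and the policy table are my own, and root is treated as able to read any file regardless of mode bits, which is why client.* never needs to be chowned for locksmithd. Only owner and "other" permission bits are consulted; group membership and POSIX ACLs are deliberately ignored so the check errs on the side of reporting a file as unreadable.

```sh
#!/bin/sh
# Added example (not from the thread or from Tectonic Installer): verify that
# every certificate under an etcd TLS directory is readable by the service
# that consumes it, using the split described in the reply above:
#   peer.* and server.*  -> etcd-member.service, running as etcd (UID 232)
#   client.*             -> locksmithd.service, running as root (UID 0)
# Assumes GNU coreutils (stat -c), as on Container Linux. Only owner/other
# mode bits are consulted; group membership and POSIX ACLs are ignored, so
# the check is conservative. ETCD_UID is an assumed knob, overridable for
# layouts where etcd runs under another UID.

ETCD_UID="${ETCD_UID:-232}"
ROOT_UID=0

# Map a file name to the UID that must be able to read it. Files the policy
# does not cover (ca.crt and so on) return 1 and are skipped by the caller.
expected_uid_for() {
  case "$(basename "$1")" in
    peer.*|server.*) echo "$ETCD_UID" ;;
    client.*)        echo "$ROOT_UID" ;;
    *)               return 1 ;;
  esac
}

# file_readable_by_uid PATH UID: 0 if UID can read PATH, 1 if not,
# 2 if the file cannot be stat'ed.
file_readable_by_uid() {
  path="$1"; uid="$2"
  [ "$uid" -eq 0 ] && return 0            # root bypasses DAC mode bits
  owner="$(stat -c '%u' "$path")" || return 2
  mode="$(stat -c '%a' "$path")" || return 2
  perm="$(printf '%03d' "$mode")"          # zero-pad, e.g. "0" -> "000"
  perm="${perm#"${perm%???}"}"             # keep the last three octal digits
  owner_digit="${perm%??}"
  other_digit="${perm#??}"
  [ "$owner" -eq "$uid" ] && [ $((owner_digit & 4)) -ne 0 ] && return 0
  [ $((other_digit & 4)) -ne 0 ] && return 0
  return 1
}

# check_etcd_cert_dir DIR: print one line per file its consumer cannot read;
# exit status 0 when everything covered by the policy is readable, 1 otherwise.
check_etcd_cert_dir() {
  dir="$1"; rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    uid="$(expected_uid_for "$f")" || continue
    if ! file_readable_by_uid "$f" "$uid"; then
      printf '%s: not readable by uid %s (owner %s, mode %s)\n' \
        "$f" "$uid" "$(stat -c '%u' "$f")" "$(stat -c '%a' "$f")"
      rc=1
    fi
  done
  return $rc
}
```

Run it on a node as `check_etcd_cert_dir /etc/ssl/etcd` (source the file first, or append that call to it). A non-zero exit with a line such as `/etc/ssl/etcd/peer.crt: not readable by uid 232 (owner 0, mode 600)` is exactly the symptom from the first message: the Terraform chown for that file is missing, while a root-owned 0600 client.crt passes because its only consumer in this layout is root. If etcd-member on a given platform does read client.*, the policy table is the one place to change.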