Hi, Thanks for trying things out on DigitalOcean! :-) I think we have already been in contact over there.

Regarding your question: The peer.* and server.* certificates are only consumed by the etcd systemd service which runs as the etcd user (UID 232), whereas the client.* certs are only consumed by the locksmithd systemd service which runs as root.

On Friday, July 21, 2017 at 9:09:38 AM UTC+2, Arve Knudsen wrote:
>
> I'm porting Tectonic Installer to DigitalOcean, and one issue I discovered just now is that the etcd-member service fails because /etc/ssl/etcd/client.crt is unreadable due to being only readable by the root user. The reason is that the Terraform configuration only chowns peer.* and server.* in that directory to etcd. I modeled this after the AWS implementation of Tectonic Installer.
>
> My question is, why does Tectonic Installer for AWS not chown client certificates to etcd <https://github.com/coreos/tectonic-installer/commit/34db444369fbb4eb06a25f4a155147027bb0a3d6#diff-f955cb18790baeb714b182b33f01836eR51>?
>
> I found out that for the etcd-member service to work on DigitalOcean at least, the client certificates must also be readable by the etcd user.
>
> Thanks,
> Arve
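A small audit script, added here as an example and not part of the thread or of Tectonic Installer, that checks the permission model described in the reply: every peer.* and server.* file must be readable by the etcd service UID (232 on the system described), and no private key in the directory may be world-readable. It assumes GNU stat on Linux and, as a simplification, ignores group-read bits.

```shell
#!/bin/sh
# Audit an etcd certificate directory against the consumers named above.
# Assumptions: GNU coreutils stat, Linux; group-read bits are not considered.

# readable_by FILE UID -> exit 0 if UID can read FILE via the owner-read bit
# (when UID owns it) or the world-read bit; root (uid 0) can always read.
readable_by() {
    file=$1; uid=$2
    [ "$uid" -eq 0 ] && return 0
    owner=$(stat -c '%u' "$file")
    perms=$(stat -c '%A' "$file")           # e.g. -rw-r-----
    if [ "$owner" -eq "$uid" ] && [ "$(printf '%s' "$perms" | cut -c2)" = r ]; then
        return 0
    fi
    [ "$(printf '%s' "$perms" | cut -c8)" = r ]
}

# audit_etcd_certs DIR ETCD_UID -> exit 0 when every peer.* and server.* file
# is readable by the etcd service user and no *.key file is world-readable
# (client.* is read by locksmithd as root, so it needs no wider permissions).
audit_etcd_certs() {
    dir=$1; etcd_uid=$2; rc=0
    for f in "$dir"/peer.* "$dir"/server.*; do
        [ -e "$f" ] || continue
        if ! readable_by "$f" "$etcd_uid"; then
            echo "FAIL: $f is not readable by uid $etcd_uid (etcd-member)" >&2
            rc=1
        fi
    done
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        if [ "$(stat -c '%A' "$f" | cut -c8)" = r ]; then
            echo "FAIL: private key $f is world-readable" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Run it as `audit_etcd_certs /etc/ssl/etcd 232` on a Container Linux host; a non-zero exit lists the files whose ownership or mode does not match the intended consumer.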
