In my setup client.pem was owned by user and group root, so adding g+r didn't help; the daemons still couldn't read it. So probably it'll also be necessary to change the user/group of the certificate file to "gnt-daemons" or something like that. (And I'm not sure if this won't be some kind of a security issue.)
On Thu, Feb 20, 2014 at 2:00 PM, Helga Velroyen <[email protected]> wrote: > This patch sets the permissions of the client SSL > certificate to 440 (instead of 400), because otherwise > the master daemon cannot read it in split-user-mode > and thus cannot make RPC calls. The permissions are then > the same as for the server certificate. > > Signed-off-by: Helga Velroyen <[email protected]> > --- > lib/utils/x509.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/utils/x509.py b/lib/utils/x509.py > index a20162e..2437017 100644 > --- a/lib/utils/x509.py > +++ b/lib/utils/x509.py > @@ -307,7 +307,7 @@ def GenerateSelfSignedSslCert(filename, serial_no, > (key_pem, cert_pem) = GenerateSelfSignedX509Cert( > common_name, validity * 24 * 60 * 60, serial_no) > > - utils_io.WriteFile(filename, mode=0400, data=key_pem + cert_pem) > + utils_io.WriteFile(filename, mode=0440, data=key_pem + cert_pem) > return (key_pem, cert_pem) > > > -- > 1.9.0.rc1.175.g0b1dcb5 > >
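Review bot: The changed WriteFile call in GenerateSelfSignedSslCert writes key_pem + cert_pem, so mode=0440 makes the private key group-readable, yet the call sets no owner or group for the file. Group read only helps the master daemon if the file's group is one the daemon belongs to, and it opens the key to every member of that group. Suggest setting the intended group explicitly where the file is written, keeping that group limited to the daemons that need the key, and stating in the commit message that this file carries the private key and not only the certificate.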
