Make sure the rootCA file can be read by others.
It has to grant others read permission, otherwise the websocket operator cannot
start correctly.
Bug: 219816461
Test: acloud-dev create
Change-Id: Ie0b28bf69b5ee718be0f6cc8ad3e4e46c3b60f5c
diff --git a/setup/mkcert.py b/setup/mkcert.py
index ded7556..cc8065c 100644
--- a/setup/mkcert.py
+++ b/setup/mkcert.py
@@ -22,6 +22,7 @@
import os
import platform
import shutil
+import stat
from acloud.internal import constants
from acloud.internal.lib import utils
@@ -90,6 +91,9 @@
UnInstall()
utils.Popen(_CA_CMD, shell=True)
+ # The rootCA.pem file should grant READ permission to others.
+ if not os.stat(_CA_CRT_PATH).st_mode & stat.S_IROTH:
+ os.chmod(_CA_CRT_PATH, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
utils.Popen(_TRUST_CA_COPY_CMD, shell=True)
utils.Popen(_UPDATE_TRUST_CA_CMD, shell=True)
utils.Popen(_TRUST_CHROME_CMD, shell=True)
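Review bot: The added `os.chmod` replaces the whole mode with a fixed 0644 instead of adding the one bit the check found missing, so any other permission bits mkcert set on the file are silently dropped; `os.chmod(_CA_CRT_PATH, os.stat(_CA_CRT_PATH).st_mode | stat.S_IROTH)` widens only what is needed and keeps the rest as created. The stat/chmod pair also assumes `_CA_CMD` succeeded and produced `_CA_CRT_PATH`; if `utils.Popen` does not raise on a non-zero exit (not visible here), `os.stat` raises a bare FileNotFoundError with no hint that certificate generation failed. Since this deliberately makes a CA artifact world-readable, a comment making the scope explicit would help the next maintainer, e.g. `# _CA_CRT_PATH is the public certificate only; never widen the CA private key's mode.` The enclosing function starts and ends outside the hunk.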
@@ -130,6 +134,9 @@
logger.debug("Root SSL Certificate: %s, does not exist",
cert_file_name)
return False
+ # TODO: this check can be delete when the mkcert mechanism is stable.
+ if not os.stat(_TRUST_CA_PATH).st_mode & stat.S_IROTH:
+ return False
if not filecmp.cmp(_CA_CRT_PATH, _TRUST_CA_PATH):
logger.debug("The trusted CA %s file is not the same with %s ",