[GH-ISSUE #3878] Permission error on a not related certificate when migrating from 2.6.2 to 2.6.3 #1925

Closed
opened 2026-02-27 11:19:55 +03:00 by kerem · 4 comments
Owner

Originally created by @olaf7 on GitHub (Jan 12, 2026).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/3878

I am upgrading Modoboa 2.6.0 to 2.6.5 on Debian Trixie with a virtual environment. It is a manual installation.
Upgrading went fine until 2.6.2.
When upgrading to 2.6.3 the command

```shell
> python manage.py migrate
```

gave a permission error:

```
(env) modoboa@f1:~/env/instance$ python manage.py migrate
Traceback (most recent call last):
  File "/srv/modoboa/env/instance/manage.py", line 22, in <module>
    execute_from_command_line(sys.argv)
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
    ~~~~~~~~~~~~~~~^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/django/core/management/__init__.py", line 416, in execute
    django.setup()
    ~~~~~~~~~~~~^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/django/apps/registry.py", line 124, in populate
    app_config.ready()
    ~~~~~~~~~~~~~~~~^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/modoboa/contacts/apps.py", line 13, in ready
    load_settings()
    ~~~~~~~~~~~~~^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/modoboa/contacts/app_settings.py", line 46, in load_settings
    from modoboa.contacts import serializers
  File "/srv/modoboa/env/lib/python3.13/site-packages/modoboa/contacts/serializers.py", line 9, in <module>
    from . import tasks
  File "/srv/modoboa/env/lib/python3.13/site-packages/modoboa/contacts/tasks.py", line 5, in <module>
    from .lib import carddav
  File "/srv/modoboa/env/lib/python3.13/site-packages/modoboa/contacts/lib/carddav.py", line 32, in <module>
    from caldav import elements
  File "/srv/modoboa/env/lib/python3.13/site-packages/caldav/__init__.py", line 13, in <module>
    from .davclient import DAVClient
  File "/srv/modoboa/env/lib/python3.13/site-packages/caldav/davclient.py", line 19, in <module>
    import niquests as requests
  File "/srv/modoboa/env/lib/python3.13/site-packages/niquests/__init__.py", line 76, in <module>
    from .api import delete, get, head, options, patch, post, put, request
  File "/srv/modoboa/env/lib/python3.13/site-packages/niquests/api.py", line 15, in <module>
    from . import sessions
  File "/srv/modoboa/env/lib/python3.13/site-packages/niquests/sessions.py", line 24, in <module>
    from ._constant import (
    ...<4 lines>...
    )
  File "/srv/modoboa/env/lib/python3.13/site-packages/niquests/_constant.py", line 17, in <module>
    DEFAULT_CA_BUNDLE: str = wassima.generate_ca_bundle()
                             ~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/wassima/__init__.py", line 59, in generate_ca_bundle
    return "\n\n".join(root_pem_certificates())
                       ~~~~~~~~~~~~~~~~~~~~~^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/wassima/__init__.py", line 48, in root_pem_certificates
    for bin_cert in root_der_certificates():
                    ~~~~~~~~~~~~~~~~~~~~~^^
  File "/srv/modoboa/env/lib/python3.13/site-packages/wassima/__init__.py", line 30, in root_der_certificates
    certificates = _root_der_certificates()
  File "/srv/modoboa/env/lib/python3.13/site-packages/wassima/_os/_linux.py", line 51, in root_der_certificates
    if not filepath.is_file():  # Skip directories
           ~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/pathlib/_abc.py", line 482, in is_file
    return S_ISREG(self.stat(follow_symlinks=follow_symlinks).st_mode)
                   ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/pathlib/_local.py", line 517, in stat
    return os.stat(self, follow_symlinks=follow_symlinks)
           ~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/usr/local/share/ca-certificates/auth.jitsi.example.net.crt'
```

Modoboa should stay away from files which it has no relevance on.
My Modoboa server runs on a server with other software installed on it as well. This interaction is not desired. The subdomain in the certificate name is not registered with Modoboa, nor is the file.


@tonioo commented on GitHub (Jan 13, 2026):

@olaf7 This error is not raised by Modoboa but by a dependency => niquests and wassima.
Wassima is a package to access the local certificate store, and it is probably used by niquests to do certificate validation and verification.
I'm pretty sure you should allow read access on certificates that are located in your server store.


@olaf7 commented on GitHub (Jan 13, 2026):

We can have a debate on security (settings) and requirements of various software components and the complications that get introduced by them. Regardless, the issue remains: a file gets accessed which should not have been accessed, as it has nothing to do with Modoboa. This prevents a successful migration. Changing permissions in a more or less secure way will be a struggle, as I experienced before. This should not be needed when only relevant files would be accessed.
How can we fix this without making all certificates world readable?


@tonioo commented on GitHub (Jan 14, 2026):

Here is the function generating this issue: https://github.com/jawah/wassima/blob/main/src/wassima/__init__.py#L54.
I'm afraid there is no other way to fix this one than replacing the dependency and honestly, good luck finding one that is maintained.

Anyway, I don't see why it is a security issue to make public certificates readable by everyone...


@olaf7 commented on GitHub (Jan 19, 2026):

Thank you. After checking the code I see it recursively links PEM certs. Why this is needed for Modoboa is not clear to me. I still think software should not try to handle files it does not need. The library also does a bad job, by reporting a permission error on, in my case, a dangling symlink.
I fixed my instance and am no longer bothered by this error. And as it is a third-party library and not part of Modoboa, I suggest closing this issue.
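
Added example, not part of the thread and not wassima's or Modoboa's code: a diagnostic that walks a certificate directory and lists the entries whose `stat()` fails for the current user (dangling symlinks, links into directories the account cannot traverse), which is the call that raised in the traceback above. The function names and the demo tree are constructed for illustration.

```python
import errno
import os
import sys
import tempfile
from pathlib import Path


def audit_ca_dir(root):
    """Return (path, problem) pairs for entries that would break a store scan."""
    findings = []

    def on_error(exc):  # directory that cannot be listed
        findings.append((str(exc.filename), "directory not listable"))

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in sorted(files):
            path = Path(dirpath) / name
            try:
                path.stat()  # follows symlinks, as Path.is_file() does
            except OSError as exc:
                code = errno.errorcode.get(exc.errno, str(exc.errno))
                if os.path.islink(path):
                    what = f"symlink -> {os.readlink(path)}"
                else:
                    what = "file"
                findings.append((str(path), f"{what}: stat failed ({code})"))
                continue
            if not os.access(path, os.R_OK):
                findings.append((str(path), "not readable by this user"))
    return findings


def demo():
    """Constructed tree: one regular file and one dangling symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "ca-certificates"
        store.mkdir()
        (store / "good-ca.crt").write_text("constructed placeholder\n")
        (store / "auth.example.crt").symlink_to(Path(tmp) / "gone" / "cert.pem")
        return [(Path(p).name, why) for p, why in audit_ca_dir(store)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_ca_dir(target) if target else demo()
    for entry, problem in results:
        print(f"{entry}: {problem}")
```

Run it as the account the application runs as, passing the store directory as the argument; results differ per user because the failure depends on that account's permissions along each symlink target's path.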
