Certs permission #120

Closed
opened 2025-12-29 00:25:12 +01:00 by adam · 5 comments

Originally created by @mauron85 on GitHub (Jun 29, 2016).

Hi, firstly thanks for this amazing work.

I have a question/suggestion related to cert permissions. I see that the certs folder, the domain subfolders and all keys and certs have very restrictive permissions. Basically only the owner can access keys and certs. How do you set up your nginx then? If the nginx daemon has no access to certs owned by the letsencrypt user?

adam closed this issue 2025-12-29 00:25:14 +01:00

@lukas2511 commented on GitHub (Jun 29, 2016):

Normally nginx's master process is running with root privileges and is able to bind to privileged ports (<1024) and load certificates; only workers are running with the user specified in the nginx config, and those don't need (and should never have) direct access to certificate files.

If you are running a setup where nginx is never started as root, I suggest creating a special group for cert access or setting up a hook script to set permissions.


@eNBeWe commented on GitHub (Aug 15, 2016):

I am currently trying to use the script with the prosody xmpp server. This server is never run as root so I need to give more access to the certificate.
I wanted to go with the "create a special group for cert-access" approach. I created the group and chgrped the cert dir and all files to the new group.
I then added the setgid bit to the directory to inherit the group to new files.
Due to umask 077 new files are still not readable by the group.
Could you maybe change the umask to 037? (I did that on my end but want to avoid having unclean changes)
For default setups it should be no more insecure as the directory is owned by something like root:root or letsencrypt:letsencrypt, right?


@seefood commented on GitHub (Aug 15, 2016):

This is what hooks are for. Have a look at the examples.


@grinapo commented on GitHub (Sep 6, 2018):

It's a bit convoluted to actually change the permissions (cutting dirpath and filenames and inserting timestamp), and it's a bit simpler if you intend to actually copy the files (and replace the symlink) and change the perms later.


@mckaygerhard commented on GitHub (Jul 10, 2022):

For all here: each one must create a hook (bash script) to do the move/copy to the prosody certs directory, as it MUST BE, and not try to involve the dehydrated process in something like that!

Currently dehydrated puts normal names for the last valid certs on each domain; when you perform those operations you must use the "follow symlinks" mode of the copy command, and later change the owner.

This means that changing permissions is not enough; for example, courier needs exclusive access and will exit if the owner is not courier, so if dehydrated sets the owner or permissions it will not be enough.
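
The hook approach suggested in this thread (copy the files with symlinks followed, then set owner and mode), as an added example that is not part of the original comments or of dehydrated itself. `DEST_DIR`, `DEST_OWNER`, `DEST_GROUP`, `KEY_MODE` and the `<domain>.key`/`<domain>.crt` naming are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the dehydrated project): hook that publishes renewed
# certs into a directory owned by the consuming service.
# DEST_DIR, DEST_OWNER, DEST_GROUP and KEY_MODE are hypothetical settings.
set -eu

DEST_DIR="${DEST_DIR:-/etc/prosody/certs}"  # assumed target directory
DEST_OWNER="${DEST_OWNER:-}"                # e.g. prosody; empty = keep current owner
DEST_GROUP="${DEST_GROUP:-}"                # e.g. a cert-access group; empty = keep
KEY_MODE="${KEY_MODE:-0640}"                # use 0600 if the owner alone reads the key

# publish SRC DST MODE: copy SRC (dereferencing symlinks) to DST.
# The copy is staged in a temp file that mktemp creates with mode 0600, so the
# key is never world-readable, then renamed into place so the service never
# sees a partially written file.
publish() {
    tmp=$(mktemp "$2.XXXXXX")
    cp -L -- "$1" "$tmp" || { rm -f -- "$tmp"; return 1; }
    if [ -n "$DEST_OWNER" ]; then chown "$DEST_OWNER" "$tmp"; fi
    if [ -n "$DEST_GROUP" ]; then chgrp "$DEST_GROUP" "$tmp"; fi
    chmod "$3" "$tmp"
    mv -f -- "$tmp" "$2"
}

# dehydrated calls the hook as:
#   deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# KEYFILE and FULLCHAINFILE are the stable symlink names, hence cp -L above.
deploy_cert() {
    mkdir -p "$DEST_DIR"
    # <domain>.key / <domain>.crt naming is an assumption; match your service.
    publish "$2" "$DEST_DIR/$1.key" "$KEY_MODE"
    publish "$4" "$DEST_DIR/$1.crt" 0644
}

# Dispatch on the handler name; all other hook events are ignored.
case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
esac
```

Pass the script to dehydrated with `--hook`; changing the owner requires running as a user permitted to chown to the service account.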


Reference: starred/dehydrated#120