Access mode of privkey.pem

Greetings, colleagues!

I ask for help in solving a problem that causes me noticeable inconvenience.

Each time a certificate is received, the access mode of the privkey.pem file is 0644, whereas the access mode must be 0600.

As a result, firstly, any user can copy this key, and secondly, most programs refuse to accept a key with this access mode and stop working.

After receiving the certificate, I have to set the correct access mode on the file manually. This is inconvenient.

Can I force certbot to set the correct access mode for the privkey.pem file automatically?

Thanks in advance for the answer to the question,
Ogogon.

Certbot’s /etc/letsencrypt/archive/ and /etc/letsencrypt/live/ (and /etc/letsencrypt/keys/) directories are all 0700, so the loose permissions on the files underneath do not compromise security. It’s weird, but harmless.

If you want to adjust the permissions, you could put chmod in a deploy hook, but the files would still momentarily have the default permissions.

There’s an issue open about changing the default permissions, but it’s not a priority.

2 Likes
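As an added example (not code from this thread or from the certbot project), here is a deploy hook of the kind described above. Certbot exports RENEWED_LINEAGE (the live/ directory of the lineage that was just renewed) to deploy hooks; the script resolves live/privkey.pem to the real file under archive/ and sets that file to 0600, so a program that inspects the key file's mode sees 0600. The script name and its installation path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): a certbot deploy hook
# that tightens the mode of the freshly written private key. Certbot runs
# deploy hooks once per renewed lineage and exports RENEWED_LINEAGE, e.g.
# /usr/local/etc/letsencrypt/live/ogogon.org (plus RENEWED_DOMAINS).
set -eu

# Symbolic mode of a path as shown by ls, e.g. "-rw-------". ls is used
# rather than stat because stat's flags differ between FreeBSD and GNU.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Resolve live/privkey.pem to the real file under archive/ and chmod 0600 it.
# chmod on the symlink itself would be pointless: the mode that programs
# check is the one on the archive file the link points to.
tighten_privkey() {
    lineage="$1"
    link="$lineage/privkey.pem"
    if [ ! -e "$link" ]; then
        echo "no privkey.pem in $lineage" >&2
        return 1
    fi
    # readlink -f exists on both FreeBSD and GNU coreutils.
    target=$(readlink -f "$link")
    chmod 0600 "$target"
    # Report the resulting mode so the caller can verify it.
    mode_of "$target"
}

# Certbot sets RENEWED_LINEAGE when it runs the hook; otherwise do nothing,
# so the file can be sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    tighten_privkey "$RENEWED_LINEAGE"
fi
```

Saved executable as, for instance, /usr/local/etc/letsencrypt/renewal-hooks/deploy/privkey-mode.sh (assumed name; certbot runs every script in the renewal-hooks/deploy directory after a successful renewal), or passed with --deploy-hook, it runs only when a certificate actually changes. As the reply notes, the new archive file still carries 0644 between being written and the hook running; the 0700 mode on archive/ is what keeps that window harmless.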

Certbot’s /etc/letsencrypt/archive/ and /etc/letsencrypt/live/ (and /etc/letsencrypt/keys/) directories are all 0700, so the loose permissions on the files underneath do not compromise security. It’s weird, but harmless.

I believe that this does not apply to my case.
I use certbot on the FreeBSD platform. It is installed in the usual way.

ogogon@server:/usr/local/etc/letsencrypt/archive/ogogon.org# uname -v
FreeBSD 10.4-RELEASE #0 r324094: Fri Sep 29 01:45:44 UTC 2017     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC 
ogogon@server:/usr/local/etc/letsencrypt/archive/ogogon.org# pkg info py27-certbot
py27-certbot-0.22.0,1
Name           : py27-certbot
Version        : 0.22.0,1
Installed on   : Fri Mar  9 23:30:21 2018 MSK
Origin         : security/py-certbot
Architecture   : FreeBSD:10:*
Prefix         : /usr/local
Categories     : security python
Licenses       : APACHE20
Maintainer     : python@FreeBSD.org
WWW            : https://github.com/certbot/certbot
Comment        : Let's Encrypt client
Annotations    :
	flavor         : py27
Flat size      : 3.06MiB
Description    :
In short: getting and installing SSL/TLS certificates made easy.

Certbot is a tool to automatically receive and install
X.509 certificates to enable TLS on servers. The client will
interoperate with the Let's Encrypt CA which will be issuing
browser-trusted certificates for free.

It's all automated:

The tool will prove domain control to the CA and submit a CSR
(Certificate Signing Request).

If domain control has been proven, a certificate will get issued and
the tool will automatically install it.

WWW: https://github.com/certbot/certbot

ogogon@server:/usr/local/etc/letsencrypt/archive/ogogon.org# 

I did not change any default settings in it.

The first time a certificate was received, this is what the /usr/local/etc/letsencrypt/archive/ogogon.org directory looked like:
total 24
drwxr-xr-x 2 root wheel 512 10 янв 05:09 .
drwx------ 3 root wheel 512 10 янв 05:09 ..
-rw-r--r-- 1 root wheel 2041 10 янв 04:03 cert1.pem
-rw-r--r-- 1 root wheel 1647 10 янв 04:03 chain1.pem
-rw-r--r-- 1 root wheel 3688 10 янв 04:03 fullchain1.pem
-rw-r--r-- 1 root wheel 1704 10 янв 04:03 privkey1.pem

All files had access mode 0644.

Maybe I misunderstood you, but why add this plugin if its result is immediately reset to the original value?

Is it possible to change the default access mode for the key file to 0600?
Is there really no such setting?

Ogogon.

If you "ls -l /usr/local/etc/letsencrypt/", the archive/, keys/ and live/ directories are 0700, aren't they?

There is no such setting, yet. It's not necessary.

ogogon@server:/usr/local/etc/letsencrypt/archive# ls -Ralg /usr/local/etc/letsencrypt/archive/
total 18
drwx------  3 root  wheel   3 13 апр 03:28 .
drwxr-xr-x  9 root  wheel  14  9 апр 13:36 ..
drwxr-xr-x  2 root  wheel  10  9 апр 13:36 ogogon.org

/usr/local/etc/letsencrypt/archive/ogogon.org:
total 45
drwxr-xr-x  2 root  wheel    10  9 апр 13:36 .
drwx------  3 root  wheel     3 13 апр 03:28 ..
-rw-r--r--  1 root  wheel  2041 10 янв 04:03 cert1.pem
-rw-r--r--  1 root  wheel  2451  9 апр 13:36 cert2.pem
-rw-r--r--  1 root  wheel  1647 10 янв 04:03 chain1.pem
-rw-r--r--  1 root  wheel  1647  9 апр 13:36 chain2.pem
-rw-r--r--  1 root  wheel  3688 10 янв 04:03 fullchain1.pem
-rw-r--r--  1 root  wheel  4098  9 апр 13:36 fullchain2.pem
-rw-------  1 root  wheel  1704 10 янв 04:03 privkey1.pem
-rw-------  1 root  wheel  1704  9 апр 13:36 privkey2.pem
ogogon@server:/usr/local/etc/letsencrypt/archive# 

Important: I had to set the access mode of the privkeyN.pem files manually. Initially it was the same as for all the other files in this directory!

ogogon@server:/usr/local/etc/letsencrypt# ls -Ralg /usr/local/etc/letsencrypt/keys/ /usr/local/etc/letsencrypt/live/
/usr/local/etc/letsencrypt/keys/:
total 23
drwx------  2 root  wheel     5  9 апр 13:36 .
drwxr-xr-x  9 root  wheel    14  9 апр 13:36 ..
-rw-------  1 root  wheel  1704 10 янв 04:03 0000_key-certbot.pem
-rw-------  1 root  wheel  1704  9 апр 13:29 0001_key-certbot.pem
-rw-------  1 root  wheel  1704  9 апр 13:36 0002_key-certbot.pem

/usr/local/etc/letsencrypt/live/:
total 18
drwx------  3 root  wheel   3 10 янв 04:03 .
drwxr-xr-x  9 root  wheel  14  9 апр 13:36 ..
drwxr-xr-x  2 root  wheel   7  9 апр 13:36 ogogon.org

/usr/local/etc/letsencrypt/live/ogogon.org:
total 16
drwxr-xr-x  2 root  wheel    7  9 апр 13:36 .
drwx------  3 root  wheel    3 10 янв 04:03 ..
-rw-r--r--  1 root  wheel  543 10 янв 04:03 README
lrwxr-xr-x  1 root  wheel   34  9 апр 13:36 cert.pem -> ../../archive/ogogon.org/cert2.pem
lrwxr-xr-x  1 root  wheel   35  9 апр 13:36 chain.pem -> ../../archive/ogogon.org/chain2.pem
lrwxr-xr-x  1 root  wheel   39  9 апр 13:36 fullchain.pem -> ../../archive/ogogon.org/fullchain2.pem
lrwxr-xr-x  1 root  wheel   37  9 апр 13:36 privkey.pem -> ../../archive/ogogon.org/privkey2.pem
ogogon@server:/usr/local/etc/letsencrypt# 

I think it's time to do it!

Ogogon.

As @mnordhoff points out, the 0700 mode on the /usr/local/etc/letsencrypt/{archive,keys,accounts} directories enforces root-only access to the sensitive key files.

That the files themselves are 0644 (vs 0600) is not important. That there are no restrictive permissions on the symlinks in live is also not important.

You can verify this by switching to a non-privileged user and trying to access any of the private keys; it's not possible.
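The reasoning in this reply can be checked from the mode bits alone, without switching users: a non-owner needs the x bit on every directory between the top of the tree and the key, and the r bit on the key itself, so a 0700 archive/ blocks the path whatever mode privkey1.pem has. The following script is an added example (not from this thread or from certbot) that walks that path and names the component that blocks access; the sample layout in its test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide, from mode bits only, whether a
# non-owner of class g (group) or o (others) could read a private key, taking
# every directory between TOP and the file into account.
set -eu

# Symbolic mode of a path as shown by ls, e.g. "drwx------" (portable
# between FreeBSD and GNU ls, unlike stat's flags).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# has_bit MODE CLASS BIT: true if CLASS (g or o) has BIT (r, w or x) in MODE.
# Columns 5-7 of the ls mode string are the group triplet, 8-10 the others.
has_bit() {
    case "$2$3" in
        gr) c=5 ;; gw) c=6 ;; gx) c=7 ;;
        or) c=8 ;; ow) c=9 ;; ox) c=10 ;;
        *) return 2 ;;
    esac
    [ "$(printf '%s' "$1" | cut -c"$c")" = "$3" ]
}

# can_read FILE TOP CLASS: resolve FILE (live/privkey.pem is a symlink and the
# link's own mode is irrelevant), require r on the file, then x on each
# directory from its parent up to TOP inclusive. Prints "readable" or
# "blocked by <path> (<mode>)" and exits 0 only when readable.
can_read() {
    file=$(readlink -f "$1")
    top=$(readlink -f "$2")
    cls="$3"
    m=$(mode_of "$file")
    if ! has_bit "$m" "$cls" r; then
        echo "blocked by $file ($m)"
        return 1
    fi
    d=$(dirname "$file")
    while :; do
        m=$(mode_of "$d")
        if ! has_bit "$m" "$cls" x; then
            echo "blocked by $d ($m)"
            return 1
        fi
        [ "$d" = "$top" ] && break
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    echo "readable"
}

# Usage: sh check-key-reach.sh FILE TOP [g|o], e.g. on the layout in this thread
#   sh check-key-reach.sh /usr/local/etc/letsencrypt/live/ogogon.org/privkey.pem \
#      /usr/local/etc/letsencrypt o
if [ $# -ge 2 ]; then
    can_read "$1" "$2" "${3:-o}"
fi
```

On the listing posted earlier in this thread the walk stops at /usr/local/etc/letsencrypt/archive (drwx------) for both classes, which is the point being made: the 0644 on privkey1.pem never comes into play. Note that this is a static check of classic mode bits; it does not see ACLs, and a user who is root is not subject to these bits at all.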

I might agree with this logic, but my sendmail absolutely does not want to.
Its SSL stack formally checks the key file's access mode and refuses to accept connections using a certificate configured this way.

1 Like
