I am asking for help with a problem that causes me noticeable inconvenience.
Each time the certificate is received, the mode of accessing the privkey.pem file is 0644. Meanwhile, the access mode must be 0600.
This means that, firstly, any user can copy this key, and secondly, most programs refuse to accept a key with this access mode and stop working.
After receiving the certificate, I have to set the right access mode on the file manually. This is inconvenient.
Can I force certbot to automatically set the correct access mode for the privkey.pem file?
Thankful in advance for the answer to the question,
Ogogon.
Certbot’s /etc/letsencrypt/archive/ and /etc/letsencrypt/live/ (and /etc/letsencrypt/keys/) directories are all 0700, so the loose permissions on the files underneath do not compromise security. It’s weird, but harmless.
If you want to adjust the permissions, you could put chmod in a deploy hook, but the files would still momentarily have the default permissions.
There’s an issue open about changing the default permissions, but it’s not a priority.
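The deploy-hook approach mentioned above, as an added example that is not code from the thread or from the certbot project. It assumes certbot's documented RENEWED_LINEAGE variable (the live/<name> directory of the certificate just deployed) and that live/privkey.pem is a symlink into archive/, so chmod through the link fixes the archive file; the path examples under /usr/local/etc/letsencrypt are constructed for FreeBSD.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that restricts the
# private key to its owner after every issuance or renewal. Install it as
# --deploy-hook or under /usr/local/etc/letsencrypt/renewal-hooks/deploy/.
set -eu

# Octal permission bits of a file, following symlinks; GNU stat first, BSD stat
# (FreeBSD, macOS) as fallback. Prints e.g. "600".
key_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%OLp' "$1"
}

# Succeeds only if no group/other bits are set (the check strict daemons make).
is_owner_only() {
    case "$(key_mode "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Set privkey.pem of a lineage to 0600. Argument: lineage directory; defaults to
# $RENEWED_LINEAGE, which certbot exports when running deploy hooks.
tighten_privkey() {
    lineage="${1:-${RENEWED_LINEAGE:?RENEWED_LINEAGE not set}}"
    key="$lineage/privkey.pem"
    if [ ! -e "$key" ]; then
        echo "no private key at $key" >&2
        return 1
    fi
    chmod 0600 "$key"          # follows the live -> archive symlink
    is_owner_only "$key"       # report failure if the mode did not take effect
}
```

Because the key is written with the default mode before the hook runs, this closes the window for daemons that inspect the file mode but does not change what certbot itself writes.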
Certbot’s /etc/letsencrypt/archive/ and /etc/letsencrypt/live/ (and /etc/letsencrypt/keys/) directories are all 0700, so the loose permissions on the files underneath do not compromise security. It’s weird, but harmless.
I believe that this does not apply to my case.
I use certbot on the FreeBSD platform. It is installed in the regular way.
ogogon@server:/usr/local/etc/letsencrypt/archive/ogogon.org# uname -v
FreeBSD 10.4-RELEASE #0 r324094: Fri Sep 29 01:45:44 UTC 2017 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
ogogon@server:/usr/local/etc/letsencrypt/archive/ogogon.org# pkg info py27-certbot
py27-certbot-0.22.0,1
Name : py27-certbot
Version : 0.22.0,1
Installed on : Fri Mar 9 23:30:21 2018 MSK
Origin : security/py-certbot
Architecture : FreeBSD:10:*
Prefix : /usr/local
Categories : security python
Licenses : APACHE20
Maintainer : python@FreeBSD.org
WWW : https://github.com/certbot/certbot
Comment : Let's Encrypt client
Annotations :
flavor : py27
Flat size : 3.06MiB
Description :
In short: getting and installing SSL/TLS certificates made easy.
Certbot is a tool to automatically receive and install
X.509 certificates to enable TLS on servers. The client will
interoperate with the Let's Encrypt CA which will be issuing
browser-trusted certificates for free.
It's all automated:
The tool will prove domain control to the CA and submit a CSR
(Certificate Signing Request).
If domain control has been proven, a certificate will get issued and
the tool will automatically install it.
WWW: https://github.com/certbot/certbot
ogogon@server:/usr/local/etc/letsencrypt/archive/ogogon.org#
I did not change any default settings in it.
The first time you receive a certificate, this is what the /usr/local/etc/letsencrypt/archive/ogogon.org directory looks like:
total 24
drwxr-xr-x 2 root wheel 512 10 янв 05:09 .
drwx------ 3 root wheel 512 10 янв 05:09 ..
-rw-r--r-- 1 root wheel 2041 10 янв 04:03 cert1.pem
-rw-r--r-- 1 root wheel 1647 10 янв 04:03 chain1.pem
-rw-r--r-- 1 root wheel 3688 10 янв 04:03 fullchain1.pem
-rw-r--r-- 1 root wheel 1704 10 янв 04:03 privkey1.pem
As @mnordhoff points out, the 0700 mode on the /usr/local/etc/letsencrypt/{archive,keys,accounts} directories enforces root-only access to the sensitive key files.
That the files themselves are 0644 (vs 0600) is not important. That there are no restrictive permissions on the symlinks in live is also not important.
You can verify this by lowering yourself to a non-privileged user and trying to access any of the private keys, it's not possible.
I, perhaps, will agree with this logic. But my sendmail absolutely does not want to.
Its SSL stack formally checks the key file's access mode and refuses to accept connections using the so-configured certificate.