Accessing *pems for non-root user running apps

Hi guys,

I’m on Debian Jessie and I installed certbot as per the documentation.

I have a question regarding the pem files generated by certbot. How do I access them from an app run by a non-root account?

I am not that familiar with this as I am no sysadmin, and I’ve seen many approaches, but it’s hard to say which one is “good” (in terms of security and so on):

  • chmod and chown directories and files (many different permissions used)
  • copying keys to a place where the non-root user can access them
  • creating/reusing another group that can access the files

Another concern is: how does it cooperate with certbot renewal? From what I can see, people usually write scripts doing the steps mentioned before. But the stuff I found about it is sometimes more than a year old, so maybe there are some changes that make the whole process easier?

Thanks!

There’s no perfect answer to this yet, but I’d recommend not modifying the files in /etc/letsencrypt in any way (it’s easy to break renewal doing that) but rather copying them somewhere else and modifying the permissions as needed. I’d probably do this manually for the initial issuance, and use --renew-hook with a small bash script for renewal.
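
The approach from the reply above, as an added example that is not part of the original thread: a script for certbot's --renew-hook that copies the renewed certificate and key into a separate directory readable by one group, leaving /etc/letsencrypt untouched. The function name deploy_certs, the variables DEST_DIR and APP_GROUP, and the defaults /etc/myapp/tls and myapp are assumptions; RENEWED_LINEAGE is the variable certbot sets for the hook.

```bash
#!/bin/bash
# Added example (not from the thread). deploy_certs, DEST_DIR, APP_GROUP and
# the "myapp" defaults are assumed names; adjust them to the application.
set -eu

# deploy_certs LINEAGE_DIR DEST_DIR GROUP
# Copy certificate and key out of the certbot lineage directory so that only
# the owner (root when certbot runs the hook) and members of GROUP can read
# them. The originals are never modified.
deploy_certs() {
    local src="$1" dest="$2" group="$3" f tmp
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "deploy_certs: no readable pem files in $src" >&2
        return 1
    }
    # Destination directory: owner rwx, group r-x, no access for others.
    install -d -m 0750 -g "$group" "$dest"
    for f in fullchain.pem privkey.pem; do
        # mktemp creates the file with mode 0600, so the key is never
        # exposed to other users while it is being written.
        tmp=$(mktemp "$dest/.$f.XXXXXX")
        cat "$src/$f" > "$tmp"      # follows the symlink, copies the content
        chgrp "$group" "$tmp"
        chmod 0640 "$tmp"           # owner rw, group r, others nothing
        mv -f "$tmp" "$dest/$f"     # rename: the app never sees a partial file
    done
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to the
# hook after a successful renewal; without it the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "${DEST_DIR:-/etc/myapp/tls}" "${APP_GROUP:-myapp}"
    # Reload or restart the application here so it loads the new files.
fi
```

For the initial issuance, run the script once by hand with RENEWED_LINEAGE set to the certificate's directory under /etc/letsencrypt/live. The application account then only needs membership in the chosen group.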
