Best practice for exposing private key to locally installed programs?

Hi all, I have a quick question. /etc/letsencrypt/live is set 0700 and so apps can’t read the key (e.g. fluentd, which starts as td-agent user). What is the best practice to expose the cert and private key to fluentd and other similar apps?

For example, nginx can read /etc/letsencrypt/live because the master process is run by root, but fluentd/td-agent starts itself under td-agent, and so it does not have read access to the certificates/private keys.

I was thinking I could create ssl user group and add td-agent to that group, then change /etc/letsencrypt to be owned by ssl group, but I am not sure if this is recommended.

I was wondering what others thought or had done in the past… thanks!

--deploy-hook to make a copy of the certificate and private key with suitable permissions.

Or filesystem ACLs:

setfacl -R -m u:td-agent:rX /etc/letsencrypt/{live,archive}/

Don’t change the group/owner of /etc/letsencrypt.


Well that was fast. Thanks for the speedy reply, I’ll look into those options ASAP.

Changing permissions or groups already raised a bunch of flags in my head which is why I wanted to ask and see how others tackled this issue.

Edit: Took a bit of time to understand what all those flags mean. I also had to run setfacl -m u:td-agent:rX /etc/letsencrypt/{live,archive} as that is the directory that td-agent had trouble getting into.


Nice catch - admittedly I’m running with a very open rX on the entire /etc/letsencrypt hierarchy :fearful:.


In case this topic becomes searchable and others find this helpful, I need to clarify:

The commands to run are:

  • setfacl -R -m u:td-agent:rX /etc/letsencrypt/{live,archive}/, and then
  • setfacl -m u:td-agent:rX /etc/letsencrypt/{live,archive}

You can run them in either order, but it is important that you do not run the latter with -R as that would allow the added user (in this case, td-agent) read access to any other SSL certificates managed by Let’s Encrypt/Certbot.

Thanks @_az for the assist!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.