Hi all, I have a quick question.
/etc/letsencrypt/live is set 0700 and so apps can’t read the key (e.g. fluentd, which starts as td-agent user). What is the best practice to expose the cert and private key to fluentd and other similar apps?
For example, nginx can read /etc/letsencrypt/live because the master process is run by root, but fluentd/td-agent starts itself under td-agent, and so it does not have read access to the certificates/private keys.
I was thinking I could create ssl user group and add td-agent to that group, then change /etc/letsencrypt to be owned by ssl group, but I am not sure if this is recommended.
I was wondering what others thought or had done in the past… thanks!
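
The group-based approach described in the question, as an added example (not code from the poster or from certbot). It narrows the change to the live and archive directories and the key files rather than re-owning all of /etc/letsencrypt. The function names are hypothetical, and the group is assumed to exist already.

```shell
#!/bin/sh
# Added example: give one group read access to certbot key material.
# Every member of that group can then read the private keys, so keep it small.

# grant_group_read BASE GROUP
#   BASE  - certbot config directory (/etc/letsencrypt on the page)
#   GROUP - existing group allowed to read keys ("ssl" in the question)
grant_group_read() {
    base=$1
    group=$2
    for d in "$base/live" "$base/archive"; do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
        # 0700 -> 0750: group members may traverse and list, others get nothing.
        chgrp "$group" "$d" || return 1
        chmod 0750 "$d" || return 1
    done
    # live/<name>/privkey.pem is a symlink into archive/, so the real key
    # files live under archive/ and that is where the mode has to change.
    find "$base/archive" -type f -name 'privkey*.pem' \
        -exec chgrp "$group" {} + -exec chmod 0640 {} + || return 1
}

# world_readable_keys BASE
#   Prints any private key file that "other" can read; no output is the goal.
world_readable_keys() {
    find "$1/archive" -type f -name 'privkey*.pem' -perm -004
}

# Typical use as root, once the service account is in the group
# (e.g. usermod -aG ssl td-agent, then restart the service):
#   grant_group_read /etc/letsencrypt ssl
#   world_readable_keys /etc/letsencrypt
if [ "$#" -eq 2 ]; then
    grant_group_read "$1" "$2"
fi
```
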