Hi all, I have a quick question. /etc/letsencrypt/live is set to 0700, and so apps can’t read the key (e.g. fluentd, which starts as the td-agent user). What is the best practice to expose the cert and private key to fluentd and other similar apps?
For example, nginx can read /etc/letsencrypt/live because the master process is run by root, but fluentd/td-agent starts itself under td-agent, and so it does not have read access to the certificates/private keys.
I was thinking I could create an ssl user group and add td-agent to that group, then change /etc/letsencrypt to be owned by the ssl group, but I am not sure if this is recommended.
I was wondering what others thought or had done in the past… thanks!
Well that was fast. Thanks for the speedy reply, I’ll look into those options ASAP.
Changing permissions or groups already raised a bunch of flags in my head which is why I wanted to ask and see how others tackled this issue.
Edit: Took a bit of time to understand what all those flags mean. I also had to run setfacl -m u:td-agent:rX /etc/letsencrypt/{live,archive} as that is the directory that td-agent had trouble getting into.
You can run them in either order, but it is important that you do not run the latter with -R as that would allow the added user (in this case, td-agent) read access to any other SSL certificates managed by Let’s Encrypt/Certbot.
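The scoped-ACL approach described in this thread, written up as an added example (not code from the thread or from Certbot): a small POSIX shell helper that grants one service user read access to one certificate only, by walking the symlinks in live/<domain> into archive/ and adding ACL entries on exactly those paths, never with -R. It goes slightly tighter than the rX used above: the shared parent directories (/etc/letsencrypt, live, archive) get traverse-only (x), so the user can reach the named domain but cannot list the other certificates alongside it. Assumptions: `setfacl` and `readlink -f` are available, the directory layout is Certbot's (live/<domain>/*.pem -> ../../archive/<domain>/*N.pem), and the user name, domain and root path are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: scoped ACL grant for one
# certificate's files. Assumes setfacl, readlink -f, and Certbot's layout
# live/<domain>/*.pem -> ../../archive/<domain>/<name>N.pem.

# Emit (DRY_RUN=1, the default) or apply (DRY_RUN=0) a single setfacl entry.
# Never uses -R: every path is named explicitly.
acl_apply() {
  entry=$1; path=$2
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'setfacl -m %s %s\n' "$entry" "$path"
  else
    setfacl -m "$entry" "$path"
  fi
}

# grant_cert_read ROOT DOMAIN USER
#   ROOT   letsencrypt directory (e.g. /etc/letsencrypt)
#   DOMAIN lineage name under live/ and archive/
#   USER   service account that needs the key (e.g. td-agent)
# Shared parent dirs get x only (traverse, no listing); the domain's own live/
# and archive/ dirs get rx; the resolved certificate files get r.
grant_cert_read() {
  root=$(readlink -f "$1") || return 1
  domain=$2; user=$3
  live_dir="$root/live/$domain"
  [ -d "$live_dir" ] || { echo "no live directory for $domain under $root" >&2; return 1; }

  acl_apply "u:$user:x"  "$root"
  acl_apply "u:$user:x"  "$root/live"
  acl_apply "u:$user:rx" "$live_dir"
  acl_apply "u:$user:x"  "$root/archive"

  seen=""
  for link in "$live_dir"/*.pem; do
    [ -e "$link" ] || continue
    target=$(readlink -f "$link") || return 1
    target_dir=$(dirname "$target")
    # Refuse anything that does not resolve into archive/<domain>: a stray or
    # tampered symlink would otherwise silently widen the grant.
    case "$target_dir" in
      "$root/archive/$domain") ;;
      *) echo "refusing $link -> $target: outside archive/$domain" >&2; return 1 ;;
    esac
    # Grant rx on the archive dir once, then r on each resolved file.
    case " $seen " in
      *" $target_dir "*) ;;
      *) acl_apply "u:$user:rx" "$target_dir"; seen="$seen $target_dir" ;;
    esac
    acl_apply "u:$user:r" "$target"
  done
}

# Usage (prints the plan; set DRY_RUN=0 to apply as root):
#   grant_cert_read /etc/letsencrypt example.org td-agent
```

Run it first with the default DRY_RUN=1 and read the printed plan: every line names one path under live/<domain> or archive/<domain>, plus the three traverse-only parents. Because each renewal writes new numbered files into archive/<domain> and repoints the live/ symlinks, the file-level entries have to be refreshed after renewal, for example from a certbot --deploy-hook; the directory entries survive.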