Can you explain the folder permissions of Let's Encrypt on Ubuntu?

I want to understand how folder permissions work. I found that the standard permissions of the L.E. folders are:

drwxr-xr-x   8 root root 4096 feb  6 22:27 .
drwxr-xr-x. 86 root root 4096 mar  9 22:11 ..
drwx------   3 root root 4096 feb  6 22:26 accounts
drwx------   4 root root 4096 mar  9 22:12 archive
drwxr-xr-x   2 root root 4096 mar  9 22:12 csr
drwx------   2 root root 4096 mar  9 22:12 keys
drwx------   4 root root 4096 mar  9 22:12 live
drwxr-xr-x   2 root root 4096 mar  9 22:12 renewal

As far as I know, the folder /etc/letsencrypt/live is not accessible to any user other than root.

Then I looked into Apache configuration and I found this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
	#...

	SSLCertificateFile /etc/letsencrypt/live/test.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/test.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

Here the paths are absolute, but the Apache user is www-data and not the root user.
So, how can Apache read the certs in that folder?
This configuration works, but I cannot understand why.

Hi @tobiascapin,

Apache starts as root, principally to be able to bind the web server on ports below 1024 (usually 80 and 443); by default, only root is able to bind to these ports. After that, it automatically switches to the normal user, httpd, www-data, whatever. That is the reason Apache is able to read files in /etc/letsencrypt/.

Cheers,
sahsanu

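
The permission logic behind this thread, as an added example that is not part of either post: a small Python model of the Unix owner/group/other mode-bit check, walked along the path to privkey.pem with the modes from the listing in the question. The two deepest path entries and the uid/gid 33 for www-data are assumptions.

```python
# Added example: classic Unix mode-bit check over the path to privkey.pem.
# Modes for /etc, /etc/letsencrypt and live/ come from the listing in the
# question; the two deepest entries and uid/gid 33 are constructed assumptions.

def parse_mode(ls_mode):
    """'drwx------' -> 0o700. Reads the nine permission chars; a trailing '.' or '+' is ignored."""
    bits = 0
    for ch in ls_mode[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """True if (uid, gids) holds every permission bit in `want` (4=r, 2=w, 1=x)."""
    if uid == 0:
        return True  # root overrides read and directory-search checks
    if uid == owner_uid:
        granted = (mode >> 6) & 7      # owner triplet only
    elif owner_gid in gids:
        granted = (mode >> 3) & 7      # group triplet only
    else:
        granted = mode & 7             # "other" triplet
    return (granted & want) == want

def first_blocker(components, uid, gids):
    """Return the first path component that denies access, or None if the file is readable.
    Directories need search (x); the final component, the file, needs read (r)."""
    last = len(components) - 1
    for i, (path, ls_mode, owner_uid, owner_gid) in enumerate(components):
        want = 4 if i == last else 1
        if not allowed(parse_mode(ls_mode), owner_uid, owner_gid, uid, gids, want):
            return path
    return None

ROOT, WWW_DATA = 0, 33  # 33 is the usual www-data uid/gid on Debian/Ubuntu (assumption)
SAMPLE = [
    ("/etc",                                       "drwxr-xr-x.", 0, 0),
    ("/etc/letsencrypt",                           "drwxr-xr-x",  0, 0),
    ("/etc/letsencrypt/live",                      "drwx------",  0, 0),
    ("/etc/letsencrypt/live/test.com",             "drwxr-xr-x",  0, 0),  # constructed
    ("/etc/letsencrypt/live/test.com/privkey.pem", "-rw-------",  0, 0),  # constructed
]

if __name__ == "__main__":
    for name, uid in (("root", ROOT), ("www-data", WWW_DATA)):
        blocker = first_blocker(SAMPLE, uid, {uid})
        print(f"{name:9} ->", "can read privkey.pem" if blocker is None else f"blocked at {blocker}")
```

With these modes, a process running as www-data is stopped at /etc/letsencrypt/live, so the key is only readable while the process still runs as root.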