Certbot and Cert file permissions

Hello all you happy people! I'm a mostly happy user of Let's Encrypt. I've figured out... a pretty fair chunk of how getting certificates works, keeping my certbot maintained... it's not too difficult.

However, I'm working on a project that wants to add TLS support to a few Python programs and so, those kinda need access to the files created by certbot...

By default, certbot creates a file structure under /etc/letsencrypt where the main domain then has symbolic links to the current valid certificates, but the permissions on these folders are highly restrictive. Sure, I can use setfacl to force my way in for a particular user that's not running with root permissions but something about this approach doesn't feel right....

Am I missing something? What is the 'proper' way of granting an ordinary user access to their keys/certs?

Hi @volundmush, welcome to the LE community forum.

A simpler way to resolve this might be to copy the new certs from the secure location to another location that your Python programs do have access to.
That copy can be triggered by certbot with the --deploy-hook, which can copy the files and trigger a restart of whatever services use them.

2 Likes
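
The deploy-hook approach suggested in the reply above, written out as an added example that is not part of the original thread. `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks; `DEST_ROOT`, `SVC_GROUP`, `deploy_cert`, the path `/etc/myapp/tls` and the group `myapp` are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: certbot deploy hook that copies a renewed certificate
# to a directory readable by one unprivileged service group.
# Assumed names (not from the thread): DEST_ROOT, SVC_GROUP, deploy_cert.
set -eu

DEST_ROOT="${DEST_ROOT:-/etc/myapp/tls}"   # hypothetical destination
SVC_GROUP="${SVC_GROUP:-myapp}"            # hypothetical service group

# deploy_cert LINEAGE_DIR DEST_DIR GROUP
deploy_cert() {
    lineage=$1 dest=$2 group=$3
    # Refuse to touch the destination unless both source files are readable.
    for name in fullchain.pem privkey.pem; do
        [ -r "$lineage/$name" ] || { echo "missing $lineage/$name" >&2; return 1; }
    done
    umask 077                       # temp files are never world-readable
    mkdir -p "$dest"
    chgrp "$group" "$dest"
    chmod 0750 "$dest"              # owner rwx, service group r-x, others none
    for name in fullchain.pem privkey.pem; do
        tmp=$(mktemp "$dest/.$name.XXXXXX")
        # cat follows the live/ symlink and writes into the 0600 temp file,
        # so the copy is a regular file, not a link back into /etc/letsencrypt.
        cat "$lineage/$name" > "$tmp"
        chgrp "$group" "$tmp"
        chmod 0640 "$tmp"           # group may read, never write
        mv -f "$tmp" "$dest/$name"  # atomic replace within the same directory
    done
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when it runs a deploy hook; do nothing if invoked any other way.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" \
        "$DEST_ROOT/$(basename "$RENEWED_LINEAGE")" "$SVC_GROUP"
    # Restart or reload the consuming service here.
fi
```

Pass the script's path to certbot with --deploy-hook and run the Python programs under an account that belongs to the service group, so /etc/letsencrypt itself keeps its restrictive permissions.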
