Certbot and Cert file permissions

volundmush · August 23, 2021, 2:42am

Hello all you happy people! I'm a mostly happy user of Let's Encrypt. I've figured out... a pretty fair chunk of how getting certificates works, keeping my certbot maintained... it's not too difficult.

However, I'm working on a project that wants to add TLS support to a few Python programs and so, those kinda need access to the files created by certbot...

By default, certbot creates a file structure under /etc/letsencrypt where the main domain then has symbolic links to the current valid certificates, but the permissions on these folders are highly restrictive. Sure, I can use setfacl to force my way in for a particular user that's not running with root permissions but something about this approach doesn't feel right....

Am I missing something? What is the 'proper' way of granting an ordinary user access to their keys/certs?

rg305 · August 23, 2021, 2:48am

Hi @volundmush, welcome to the LE community forum

A simpler way to resolve this might be to copy the new certs from the secure location to another location that your python programs do have access to.
That copy can be triggered by certbot with the --deploy-hook.
Which can copy the files and trigger a restart to whatever services use them.

system · September 22, 2021, 2:48am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Newbie qestions: certbot wants access to /etc/letsencrypt	2	5231	June 16, 2016
Some help for a noob (albeit a noob that had this working!) Help	5	840	June 3, 2018
Certbot Hardlink Mode Feature Requests	7	1581	January 31, 2019
Letsencrypt in Trusty Help	6	1051	May 9, 2019
Recommended permissions on files distributed by Lets Encrypt Help	4	18088	November 17, 2019

Certbot and Cert file permissions

Related topics