Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
iow.rest
I ran this command:
It produced this output:
My web server is (include version):
nginx 1.21.4
The operating system my web server runs on is (include version):
OSX 11.6.1
My hosting provider, if applicable, is:
self hosted, on the mac
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0
Hey!
I have a question regarding permissions of certs + privkeys on OS X.
I am running a local dev environment on my Mac with dnsmasq to test backups and restores of existing sites. This works wonderfully and is great for local development, but now I have a need to run a small test/dev server publicly for short periods at a time.
Obviously this requires SSL, and I can make it work, but I am not happy with how.
certbot creates certs and puts them (by default) in /etc/letsencrypt/**.
This is unreadable by a non-root user, and nginx in my case is not running as root, nor would I want it to.
It's my understanding that the important bit is that the privkey is readable only by root.
Currently the server (nginx) complains that the privkey is not accessible: permission denied.
What I have done in the past is to cp -r /etc/letsencrypt ~/homebrew/etc/letsencrypt, then own it with the user that runs the server and point to the new readable location in the config.
I know this works, but it's not good, and I wondered what everyone else was doing or if there was a more logical approach!
So far I have copied the letsencrypt folder from /etc/letsencrypt to ~/homebrew/etc/letsencrypt and owned only the parent directories the certs live in. The certs themselves are still with default perms, owned by root, and they work!
But the privkey cannot be read by nginx as it's only readable by root.
Bit of a messy post. If any info is needed please feel free to ask, and thanks for helping!
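One way to hand the key to an unprivileged nginx without copying the whole /etc/letsencrypt tree by hand, added here as an example and not part of the original post: let certbot run a deploy hook after each issuance/renewal that copies the current fullchain.pem and privkey.pem into a directory the nginx user can read, with the key mode 640 and group-owned by nginx's group. RENEWED_LINEAGE is the variable certbot itself exports to deploy hooks (e.g. /etc/letsencrypt/live/iow.rest); the script path, the CERT_DST/CERT_OWNER/CERT_GROUP variables, the default /usr/local/etc/nginx/certs directory and the constructed fake lineage used by `demo` are this example's own assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that publishes the live cert + key to a
# directory readable by the (non-root) nginx user.
# Usage:  certbot renew --deploy-hook /usr/local/bin/install-certs.sh
# with CERT_DST / CERT_OWNER / CERT_GROUP set in certbot's environment
# (names assumed by this example, not certbot's).
set -eu

# install_certs SRC DST [OWNER [GROUP]]
# Copies fullchain.pem and privkey.pem out of a certbot lineage directory
# (SRC, normally the live/<domain> dir) into DST. The key ends up 640:
# owner read/write, group read, nothing for world. Ownership is only
# changed when running as root (which the hook is, under certbot renew).
install_certs() {
    src="$1"; dst="$2"; owner="${3:-}"; group="${4:-}"
    umask 077                       # anything we create starts out private
    mkdir -p "$dst"
    # -L follows live/ symlinks so real files from archive/ are copied,
    # not dangling links into a root-only directory.
    cp -L "$src/fullchain.pem" "$dst/fullchain.pem.new"
    cp -L "$src/privkey.pem"   "$dst/privkey.pem.new"
    # rename atomically so nginx never reloads on a half-written key
    mv "$dst/fullchain.pem.new" "$dst/fullchain.pem"
    mv "$dst/privkey.pem.new"   "$dst/privkey.pem"
    chmod 755 "$dst"
    chmod 644 "$dst/fullchain.pem"  # the certificate is public anyway
    chmod 640 "$dst/privkey.pem"    # key: never world-readable
    if [ "$(id -u)" -eq 0 ] && [ -n "$owner" ]; then
        chown "$owner${group:+:$group}" "$dst/fullchain.pem" "$dst/privkey.pem"
    fi
}

# mode_of PATH: the 10-column permission string from ls, which has the same
# layout on macOS and Linux (unlike stat, whose flags differ).
mode_of() { ls -ld "$1" | cut -c1-10; }

# demo: builds a constructed lineage shaped like certbot's (archive/ holding
# the files, live/ holding symlinks) in a temp dir, runs install_certs on
# it, and prints the destination directory. Lets the script be checked by
# hand without touching /etc/letsencrypt.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/archive/example" "$tmp/live/example"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-sample-cert' \
        '-----END CERTIFICATE-----' > "$tmp/archive/example/fullchain1.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-sample-key' \
        '-----END PRIVATE KEY-----' > "$tmp/archive/example/privkey1.pem"
    chmod 600 "$tmp/archive/example/privkey1.pem"   # as certbot leaves it
    ln -s ../../archive/example/fullchain1.pem "$tmp/live/example/fullchain.pem"
    ln -s ../../archive/example/privkey1.pem   "$tmp/live/example/privkey.pem"
    install_certs "$tmp/live/example" "$tmp/nginx-certs"
    echo "$tmp/nginx-certs"
}

# When invoked by certbot as a deploy hook, RENEWED_LINEAGE is set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" \
        "${CERT_DST:-/usr/local/etc/nginx/certs}" \
        "${CERT_OWNER:-}" "${CERT_GROUP:-}"
    # nginx -s reload   # add once the nginx binary/path for this host is known
fi
```

Point `ssl_certificate` / `ssl_certificate_key` in nginx.conf at the copies in CERT_DST, set CERT_OWNER to the user nginx's workers run as (or CERT_GROUP to its group), and the copy stays current on every renewal. The key copy is still only readable by that one user/group; the archive under /etc/letsencrypt stays root-only, which is what actually matters.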