Credentials configuration file having 'unsafe permissions'

Like it says on the tin, certbot is working fine, but I'm trying to secure my API token for Cloudflare. I -thought- chmod 600 was what I wanted (working from memory for doing SMB credentials in fstab), but it threw this error, so clearly I modded the file wrong.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.certbot.ini --dns-cloudflare-propagation-seconds 60 -d -d *

It produced this output (certificate generated just fine):

Renewing an existing certificate for and *
Unsafe permissions on credentials configuration file: /home/heatheriac/.certbot.ini

My web server is (include version): apache 2.4.46

The operating system my web server runs on is (include version): 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don't know):Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0


Is there a specific question you'd like to address? Because the warning message is pretty clear it seems.

Please note that for renewals you should be able to simply run sudo certbot renew. If you only want to renew a single certificate among many, you could use the --cert-name option.


I'm trying to figure out what the proper permissions value is for the credentials file. I thought it was 600, but since it's giving that error, I clearly messed up somewhere

What's the owner of the file?


my user account: heatheriac/heatheriac

Oh ... wait. that's supposed to be root/root, isn't it.

1 Like

Yupz :slight_smile:

Certbot usually runs as root. Certbot will complain if the owner of the file isn't the user running the Certbot process.


Yeah .,.. things should be better now. Part of the problem I have is I run multiple domains (so have to repeat this process regularly) and the last time I renewed a cert I had to move from apt's version to snap and rebuild a lot of stuff from the ground up.

I'm hoping this domain set is done and dusted, and just have to do the other domains once each (since I can do full wildcards), so having the credential file is beneficial for me in the future anyway.

Thanks for the rubber duck programming!

1 Like

By the way, I searched the standard Certbot documentation and couldn't find anything about this warning, but it seems to be mentioned in the DNS plugin documentation: Welcome to certbot-dns-cloudflare’s documentation! — certbot-dns-cloudflare 0 documentation


Thanks, I remember looking around for this when it first happened (technically this issue was a few weeks old, just been busy) and couldn't find anything. But I also have a tendency to do niche things being self hosted and such

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.