Debian jessie possible permission issue for exim4


With the 700 settings of /etc/letsencrypt/live/ and /etc/letsencrypt/archives/, I’m getting TLS errors from exim4.

e.g. 2015-11-18 12:11:01 TLS error on connection from [] (cert/key setup: cert=/etc/exim4/exim.crt│key=/etc/exim4/exim.key): Error while reading file.

Normal rights for those files are 640 root.Debian-exim
(taken from another system):
-rw-r----- 1 root Debian-exim 749 avr 30 2009 exim.crt
-rw-r----- 1 root Debian-exim 887 avr 30 2009 exim.key

At first I changed /etc/letsencrypt/archives/ to 755 and restarted exim, but I’m still getting the error.


That’s incredibly dangerous as anybody on your server will be able to read your private keys.

I’m working around the issue by simply copying the certificate to the /etc/exim4 folder before restarting exim:

cp /etc/letsencrypt/live/{fullchain,privkey}.pem /etc/exim4/
chown root:Debian-exim /etc/exim4/*.pem
chmod 640 /etc/exim4/*.pem
service exim4 reload

Note that to avoid the certificates being briefly world-readable between the first two commands, I removed world readability on the /etc/exim4/ folder. Here are the permissions in the folder:

# ls -la /etc/exim4/
total 132
drwxr-x---   3 root Debian-exim  4096 Nov 19 03:30 .
drwxr-xr-x 153 root root        12288 Nov 13 07:49 ..
drwxr-xr-x   9 root root         4096 Feb 25  2012 conf.d
-rw-r--r--   1 root root        77168 Feb 17  2015 exim4.conf.template
-rw-r-----   1 root Debian-exim  3489 Nov 17 07:30 fullchain.pem
-rw-r-----   1 root Debian-exim   204 May 12  2011 passwd.client
-rw-r-----   1 root Debian-exim  1712 Nov 17 07:30 privkey.pem
-rw-r--r--   1 root root        17712 Dec 26  2011 sa-exim.conf
-rw-r--r--   1 root root         1091 Oct  3 12:01 update-exim4.conf.conf
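A renewal-hook version of the copy above, written as an added example that is not part of vmeurisse's post or of the Let's Encrypt client. It uses install(1) to set mode and ownership in one step, under a private umask and with a rename, so neither the key nor the chain is readable by other users at any point, not even between the copy and the chown/chmod. The live directory argument, the owner/group parameters and the file_mode helper (GNU stat) are assumptions.

```shell
#!/bin/sh
# Added example: copy Let's Encrypt files into the exim4 config dir without a
# window in which they are world-readable. Assumes the Debian-exim group and
# /etc/exim4 layout from the thread; LIVE_DIR is the per-domain live directory.
set -eu

# deploy_certs LIVE_DIR DEST_DIR OWNER GROUP
# Copies fullchain.pem and privkey.pem from LIVE_DIR to DEST_DIR as OWNER:GROUP
# with mode 0640. The temporary file is created under umask 077 and only then
# renamed into place, so exim never reads a half-written or over-permissive file.
deploy_certs() {
    live_dir=$1; dest_dir=$2; owner=$3; group=$4
    for f in fullchain.pem privkey.pem; do
        src="$live_dir/$f"
        [ -r "$src" ] || { echo "deploy_certs: cannot read $src" >&2; return 1; }
        # subshell keeps the restrictive umask from leaking into the caller
        ( umask 077 && install -m 0640 -o "$owner" -g "$group" "$src" "$dest_dir/.$f.tmp" )
        mv -f "$dest_dir/.$f.tmp" "$dest_dir/$f"
    done
}

# file_mode PATH -> octal permission bits (e.g. 640); uses GNU stat (assumption)
file_mode() {
    stat -c '%a' "$1"
}

# When run as a script with a live dir and dest dir, deploy and reload exim4;
# with no arguments the functions are only defined (e.g. when sourced).
if [ "$#" -ge 2 ]; then
    deploy_certs "$1" "$2" root Debian-exim
    service exim4 reload
fi
```

Call it as `deploy_certs /etc/letsencrypt/live/<domain> /etc/exim4 root Debian-exim` from the renewal script; the /etc/exim4 directory itself should stay 750 root:Debian-exim as in the listing above.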


Thank you vmeurisse.

Yeah, I’m aware of the danger. However it’s a dedicated server and I’m the only one having access.

Just reporting the issue at this stage. Maybe the LE team will like to work around the issue.

I like your approach, however, and it’s probably what I’ll do if the LE team does nothing about it: append your script to my bi-monthly renewal script.


Any update on this? I have a similar problem.