With the 700 settings of /etc/letsencrypt/live/ and /etc/letsencrypt/archives/, I’m getting TLS errors from exim4
e.g. 2015-11-18 12:11:01 TLS error on connection from mail-io0-f170.google.com [209.85.223.170] (cert/key setup: cert=/etc/exim4/exim.crt│key=/etc/exim4/exim.key): Error while reading file.
Normal rights for those files are 640 root.Debian-exim
(taken from another system):
-rw-r----- 1 root Debian-exim 749 avr 30 2009 exim.crt
-rw-r----- 1 root Debian-exim 887 avr 30 2009 exim.key
At first I’ve changed /etc/letsencrypt/archives/ to 755 and restarted exim but I’m still getting the error.
That's incredibly dangerous as anybody on your server will be able to read your private keys.
I'm working around the issue by simply copying the certificate to the /etc/exim4 folder before restarting exim:
cp /etc/letsencrypt/live/smtp.example.com/{fullchain,privkey}.pem /etc/exim4/
chown root:Debian-exim /etc/exim4/*.pem
chmod 640 /etc/exim4/*.pem
service exim4 reload
Note that to avoid the certificates being briefly world-readable between the first two commands, I removed world-readable permissions on the /etc/exim4/ folder. Here are the permissions in the folder:
# ls -la /etc/exim4/
total 132
drwxr-x--- 3 root Debian-exim 4096 Nov 19 03:30 .
drwxr-xr-x 153 root root 12288 Nov 13 07:49 ..
drwxr-xr-x 9 root root 4096 Feb 25 2012 conf.d
-rw-r--r-- 1 root root 77168 Feb 17 2015 exim4.conf.template
-rw-r----- 1 root Debian-exim 3489 Nov 17 07:30 fullchain.pem
-rw-r----- 1 root Debian-exim 204 May 12 2011 passwd.client
-rw-r----- 1 root Debian-exim 1712 Nov 17 07:30 privkey.pem
-rw-r--r-- 1 root root 17712 Dec 26 2011 sa-exim.conf
-rw-r--r-- 1 root root 1091 Oct 3 12:01 update-exim4.conf.conf
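A renewal deploy script along these lines, written here as an added example (it is not vmeurisse's script nor Let's Encrypt's code). It uses install(1) so the key is created with its final 640 mode and ownership in one step, and a temporary name plus rename so exim never reads a half-written file; the source directory, destination directory, owner and group are parameters, and the /etc/letsencrypt/live/smtp.example.com and Debian-exim values in the trailing comment are assumed from this thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from Let's Encrypt): copy a
# renewed certificate and key into exim4's config directory so that the key is
# never world-readable, not even for an instant. Source dir, destination dir,
# owner and group are parameters; the values in the trailing comment are the
# ones assumed from the thread.
set -eu

# deploy_exim_certs SRC_DIR DEST_DIR OWNER GROUP
#   SRC_DIR  directory holding fullchain.pem and privkey.pem (the "live" dir)
#   DEST_DIR exim4's config dir; expected to be 750 owner:group already
deploy_exim_certs() {
    src="$1"; dest="$2"; owner="$3"; group="$4"
    umask 077   # anything this shell creates is private by default
    for f in fullchain.pem privkey.pem; do
        # install(1) creates the target with its final mode and ownership in a
        # single step, so there is no window where a 644 copy exists. The copy
        # goes to a temporary name first and is renamed atomically, so exim
        # never reads a half-written file if it reloads mid-copy.
        install -m 640 -o "$owner" -g "$group" "$src/$f" "$dest/.$f.tmp"
        mv -f "$dest/.$f.tmp" "$dest/$f"
    done
}

# key_is_private FILE: succeeds only if FILE exists and is not world-readable.
# Useful as a post-deploy check before reloading the MTA.
key_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -o+r)" ]
}

# Production use, with the paths and group used in the thread (assumed):
#   deploy_exim_certs /etc/letsencrypt/live/smtp.example.com /etc/exim4 root Debian-exim \
#     && key_is_private /etc/exim4/privkey.pem \
#     && service exim4 reload
```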
Thank you vmeurisse.
Yeah, I’m aware of the danger. However it’s a dedicated server and I’m the only one having access.
Just reporting the issue at this stage. Maybe LE team will like to work around the issue.
I like your approach however and it’s probably what I’ll do if LE team does nothing about it. Append your script to my bi-monthly renewal script.
Any update to this? I have a similar problem.