I have a question in regards to the permissions of
/etc/letsencrypt/ archive and live folders and the
.pem files within.
I have a radicale server for CalDAV (calendars & to-do) and CarDAV on my Raspberry Pi. This server is installed using
python3 -m pip, where you have two options:
- Install it as root for a systemwide installation
- Installing using --user for just the current user.
When I created it, without having a domain and knowing nothing about servers and how to remote access them, etc... I chose
--user option. The config file was way simpler and I didn't have to worry setting any permission's structure on the config...
Now I have a domain name and I have managed to configure the server to be accessed from the outside. So I wanted to configure SSL to secure the connection.
According with radicale docs, I only have to put this on the config:
[server] ssl = True certificate = /path/to/server_cert.pem key = /path/to/server_key.pem certificate_authority = /path/to/client_cert.pem
So I did. And run into permissions problems.
That's when I read this documentation on certbot.eff.org, and tried to change the directories
/etc/letsencrypt/archive and live permissions to
0755. But, of course, my server is just under my regular user and the
privkey.pem is with
0700 permissions and therefore I get this error on the log:
RuntimeError: Invalid filepath value for option 'key' in section 'server' in config file '/home/pi/.config/radicale/config': '/etc/letsencrypt/live/domain.com/privkey.pem' ([Errno 13] Permission denied: '/etc/letsencrypt/live/domain.com/privkey.pem')
The documentation suggests for servers that "drop root privileges before attempting to read the private key file" to change the group and
0640 the file.
Now I wonder the following:
- Are there any risks on
chgrpwith the group
pi(my server is on my pi user (of course strong password), owned by
pi:pi) so it can has access?
- Should I uninstall and remove the server... and start from the beginning installing it as root?
I don't really have the knowledge to understand the consequences of setting the privkey group as
pi, so I don't want to make changes before having some info.
For now, the server will stay just on "local network" (which I can access with my personal vpn).
Thanks for the help!!
P.S.: As why I started a server from a regular user, this is what I thought at that time: "I don't have any network/security knowledge, so if I ever make this available throgh a domain name from the outside, I don't want to expose anything that is running with root privilegies" (because I don't know what the f* I'm doing). So it seemed "less risky" to my not-knowing brain to just install it under my regular user.