Is changing ownership on the downloaded certificate files for easier access from non-root users a good idea?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hqyc1973.com

I ran this command: chown ubuntu cert.pem

It produced this output: nothing

My web server is (include version): cherrypy

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest

I tried to use the command line to change the ownership of the four downloaded certificate files so my application can access them more freely. I typed in the command below:
root@ip-172-31-28-106:/original_volume/home/ubuntu/live/from-dawn.com# chown ubuntu cert.pem
root@ip-172-31-28-106:/original_volume/home/ubuntu/live/from-dawn.com# ls -l
total 4
-rw-r--r-- 1 root root 692 Apr 29 23:20 README
lrwxrwxrwx 1 root root 37 Apr 29 23:20 cert.pem -> ../../archive/from-dawn.com/cert1.pem
lrwxrwxrwx 1 root root 38 Apr 29 23:20 chain.pem -> ../../archive/from-dawn.com/chain1.pem
lrwxrwxrwx 1 root root 42 Apr 29 23:20 fullchain.pem -> ../../archive/from-dawn.com/fullchain1.pem
lrwxrwxrwx 1 root root 40 Apr 29 23:20 privkey.pem -> ../../archive/from-dawn.com/privkey1.pem

As shown above, after the chown command, there is no effect.

How can I change those files' ownership? Is such a change considered bad practice?

2 Likes

When you use the command chown on a symbolic link, it changes the ownership of the file the symbolic link points to. If you want to change the ownership of the link itself, please use the -h flag on chown to avoid dereferencing.

Whether or not it is a good idea to change ownership in the actual situation is another story.

2 Likes

If these files under the live/ directory are just symbolic links, then where are the real files stored? I thought they were real files themselves.

Also, is it a good idea to change ownership other than root to make access easier?

2 Likes

They are real files. The symbolic link itself tells where they are located: in ../../archive. If you add the -L flag to the command ls -l, it will show you the real files.

2 Likes
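
The two replies above say that chown without -h acts on the file a link points to, and that ls -lL shows those real files. As an added example (not part of the original thread), this script prints each link's owner next to the owner and mode of the file behind it. It assumes GNU stat and readlink -f as found on Ubuntu; the function names and the example.test layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare each live/ symlink with the archive/ file behind it.

# One line per *.pem symlink in directory $1.
# stat without -L describes the link itself (the rows `ls -l` printed above);
# stat -L follows the link, as `ls -lL` and a plain `chown` do.
audit_live_dir() {
    for entry in "$1"/*.pem; do
        [ -L "$entry" ] || continue
        printf '%s link_owner=%s target=%s target_owner=%s target_mode=%s\n' \
            "$(basename "$entry")" \
            "$(stat -c '%U' "$entry")" \
            "$(readlink -f "$entry")" \
            "$(stat -L -c '%U' "$entry")" \
            "$(stat -L -c '%a' "$entry")"
    done
}

# Constructed stand-in for the layout in the question (empty files, no keys).
make_demo_layout() {
    mkdir -p "$1/archive/example.test" "$1/live/example.test"
    for name in cert chain fullchain privkey; do
        : > "$1/archive/example.test/${name}1.pem"
        chmod 644 "$1/archive/example.test/${name}1.pem"
        ln -s "../../archive/example.test/${name}1.pem" \
            "$1/live/example.test/${name}.pem"
    done
    chmod 600 "$1/archive/example.test/privkey1.pem"
}

demo_dir=$(mktemp -d)
make_demo_layout "$demo_dir"
audit_live_dir "$demo_dir/live/example.test"
rm -rf "$demo_dir"
```

Run against a real directory, after a plain chown the link_owner column stays the same while target_owner shows the new owner, which is why the ls -l listing in the question looked unchanged.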

This problem arose when I downloaded those certificate files by specifying --config-dir. By specifying this parameter I can download those (symbolic links to the) files to my application's root.
Instead, I could have just copied those files from the default directory to my application's root.
Which solution is a better idea?

1 Like
