Keyfile is group/world readable (not really but sendmail believes so)


I know it is not a security issue per se, but certain applications (hello sendmail) will refuse to use a group (or world) readable keyfile.

Dec 7 15:03:20 lupus sendmail[17357]: STARTTLS=server: file /etc/letsencrypt/live/ unsafe: World readable file

It does not matter that the parent directory is not accessible, it actually checks the permissions of the key-file itself.
So currently the permissions in the archive directory is:

drwxr-xr-x. 2 root root 4096 Dec 6 15:44 .
drwx------. 7 root root 4096 Dec 6 15:44 …
-rw-r–r--. 1 root root 1809 Dec 6 15:44 cert1.pem
-rw-r–r--. 1 root root 1675 Dec 6 15:44 chain1.pem
-rw-r–r--. 1 root root 3484 Dec 6 15:44 fullchain1.pem
-rw-r–r--. 1 root root 1708 Dec 6 15:44 privkey1.pem

Removing the r-bit from privkey1.pem:

chmod 600 privkey1.pem

will make sendmail happy again.



Found this request which is about the same issue: