The operating system my web server runs on is (include version): RHEL
The version of my client is: 1.22.0 (latest offered by RHEL repos)
Certbot logs are being created with 0644 permissions by default. The cybersecurity team would like us to follow the recommendations of the Center for Internet Security (CIS) that all logs in /var/log/ have permissions of 0640.
Does certbot have a configuration to set the umask of the log files it creates? I don't see the option in the docs (User Guide - Certbot 2.11.0 documentation). Docs do mention using --max-log-backups 0 to disable log rotation, which I can then use rsyslog to set file perms on rotations, but I don't see a way to set that parameter after a certificate has been issued.
On a separate note, why was it decided that default max log backups should be 1000? That's silly.
Someone else here may have ideas but one option is to use a --post-hook to set permissions of the log file just created.
But, this is probably better handled at the EFF's github for Certbot. We often help people use Certbot (and other ACME clients) to get and use Let's Encrypt certs. But, submitting feature requests for Certbot (or other clients) is best done directly with the author.
That doesn't seem possible to set after a certificate is issued, or am I mistaken?
I thought this was the place for technical questions and the repo was for bugs/feature requests. I am not asking for changes, just trying to understand certbot's functionality.
I am already well aware of the command to change it, as I mentioned it in my original post; my question wasn't about how to change it but why it was decided to be 1000. That is unusually high. I assumed this community included people who were close to the devs; I didn't want to bother the repo with that question.
Today, I can't just run sudo certbot --post-hook "chmod -R 640 /var/log/letsencrypt/*" --domain domain1.com to change the parameters Certbot uses next time it creates a log, or can I?
No, you are not changing what Certbot does, you are explicitly setting them. No different than if you ran a cronjob to chmod them each day at say 04:00.
But, yes, re-issuing that command will reset the renewal "profile" Certbot uses when renewing that cert. So, it should happen each time a "renew" command runs. See the /etc/letsencrypt/renewal folder for these profiles.
And, as for tech questions, it is sometimes a fine line. We are focused on Let's Encrypt as a Certificate Authority. Certbot is just one of many ACME Clients used to get a cert. And, Certbot can get certs from other CAs. We often help with routine Certbot "stuff". But, this particular issue is not common. If you wanted Certbot to add a feature to set alternate perms on the log, or just wonder about its design decisions, it is best to post that to the Certbot dev team at the EFF github. Let's Encrypt does not develop or maintain Certbot.
You can change the logging configuration and permissions.
I don't think "silly" is a valid adjective in this case.
"Certbot logs are being created with 0644 permissions by default."
"The cybersecurity wants all logs in /var/log/ to have permissions of 0640."
So if it behooves your security team, you can create a post hook:
--post-hook "chmod 0640 /var/log/letsencrypt/letsencrypt.log"
(or /your/path/to/the/certbot/letsencrypt/logfile.log)
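A post-hook script for the approach described in the replies above (restricting Certbot's logs to 0640 after each run, including rotated backups), added here as an example that is not from this thread and not Certbot's own code. It assumes the default /var/log/letsencrypt directory and the letsencrypt.log, letsencrypt.log.1, ... naming of rotated logs; the script path in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not Certbot's code and not from this thread: a script to
# run via --post-hook so Certbot's own logs end up 0640 after each run.
# Assumed: the default /var/log/letsencrypt log directory and Certbot's
# letsencrypt.log, letsencrypt.log.1, ... naming for rotated backups.
set -eu

# Restrict every regular log file under LOGDIR to 0640. Only files are
# touched: "chmod -R 640 /var/log/letsencrypt/*" would also strip the
# execute (search) bit from any subdirectory, so find -type f is used.
fix_log_perms() {
    logdir="${1:-/var/log/letsencrypt}"
    [ -d "$logdir" ] || return 1
    find "$logdir" -type f -name 'letsencrypt.log*' -exec chmod 0640 {} +
}

# Return 0 when every matching log file is exactly 0640, 1 otherwise.
# Usable as the check in a compliance or monitoring script.
check_log_perms() {
    logdir="${1:-/var/log/letsencrypt}"
    bad=$(find "$logdir" -type f -name 'letsencrypt.log*' ! -perm 0640 | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# Act only when given an absolute path, e.g. from (placeholder path)
#   --post-hook "/usr/local/sbin/certbot-log-perms.sh /var/log/letsencrypt"
# so the functions can also be sourced without side effects.
case "${1:-}" in
    /*) fix_log_perms "$1" ;;
esac
```

Because the post-hook is stored in the cert's profile under /etc/letsencrypt/renewal, the script runs after every renewal, and check_log_perms can be run separately to confirm nothing drifted back to 0644.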