Permission Denied


#1

My domain is: msazure.developatribe.com
I followed these instructions to install certbot - https://certbot.eff.org/lets-encrypt/ubuntubionic-other
I attempted to start my Mattermost server but it reported that ‘permission denied’ to the certificates. I was unable to access the ‘live’ directory until I changed to root; and I am therefore assuming that my mattermost user is unable to access that directory and therefore the app won’t start. Is there a simple way to allow the user from the mattermost application access without changing the permissions on the directory to give full read access to the private key in the same directory? Or move the certs to a more suitable directory with the right permissions? Thanks.

My web server is (include version): Mattermost 5.5
The operating system my web server runs on is (include version): Ubuntu 18.04
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0


#2

Yup:

setfacl -R -m u:mattermost:rX /etc/letsencrypt/

You have to keep in mind that this will expose your ACME private key as well, so it might be better to do it only to /live and /archive/.

You can also use a --deploy-hook to copy the private key and certificate to a completely different location.
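The deploy-hook approach mentioned above, as an added example that is not part of the original post or of Certbot itself: it copies the renewed certificate and key out of /etc/letsencrypt into a directory only one service group can read. The destination /opt/mattermost/tls, the group name mattermost, and the systemd unit name are assumptions; RENEWED_LINEAGE is the variable Certbot sets for deploy hooks.

```shell
#!/bin/sh
# Certbot deploy hook (added example). Assumed names, not from the thread:
#   DEST=/opt/mattermost/tls, GROUP=mattermost, systemd unit "mattermost".
CERT_NAME=msazure.developatribe.com   # lineage to export; other domains are skipped
DEST=/opt/mattermost/tls
GROUP=mattermost

# deploy_cert LINEAGE_DIR DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem as regular files (the live/ entries are
# symlinks into archive/), group-readable only, replacing old copies atomically.
deploy_cert() {
    lineage=$1 dest=$2 group=$3

    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "deploy_cert: missing cert or key in $lineage" >&2
        return 1
    }

    umask 077                      # nothing is ever world-readable, even briefly
    mkdir -p "$dest" || return 1
    chgrp "$group" "$dest" && chmod 0750 "$dest" || return 1

    for f in fullchain.pem privkey.pem; do
        tmp=$(mktemp "$dest/.$f.XXXXXX") || return 1
        if cat "$lineage/$f" > "$tmp" &&
           chgrp "$group" "$tmp" &&
           chmod 0640 "$tmp" &&
           mv -f "$tmp" "$dest/$f"; then
            continue
        fi
        rm -f "$tmp"
        return 1
    done
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) when it
# runs a deploy hook; outside Certbot the script only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    [ "$(basename "$RENEWED_LINEAGE")" = "$CERT_NAME" ] || exit 0
    deploy_cert "$RENEWED_LINEAGE" "$DEST" "$GROUP" || exit 1
    systemctl restart mattermost   # assumed unit name; reload the new cert
fi
```

With this in place the application is pointed at the copies in the destination directory, and no ACL on /etc/letsencrypt is needed, so the service account never sees the ACME account key or other domains' keys.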


#3

Thanks for the quick reply, that solved the issue.

I took your advice and only applied it to the live and archive directory.

Are there any security implications I should be aware of making that change, or is it good practice? Also, should I have done something differently in the setup to avoid this issue?


#4

I don’t think so. Web servers like Apache and nginx commonly start as root (so they automatically have access to private keys owned by root), and drop their privilege level as they fork the actual workers.

Since mattermost doesn’t seem to work this way, you would always need to take the extra task of implementing one of the two approaches I outlined above.

The only security implication I can think of is that mattermost will be able to read the private keys for your other domains (if they exist). You could have addressed this by only giving access to /etc/letsencrypt/{archive,live}/yourdomain/, but it’s kind of a “meh” threat.


#5

Thanks again for the answers. Much appreciated.