I’ve just successfully installed and set up certbot and successfully added SSL for my company website, https://www.fmp.com. First time, no errors, no failures. Congratulations on implementing smooth automation of a pretty complex process.
My question concerns file permissions. Certbot created four files which are the targets of symlinks referenced in the Apache conf files:
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
All four of these were created mode 644. Shouldn’t the privkey1.pem file be set to mode 400? If so, how about the others?
Should I set up a --post-hook or --deploy-hook script to adjust these permissions?
Additionally, it doesn’t look as if certificate installation automatically restarts the web server, which needs to happen, and also, especially, for automatic renewals. Shouldn’t I include a restart in a --post-hook script?
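The kind of `--deploy-hook` script the post asks about, as an added example (not part of the original post and not certbot's own code): it follows the `live/` symlinks to the real files, sets the private key to the mode 400 proposed above, verifies the result, and then reloads Apache. It relies on the `RENEWED_LINEAGE` variable that certbot sets for deploy hooks; the `apachectl graceful` reload command and the function names are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook. Certbot sets RENEWED_LINEAGE to the
# live directory of the certificate that was just issued or renewed.

# Tighten modes on the real files behind the live/ symlinks.
# $1 = lineage directory. Returns non-zero if the private key is missing.
harden_lineage() {
    lineage=$1
    key=$(readlink -f "$lineage/privkey.pem") || return 1
    [ -f "$key" ] || return 1
    chmod 400 "$key" || return 1
    # Certificates are public data: world-readable, owner-writable only.
    for name in cert chain fullchain; do
        target=$(readlink -f "$lineage/$name.pem") || continue
        [ -f "$target" ] && chmod 644 "$target"
    done
    return 0
}

# Succeeds only if no group/other permission bit is set on the key file.
key_is_private() {
    key=$(readlink -f "$1/privkey.pem") || return 1
    [ "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run only when invoked by certbot, so the functions can be sourced safely.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    harden_lineage "$RENEWED_LINEAGE" && key_is_private "$RENEWED_LINEAGE" || {
        echo "deploy-hook: could not secure key in $RENEWED_LINEAGE" >&2
        exit 1
    }
    # Assumption: Apache on this host is controlled with apachectl.
    apachectl graceful
fi
```

Saved as an executable file, a script like this would be passed to certbot with `--deploy-hook /path/to/script`, which runs it only after a certificate has actually been obtained or renewed.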