Permissions on privkey1.pem

I’ve just successfully installed and set up certbot and successfully added SSL for my company website. First time, no errors, no failures. Congratulations on implementing smooth automation of a pretty complex process.

My question concerns file permissions. Certbot created four files which are the targets of symlinks referenced in the Apache conf files:


All four of these were created mode 644. Shouldn’t the privkey1.pem file be set to mode 400? If so, how about the others?

Should I set up a --post-hook or --deploy-hook script to adjust these permissions?

Additionally, it doesn’t look as if certificate installation automatically restarts the web server, which needs to happen, and also, especially, for automatic renewals. Shouldn’t I include a restart in a --post-hook script?

/etc/letsencrypt/archive (where the actual file contents are located) is mode 0700 already.

It does if you specified the --installer (which is then persisted in the renewal configuration in /etc/letsencrypt/renewal).


Including if you specified --apache, which implies --installer apache.

If not, you should use a --deploy-hook script to reload Apache, yes.


Bingo on both points. Thank you.
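The situation discussed in this thread (a mode 644 privkey1.pem sitting under a mode 0700 /etc/letsencrypt/archive) can be checked mechanically. The script below is an added example, not part of the original posts and not certbot's own code: it reports whether a key file's group/other read bits are actually reachable given the search bits on its parent directories. The function names are hypothetical, and it assumes no ACLs and a consistent owner and group along the path.

```shell
#!/bin/sh
# Added example: does a key file's mode really expose it, once the
# permissions of its parent directories are taken into account?
# Assumption: no ACLs, same owner/group along the whole path.

# perm_char PATH N -> Nth character of the `ls -ld` mode string
# (5 = group read, 7 = group search, 8 = other read, 10 = other search)
perm_char() {
    ls -ld -- "$1" | cut -c"$2"
}

# class_can_reach ROOT FILE READ_COL EXEC_COL
# True when FILE has the read bit for the class and every directory from
# FILE's parent up to ROOT has the search (execute) bit for that class.
class_can_reach() {
    root=$1 file=$2 rcol=$3 xcol=$4
    [ "$(perm_char "$file" "$rcol")" = "r" ] || return 1
    dir=$(dirname -- "$file")
    while :; do
        case "$(perm_char "$dir" "$xcol")" in
            x|s|t) ;;          # searchable (s/t = setgid/sticky plus x)
            *) return 1 ;;     # traversal is blocked at this directory
        esac
        [ "$dir" = "$root" ] && return 0
        if [ "$dir" = "/" ] || [ "$dir" = "." ]; then return 0; fi
        dir=$(dirname -- "$dir")
    done
}

# key_exposure ROOT FILE -> prints private | shielded | exposed
#   private : no group/other read bit on the file itself
#   shielded: file is group/other readable, but a parent directory blocks it
#   exposed : file is readable and the whole path is traversable
key_exposure() {
    if [ "$(perm_char "$2" 5)" != "r" ] && [ "$(perm_char "$2" 8)" != "r" ]; then
        echo private
    elif class_can_reach "$1" "$2" 5 7 || class_can_reach "$1" "$2" 8 10; then
        echo exposed
    else
        echo shielded
    fi
}

# When run directly with two arguments (ROOT FILE), print the verdict.
if [ "$#" -eq 2 ]; then key_exposure "$1" "$2"; fi
```

A "shielded" result matches the layout described above; an "exposed" result means the directory protection is gone and the file mode is the only thing left to tighten.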
