Permissions on privkey1.pem

I’ve just successfully installed and set up certbot and successfully added SSL for my company website, https://www.fmp.com. First time, no errors, no failures. Congratulations on implementing smooth automation of a pretty complex process.

My question concerns file permissions. Certbot created four files which are the targets of symlinks referenced in the Apache conf files:

cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem

All four of these were created mode 644. Shouldn’t the privkey1.pem file be set to mode 400? If so, how about the others?

Should I set up a --post-hook or --deploy-hook script to adjust these permissions?

Additionally, it doesn’t look as if certificate installation automatically restarts the web server, which needs to happen, and also, especially, for automatic renewals. Shouldn’t I include a restart in a --post-hook script?

/etc/letsencrypt/archive (where the actual file contents are located) is mode 0700 aready.

It does if you specified the --installer (which is then persisted in the renewal configuration in /etc/letsencrypt/renewal).

1 Like

Including if you specified --apache, which implies --installer apache.

If not, you should use a --deploy-hook script to reload Apache, yes.

1 Like

Bingo on both points. Thank you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.