Private key permissions after certbot renewal

I have a cert for mailserver TLS and the mailserver (exim4) needs read access to its private key. I'm not sure if I'm happy, but I'm doing it according to exim's recommendations (group-readable by a group only the exim user belongs to).

I'm running certbot v31 under a cron job to check for renewal. When it renews, the final target in /archive of the symlink in /live will change from privkey1.pem to privkey2.pem.

Will certbot recreate the same permissions on privkey2 as on privkey1?

If not, I plan to do it with a --manual-cleanup-hook script that will find the new target of the /live privkey.pem link and apply perms as root. Is that the right thing to do?

exim4 under Debian 10, certbot v31, I have root access.


Are you using the /live/ symlink or /archive/file directly?

I believe certbot will always set the same permissions on all new files.
[Ignoring any changed permissions on previous files]

I would say NO.
What I would do is use the deploy-hook script to copy the files (from their symlinks) to a dedicated EXIM accessible location.
Then on those copied files, you can make whatever permissions it requires.
[so maybe the script should clean/remove files from the EXIM folder first]

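One way to do what the reply above describes, as an added example that is not part of this thread or of certbot's own code: a deploy-hook script that follows the /live symlinks, copies the renewed files into a directory exim owns, and sets the mode the key needs. Certbot really does export RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the destination /etc/exim4/tls, the group Debian-exim and the hostname mail.example.com are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: certbot --deploy-hook that copies the renewed cert and key out
# of /live (resolving the symlinks into /archive) into an exim-private directory
# and sets ownership and mode there. Not the poster's script and not certbot code.
# Assumed: destination /etc/exim4/tls, group Debian-exim, hostname mail.example.com.
set -eu

# deploy_to_exim LINEAGE_DIR DEST_DIR OWNER GROUP
# LINEAGE_DIR is the /live/<name> directory whose entries are symlinks into
# /archive. cp -L dereferences them, so DEST_DIR ends up with real files whose
# permissions do not change when the next renewal points the links elsewhere.
deploy_to_exim() {
    lineage="$1"; dest="$2"; owner="$3"; group="$4"

    [ -r "$lineage/privkey.pem" ] || { echo "no readable private key under $lineage" >&2; return 1; }
    mkdir -p "$dest"
    chown "$owner:$group" "$dest"
    chmod 0750 "$dest"

    # Stage into a temp dir on the same filesystem so each final step is a
    # rename: exim never sees a half-written key file.
    tmp=$(mktemp -d "$dest/.deploy.XXXXXX")
    cp -L "$lineage/fullchain.pem" "$tmp/fullchain.pem"
    cp -L "$lineage/privkey.pem"   "$tmp/privkey.pem"

    # Key: owner rw, group r, nothing for others. The chain is public anyway.
    chown "$owner:$group" "$tmp/fullchain.pem" "$tmp/privkey.pem"
    chmod 0640 "$tmp/privkey.pem"
    chmod 0644 "$tmp/fullchain.pem"

    mv -f "$tmp/fullchain.pem" "$dest/fullchain.pem"
    mv -f "$tmp/privkey.pem"   "$dest/privkey.pem"
    rmdir "$tmp"
}

# file_mode FILE: octal mode of FILE (GNU stat), used to verify the result.
file_mode() {
    stat -c '%a' "$1"
}

# Certbot runs the deploy hook once per renewed lineage and sets RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/mail.example.com) and RENEWED_DOMAINS (space
# separated). Only act for the mail server's certificate, and only when the
# variables are present, so the file can also be sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case " ${RENEWED_DOMAINS:-} " in
        *" mail.example.com "*)   # assumed hostname; replace with the mail cert's name
            deploy_to_exim "$RENEWED_LINEAGE" /etc/exim4/tls root Debian-exim
            ;;
    esac
fi
```

Install it either with `--deploy-hook /path/to/script` on the certbot command line (certbot records it in the renewal config) or by dropping it, executable, into /etc/letsencrypt/renewal-hooks/deploy/. Point exim's tls_certificate and tls_privatekey at the copies under /etc/exim4/tls, not at /etc/letsencrypt.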

I'm only using the cert for this one purpose but that may change. Whichever, making a copy under /etc/exim4 seems a better way to do it. Thanks.


Seems to work a treat. Will need to wait till renewal is due to confirm that the --deploy-hooks script works the same as when run directly.


You can confirm now by running:
certbot renew --dry-run

hmm... but that won't trip the deploy script...

If it passed that test and you really want to fully test it, then try (only once):
certbot renew --force-renewal

[that will fast forward and force your next renewal right now]


I'm superstitious about pushing things I don't completely understand. I've set myself a reminder for the day it should renew (expiry - 30 days) and will do a TLS test then.

