Protecting SSL generation directories

I'm running Wordpress & LAMP stack on Ubuntu 20.04 on Oracle OCI.
Certs installed without any issues (certbot 0.40.0)

Just to check all was clean, I installed the Really Simple SSL plugin in Wordpress.
This plugin is giving me the following warning:

Your Key and Certificate directories are not properly protected. For more information, please read this article

The article goes on to state:
this warning occurs when your SSL certificate files aren't protected. This happens when Really Simple SSL has created an ssl/certs and ssl/keys directory in your website's root folder. The public certificate (.crt) being available is not an issue, it's the private key (.key) file that needs to be protected. To fix this issue, you can modify the file permissions to 644 for the .crt file and 600 for the .key file. You might have to ask your hosting provider to do this for you. Once this has been done, you can safely dismiss the notice.

I believe the Key & Certs are in the /etc/letsencrypt/live/domain_name directory.
I checked the permissions in this directory: it's 777 on all files, which seems inappropriate. However, the files themselves appear to be symbolic links, rather than files.

root@webserver:/etc/letsencrypt/live/domain_name# ls -al

total 12
drwxr-xr-x 2 root root 4096 Mar 21 02:39 .
drwx------ 3 root root 4096 Mar 21 02:39 ..
-rw-r--r-- 1 root root 692 Mar 21 02:39 README
lrwxrwxrwx 1 root root 35 Mar 21 02:39 cert.pem -> ../../archive/domain_name/cert1.pem
lrwxrwxrwx 1 root root 36 Mar 21 02:39 chain.pem -> ../../archive/domain_name/chain1.pem
lrwxrwxrwx 1 root root 40 Mar 21 02:39 fullchain.pem -> ../../archive/domain_name/fullchain1.pem
lrwxrwxrwx 1 root root 38 Mar 21 02:39 privkey.pem -> ../../archive/domain_name/privkey1.pem

I subsequently checked the permissions of the files the above links are linking to.

root@webserver:/etc/letsencrypt/archive/domain_name# ls -al

total 28
drwxr-xr-x 2 root root 4096 Mar 21 02:39 .
drwx------ 3 root root 4096 Mar 21 02:39 ..
-rw-r--r-- 1 root root 1834 Mar 21 02:39 cert1.pem
-rw-r--r-- 1 root root 3750 Mar 21 02:39 chain1.pem
-rw-r--r-- 1 root root 5584 Mar 21 02:39 fullchain1.pem
-rw------- 1 root root 1704 Mar 21 02:39 privkey1.pem

Looking at the above files while referring to the initial warning I received...

It seems that the private key (privkey1.pem) is at 600 which seems appropriate. Everything else (cert1.pem, chain1.pem, fullchain1.pem) is at 644 which also seems appropriate.

So does anyone know why the Really Simple SSL plugin gives this warning? Or am I missing something obvious?

Any and all advice appreciated.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
Oracle OCI

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
OCI Console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0
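As an added check (not from this post, the plugin, or certbot itself): the `lrwxrwxrwx` mode shown on a symlink is meaningless, since the kernel applies the mode of the file the link points to. The script below follows each link in a certbot `live/<domain>` directory to its `archive` target and compares that target's mode against the expectations above (600 for `privkey.pem`, 644 for the certificate files). It builds a constructed sample tree rather than touching `/etc/letsencrypt`, and `readlink -f` / `stat -c` assume GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# check_live_dir <live/domain dir>: resolve every *.pem symlink to its real
# file and compare the target's mode with what certbot is expected to set.
# Prints one line per problem; returns 1 if any problem found, 0 if clean.
check_live_dir() {
    dir="$1"
    status=0
    for link in "$dir"/*.pem; do
        [ -e "$link" ] || continue          # glob matched nothing
        target=$(readlink -f "$link")       # ../../archive/<domain>/xxxN.pem
        mode=$(stat -c '%a' "$target")      # mode of the real file, not the link
        case "$(basename "$link")" in
            privkey.pem) want=600 ;;        # private key: owner read/write only
            *)           want=644 ;;        # cert, chain, fullchain: world-readable is fine
        esac
        if [ "$mode" != "$want" ]; then
            echo "WRONG MODE: $link -> $target is $mode, expected $want"
            status=1
        fi
    done
    return "$status"
}

# setup_sample <base>: constructed stand-in for /etc/letsencrypt with the
# same live -> archive symlink layout seen in the ls output above.
setup_sample() {
    base="$1"
    mkdir -p "$base/archive/example.test" "$base/live/example.test"
    for f in cert chain fullchain privkey; do
        printf 'placeholder PEM data\n' > "$base/archive/example.test/${f}1.pem"
        ln -s "../../archive/example.test/${f}1.pem" "$base/live/example.test/$f.pem"
    done
    chmod 644 "$base/archive/example.test/cert1.pem" \
              "$base/archive/example.test/chain1.pem" \
              "$base/archive/example.test/fullchain1.pem"
    chmod 600 "$base/archive/example.test/privkey1.pem"
}
```

Running `check_live_dir /etc/letsencrypt/live/<domain>` on a real host reports nothing when certbot's defaults are intact; a world-readable `privkey1.pem` is the one finding that actually matters.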

Where does that plugin believe your key is?

Certbot will complain as well if your permissions aren't right, and it will set them appropriately when creating the files.


Welcome to the Let's Encrypt Community

I am fairly certain that RSS does not use the /etc/letsencrypt directory structure. It looks like you actually used certbot to generate the .pem files under live. If you can do that, you can (and certainly should) get rid of RSS completely.

