Public Key Permissions


#1

Hi,

I noticed today while doing some work to enable CSP and HSTS, that the private key files on my server are written with permissions 644 instead of 600.

Since Apache runs on Linux as root in most distributions, root can read the file, but nobody else.

Please make certbot write the permissions as 600.


#2

In /etc/letsencrypt/, the archive/, keys/ and live/ directories are all 700, so non-root users can’t actually access any of the files inside them, and the private keys aren’t at risk. It’s weird but not actually harmful.

There’s an open bug about this, but it hasn’t been prioritized.


#3

Hi, thank you for your response. I understand that the parent directories are set to 700, however I want to configure an ACL on the “live” directory to allow specific users access to read files within the directory, but still keep the private keys protected.

Since the files are already 644, it would be simple to change certbot so that just the keys are 600 while the directory acl’s are not touched.


#4

That is literally the root of the problem.
And I do see your point.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.