Recommended permissions on files distributed by Lets Encrypt

Just a general question about recommended permissions on various LE files.

I use certbot to renew my certs
I have following types of files
cert.pem
chain.pem
fullchain.pem
privkey.pem

I’m using my certs in various webservers (apache/nginx) and in reverse proxies.
Currently all of these files have 0644 permissions.
Are these the “best-practice” permission types for these files?

1 Like

The files are only readable as root by virtue of /etc/letsencrypt/archive being 0700.

Those files you mentioned are 0644 (in Cerbot <0.29), it’s true, but they are obscured from unprivileged users by the above directory permission.

Apache/nginx initially load their configuration as the root user and then drop privileges, so they are reading it as root as well. (With the except of when certificates in nginx are loaded via variables, in which case, they are read by the nginx user).

Whether the above is a best practice or not is a bit of a ¯\(ツ)/¯.

It’s a bit of a potential risk if the files are copied outside of the directory, since the protection of archive being 0700 is lost.

There’s some up to date discussion on the matter here: https://github.com/certbot/certbot/issues/7412 . I recommend carefully reading the response by adferrand which explains how things have improved across Certbot versions and can be further improved still.

1 Like

Thanks for explanation. Just for clarification – isn’t it really the privkey.pem that needs to be protected? I was under the impression that chhain files – such as fullchain.pem – are usually distributed during the course of the normal SSL handshake and therefore aren’t really secure per se.

And just to clarify – I know the directory under live/<domain name> contains symbolic links to /archive/<domain name> files. Should the let’s encrypt archive directory have 700 permissions or the archive/<domain name> subfolder, or both? I’m looking at my directory permissions, and for some reason I don’t see either of these directory with 700 permissions. I consulted the post you linked and within some of the responses it indicated the directory permissions could possibly be modified during the renewal process, and clearly mine don’t seem to be altered. I use cerbot .39.0 at the present time – so I don’t think its some out of date prior version.

You're correct.


For what it's worth, here's what one of my systems looks like:

$ ll /etc/letsencrypt/
total 64
drwxr-xr-x   9 root root  4096 Oct 18 17:15 ./
drwxr-xr-x 117 root root 12288 Oct 18 14:28 ../
drwx------   6 root root  4096 Mar 21  2018 accounts/
drwx------   9 root root  4096 Aug 16 20:28 archive/
-rw-r--r--   1 root root   121 Jan 31  2018 cli.ini
drwxr-xr-x   2 root root 12288 Oct 16 09:07 csr/
drwx------   2 root root 12288 Oct 16 09:07 keys/
drwx------   9 root root  4096 Aug 16 20:28 live/
drwxr-xr-x   2 root root  4096 Oct 16 09:07 renewal/
drwxr-xr-x   5 root root  4096 Oct 24  2017 renewal-hooks/
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.