Just a general question about recommended permissions on various LE files.
I use certbot to renew my certs
I have following types of files
cert.pem
chain.pem
fullchain.pem
privkey.pem
I’m using my certs in various webservers (apache/nginx) and in reverse proxies.
Currently all of these files have 0644 permissions.
Are these the “best-practice” permission types for these files?
The files are only readable as root by virtue of /etc/letsencrypt/archive being 0700.
Those files you mentioned are 0644 (in Certbot <0.29), it’s true, but they are obscured from unprivileged users by the above directory permission.
Apache/nginx initially load their configuration as the root user and then drop privileges, so they are reading it as root as well. (With the exception of when certificates in nginx are loaded via variables, in which case they are read by the nginx user.)
Whether the above is a best practice or not is a bit of a ¯\_(ツ)_/¯.
It’s a bit of a potential risk if the files are copied outside of the directory, since the protection of archive being 0700 is lost.
There’s some up-to-date discussion on the matter here: https://github.com/certbot/certbot/issues/7412 . I recommend carefully reading the response by adferrand, which explains how things have improved across Certbot versions and can be further improved still.
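A small audit script illustrating the point made in the reply above (this is an added example, not code from the thread or from Certbot): a 0644 privkey.pem stays out of reach of unprivileged users while some parent directory such as archive is 0700, and that shield is lost as soon as the file is copied elsewhere. It assumes GNU stat (-c %a) and builds a constructed directory tree instead of touching a real /etc/letsencrypt.

```shell
#!/bin/sh
# Added example: mode-based audit of a Let's Encrypt-style tree. Assumes GNU
# stat; the tree built by demo_tree is constructed, not a real /etc/letsencrypt.

other_digit() {            # "other" octal digit of a path's mode: 0644 -> 4
  m=$(stat -c %a "$1"); printf '%s\n' "${m#"${m%?}"}"
}
dir_traversable() {        # execute bit for "other" lets anyone descend into it
  case $(other_digit "$1") in 1|3|5|7) return 0 ;; esac; return 1
}
file_world_readable() {    # read bit for "other"
  case $(other_digit "$1") in 4|5|6|7) return 0 ;; esac; return 1
}
path_shielded() {          # ROOT FILE: true if a dir between them blocks "other"
  root=$1; d=$(dirname "$2")
  while :; do
    dir_traversable "$d" || return 0
    [ "$d" = "$root" ] || [ "$d" = "/" ] && return 1
    d=$(dirname "$d")
  done
}
# Print every regular file under ROOT that an unprivileged local user could
# actually read (world-readable AND every parent traversable). Exit 0 when
# nothing is exposed, 1 otherwise.
audit_le_tree() {
  root=$1; exposed=0
  for f in $(find "$root" -type f); do   # constructed paths contain no spaces
    if file_world_readable "$f" && ! path_shielded "$root" "$f"; then
      printf '%s\n' "$f"; exposed=1
    fi
  done
  return $exposed
}
# Build a constructed tree mirroring certbot's archive layout, plus one key
# copied outside it (the risk the reply above warns about). Prints the root.
demo_tree() {
  t=$(mktemp -d); chmod 0755 "$t"
  mkdir -p "$t/archive/example.com"; chmod 0755 "$t/archive/example.com"
  for n in cert chain fullchain privkey; do : > "$t/archive/example.com/$n.pem"; done
  chmod 0644 "$t/archive/example.com/"*.pem   # Certbot <0.29 defaults, per the reply
  chmod 0700 "$t/archive"                      # the directory doing the protecting
  cp "$t/archive/example.com/privkey.pem" "$t/copied-privkey.pem"
  printf '%s\n' "$t"
}
# usage: t=$(demo_tree); audit_le_tree "$t"   # lists only the copied-out key
```

Running the audit against the archive directory alone reports nothing, while running it against the parent reports only the copied key, because the copy no longer sits below the 0700 directory.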
Thanks for the explanation. Just for clarification – isn’t it really the privkey.pem that needs to be protected? I was under the impression that chain files – such as fullchain.pem – are usually distributed during the course of the normal SSL handshake and therefore aren’t really secure per se.
And just to clarify – I know the directory under live/<domain name> contains symbolic links to /archive/<domain name> files. Should the Let’s Encrypt archive directory have 700 permissions, or the archive/<domain name> subfolder, or both? I’m looking at my directory permissions, and for some reason I don’t see either of these directories with 700 permissions. I consulted the post you linked, and within some of the responses it indicated the directory permissions could possibly be modified during the renewal process, and clearly mine don’t seem to be altered. I use Certbot .39.0 at the present time – so I don’t think it’s some out-of-date prior version.