[resolved] Why is live subdirectory permissions 700?

I was debugging a problem with exim throwing errors on TLS connections and discovered that /etc/letsencrypt/live is owned by root with permissions 700, so it’s not accessible by other users.

All that’s in there is the certificate itself (not the private key), so I don’t understand why it needs to be restricted in that way. What I’d like to be able to do is just symlink to the copy of the certificate in the live subdirectory for use by other applications.

Is there any risk associated with changing the permissions to something more liberal, like 755?

It seems I posted a bit prematurely here. The live directory, of course, symlinks back to the archive directory, and that contains private keys as well. So it seems like I have no alternative but to set up a cron job to export the keys to the right places. …or is there a stub somewhere that runs when the keys rotate that I can add commands to do the exporting?

Look into “post validation hooks”.

straight from the docs at https://certbot.eff.org/docs/using.html#id19
If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

certbot renew --deploy-hook /path/to/deploy-hook-script
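A worked deploy-hook script, added here as an example and not taken from the certbot docs or from the original post: it copies the renewed chain and private key out of the live lineage directory into a location the mail server can read, with the key restricted to the owner and one group. It relies on the `RENEWED_LINEAGE` environment variable that certbot sets for deploy hooks; the destination directory `/etc/exim4/tls`, the `exim` owner/group and the reload command are assumptions to adapt to the local install.

```shell
#!/bin/sh
# certbot deploy hook (example): export the renewed cert and key for exim.
# Invoked by certbot as:  certbot renew --deploy-hook /path/to/this-script
set -eu

# copy_cert SRC_LIVE_DIR DEST_DIR OWNER GROUP
#   SRC_LIVE_DIR: the live lineage directory, e.g. /etc/letsencrypt/live/mail.example.com
#   DEST_DIR:     where the application expects its cert/key (created if absent)
#   OWNER/GROUP:  account that must be able to read the private key
copy_cert() {
    src="$1"; dest="$2"; owner="$3"; group="$4"
    [ -r "$src/fullchain.pem" ] || { echo "missing $src/fullchain.pem" >&2; return 1; }
    [ -r "$src/privkey.pem" ]   || { echo "missing $src/privkey.pem" >&2; return 1; }
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # Copy to temporary names first and rename at the end, so the daemon never
    # reads a half-written key and a failed copy leaves the old files in place.
    cp "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$src/privkey.pem"   "$dest/privkey.pem.tmp"
    chown "$owner:$group" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"   # public chain: world-readable is fine
    chmod 0640 "$dest/privkey.pem.tmp"     # private key: owner + group only
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# key_mode FILE: print the octal permission bits (GNU stat, BSD stat fallback);
# used as a post-copy sanity check that the key did not end up world-readable.
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# certbot sets RENEWED_LINEAGE only when running us as a deploy hook; when the
# variable is absent (manual invocation, sourcing for tests) do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Owner/group "exim" and the destination path are assumptions for this example.
    copy_cert "$RENEWED_LINEAGE" /etc/exim4/tls exim exim
    [ "$(key_mode /etc/exim4/tls/privkey.pem)" = "640" ] || { echo "bad key mode" >&2; exit 1; }
    # Reload the daemon so it picks up the new key (command depends on the distro):
    # systemctl reload exim4
fi
```

Because the hook copies files rather than following the `live` symlinks, the `live` and `archive` directories can stay at their default `700`, and only the exported key gets the wider group read bit that the mail server needs.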

Sounds like just what I needed. Thanks!


You can also use setfacl to grant additional permissions to users, e.g.

sudo setfacl -Rm 'u:exim:rX,d:u:exim:rX' /etc/letsencrypt/*/mail.example.com
