Re: [exim] tls_certificate weirdness

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] tls_certificate weirdness

> On Aug 21, 2016, at 7:01 PM, Phillip Carroll <domainmanager@???> wrote:
>
> The Letsencrypt "certbot" script installs certificate files and key files (in Centos at least) using the following symlinks:
> /etc/letsencrypt/live/<domain>/cert.pem
> /etc/letsencrypt/live/<domain>/chain.pem
> /etc/letsencrypt/live/<domain>/fullchain.pem (cert+chain)
> /etc/letsencrypt/live/<domain>/privkey.pem
> (where <domain> is the principal domain of the certificate)
>
> The actual files are stored at:
> /etc/letsencrypt/archive/<domain>/cert<n>.pem
> Where <n> is a serial that indicates the nth renewal.
>
> All directories on both paths are root owned, with 777 permissions, as are the symlinks. The cert and chain files are also root owned and world readable with 644 permissions.
World-readable keys are in almost all cases unwise. You might create a "keyread"
group, chgrp the key file and containing directories up to /etc/letsencrypt to "keyread",
then chmod the same containing directories to "02755" and the key file permissions to 0640.
The sticky bit on the directory should ensure that any new files and sub-directories inherit
the "keyread" group.

As others have said, don't use 0777 on the directories, perhaps you
were looking at symlinks which are always 0777.

Finally, you'll need to ensure that when Exim drops privs to the "exim" user, either
the primary or one of the secondary groups it sets is "keyread"...

-- 
    Viktor.
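The group-based lockdown described in the reply above, written out as an added shell example (not code from the thread or from certbot). It assumes GNU coreutils/findutils (stat -c, chgrp, chmod, find -exec {} +), that the "keyread" group already exists, and that certbot's real files live under <base>/archive as in the post; the base directory and group are parameters so the same functions can be exercised on a scratch copy.

```shell
#!/bin/sh
# Lock down Let's Encrypt private keys to a dedicated group so that Exim can
# read them after dropping privileges, without leaving them world-readable.
# Usage: harden_le_keys [BASE_DIR] [GROUP]   (defaults: /etc/letsencrypt keyread)

harden_le_keys() {
    base=${1:-/etc/letsencrypt}
    grp=${2:-keyread}

    # Directories on both the live/ and archive/ paths: group GROUP, mode 02755.
    # The setgid bit (the "2") makes new files and sub-directories inherit the
    # group; world execute is kept so symlink traversal still works. Never 0777.
    find "$base" -type d -exec chgrp "$grp" {} + -exec chmod 02755 {} +

    # Private keys in archive/ (the symlink targets): group GROUP, mode 0640.
    # cert<n>.pem / chain<n>.pem / fullchain<n>.pem are public and stay 0644.
    find "$base/archive" -type f -name 'privkey*.pem' \
        -exec chgrp "$grp" {} + -exec chmod 0640 {} +
}

# Report any private key that is still world-readable; returns 1 if one is found.
check_le_keys() {
    base=${1:-/etc/letsencrypt}
    bad=$(find "$base/archive" -type f -name 'privkey*.pem' -perm -o=r)
    if [ -n "$bad" ]; then
        printf 'world-readable private key(s):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Check that USER (e.g. the "exim" user) has GROUP as its primary or a
# secondary group, which is the last step in the reply above.
# Fix with:  usermod -aG keyread exim   (then restart Exim).
user_in_group() {
    user=$1
    grp=$2
    id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"
}
```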