[Letsencrypt-devel] Bug#893738: certbot: ssl-cert group should be able to read certs
Jasen Betts
jasen at treshna.com
Wed Mar 21 21:26:46 UTC 2018
Package: certbot
Version: 0.10.2-1
Severity: normal
Dear Maintainer,
debian provides a group "ssl-cert" (maybe this is part of snakeoil?)
this group should probably have read permission to the certificates
generated by certbot.
I was installing "prayer" webmail server and it refued to start in TLS
mode using my letsencrypt cert.
This seems to fix it.
chmod g+x /etc/letsencrypt/live/ /etc/letsencrypt/archive/
chown :ssl-cert /etc/letsencrypt/live/ /etc/letsencrypt/archive/
Read access on those directories is not needed (only execute is needed)
but denying read is probably not significantly improving security, all
the hidden filenames are easy to guess.
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.8-x86_64-linode103 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages certbot depends on:
ii init-system-helpers 1.48
ii python 2.7.13-2
ii python-certbot 0.10.2-1
certbot recommends no packages.
Versions of packages certbot suggests:
pn python-certbot-apache <none>
pn python-certbot-doc <none>
-- no debconf information
More information about the Letsencrypt-devel
mailing list