[Letsencrypt-devel] Bug#893738: certbot: ssl-cert group should be able to read certs

Jasen Betts jasen at treshna.com
Wed Mar 21 21:26:46 UTC 2018

Package: certbot
Version: 0.10.2-1
Severity: normal

Dear Maintainer,

debian provides a group "ssl-cert" (maybe this is part of snakeoil?)
this group should probably have read permission to the certificates 
generated by certbot.

I was installing "prayer" webmail server and it refued to start in TLS
mode using my letsencrypt cert.

This seems to fix it.

 chmod g+x        /etc/letsencrypt/live/ /etc/letsencrypt/archive/
 chown :ssl-cert  /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Read access on those directories is not needed (only execute is needed) 
but denying read is probably not significantly improving security, all
the hidden filenames are easy to guess.

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.8-x86_64-linode103 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages certbot depends on:
ii  init-system-helpers  1.48
ii  python               2.7.13-2
ii  python-certbot       0.10.2-1

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-apache  <none>
pn  python-certbot-doc     <none>

-- no debconf information

More information about the Letsencrypt-devel mailing list