Package: certbot
Version: 0.10.2-1
Severity: normal

Dear Maintainer,

Debian provides a group "ssl-cert" (maybe this is part of snakeoil?). This group should probably have read permission to the certificates generated by certbot.

I was installing "prayer" webmail server and it refused to start in TLS mode using my letsencrypt cert. This seems to fix it:

    chmod g+x /etc/letsencrypt/live/ /etc/letsencrypt/archive/
    chown :ssl-cert /etc/letsencrypt/live/ /etc/letsencrypt/archive/

Read access on those directories is not needed (only execute is needed), but denying read is probably not significantly improving security; all the hidden filenames are easy to guess.

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.15.8-x86_64-linode103 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages certbot depends on:
ii  init-system-helpers  1.48
ii  python               2.7.13-2
ii  python-certbot       0.10.2-1

certbot recommends no packages.

Versions of packages certbot suggests:
pn  python-certbot-apache  <none>
pn  python-certbot-doc     <none>

-- no debconf information
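
An added example, not part of the original report or of certbot: a shell check of what the proposed `chmod g+x` changes for a key file below `archive/`, judged from mode bits alone. The function names, the temporary tree and the 0644 key mode are constructed for illustration; it assumes GNU `stat`, the same owner and group along the whole path, and no ACLs.

```shell
#!/bin/sh
# Added example: classify which permission class can read FILE below ROOT.
# A class can read the file only if it has x on every directory from ROOT
# down to the file and r on the file itself. Mode bits only: ACLs and
# differing owners/groups along the path are not considered (assumption).
# Point it at files under archive/, not at the symlinks in live/.

# exposure ROOT FILE -> prints "other", "group" or "owner"
exposure() {
    root=$1 file=$2
    mode=$(stat -c '%a' "$file") || return 1
    g=$(( (0$mode & 040) != 0 ))      # group read bit on the file
    o=$(( (0$mode & 004) != 0 ))      # other read bit on the file
    d=$(dirname "$file")
    while :; do
        m=$(stat -c '%a' "$d") || return 1
        if [ $(( 0$m & 010 )) -eq 0 ]; then g=0; fi   # no group traverse
        if [ $(( 0$m & 001 )) -eq 0 ]; then o=0; fi   # no other traverse
        if [ "$d" = "$root" ]; then break; fi
        if [ "$d" = "/" ] || [ "$d" = "." ]; then return 1; fi  # not under ROOT
        d=$(dirname "$d")
    done
    if [ "$o" -eq 1 ]; then echo other
    elif [ "$g" -eq 1 ]; then echo group
    else echo owner
    fi
}

# Constructed tree: archive/ starts at 0700 and holds a 0644 key file.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/archive/example.test"
    chmod 755 "$t" "$t/archive/example.test"
    chmod 700 "$t/archive"
    key=$t/archive/example.test/privkey1.pem
    : > "$key"
    chmod 644 "$key"
    before=$(exposure "$t" "$key")
    chmod g+x "$t/archive"            # the change proposed in the report
    after=$(exposure "$t" "$key")
    rm -rf "$t"
    echo "before=$before after=$after"
}

demo
```

With the directory at 0700 the file mode is irrelevant; once group traverse is granted, the key file's own mode decides whether every member of the directory's group can read it.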