On 2017-02-07 at 05:42 (GMT), Adam Borowski wrote: [...]
> Hi! > Currently, dehydrated creates both the parent directories and certs/privkeys > it outputs with permissions for root only. This works for daemons that load > everything as root (apache, etc) but not for those that drop privileges early > (exim, postgres, etc). > > As far as I know, the recommended way to do so is adding the daemons to > group ssl-cert which is created by some (but not all) ssl key generating > packages; those which do make /etc/ssl/private/ readable by that group. > > I think it'd be a good idea for dehydrated to support this group by default: > * directories as root:ssl-cert mode 710 > * .pem files as root:ssl-cert mode 640 +1 on my side, too. Cheers. -- Matteo F. Vescovi
signature.asc
Description: PGP signature
_______________________________________________ Letsencrypt-devel mailing list Letsencrypt-devel@lists.alioth.debian.org https://lists.alioth.debian.org/mailman/listinfo/letsencrypt-devel