
I have successfully configured Letsencrypt for my NGINX webserver on Debian 8 Jessie.

Now I have installed Postgresql 9.4 and want to use the LE certificates (in /etc/letsencrypt/live/mydomain/com/...) for its SSL connection. I've set the paths to the certificate and the key in the config file ( /etc/postgresql/9.4/main/postgresql.conf).

Predictably when I try to restart Postgres via pg_ctlcluster it fails because of Permission denied to the certificate. I understand that Postgresql is run with the user postgres and that this user does not have access to this directory.

How do I fix this in a clean way?

algielen

2 Answers


You can either add the postgres user to the wheel group or a different group that can have access to the directory /etc/letsencrypt/live/mydomain/, or make the postgres user owner of the certificate (if it is used exclusively).

Example commands to make postgres the owner, using a hypothetical location:

sudo mkdir /etc/postgres/
sudo mv /etc/letsencrypt/live/mydomain/com/pg.crt /etc/postgres/pg.crt
sudo mv /etc/letsencrypt/live/mydomain/com/pg.key /etc/postgres/pg.key
sudo chown -R postgres: /etc/postgres

Then you need to adjust the /etc/postgresql/9.4/main/postgresql.conf to point to the new path.

hd1
silviud
    LetsEncrypt certs must be renewed every 2 months, so it's not a good idea to just move the files. Better tell Postgres to use the /etc/letsencrypt/live/* location directly. – Adrien Jun 11 '17 at 11:45
  • You can use a certbot hook to run a script that copies the certificate and private key and chowns them on every renewal. (Moving the symlinks from /etc/letsencrypt/live is unlikely to help, the files they point to will still be unreadable for non-root users.) – Marius Gedminas Dec 20 '18 at 13:14
  • It's ~3 months, @Adrien – hd1 Aug 30 '19 at 19:45
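The certbot renewal hook suggested in the comments above, written out as an added example that is not part of the original answers: it copies the renewed fullchain.pem and privkey.pem out of the live/ directory into a directory owned by postgres, sets the 0600 mode PostgreSQL requires on the key file, and restarts the 9.4 cluster (9.4 reads its SSL files only at startup). The destination /etc/postgresql/9.4/main/ssl and the server.crt / server.key names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: a certbot --deploy-hook script.
# Assumed: destination /etc/postgresql/9.4/main/ssl, cluster "9.4 main", owner postgres.
set -eu

# Copy fullchain.pem and privkey.pem from $1 (a certbot live/<domain> directory)
# into $2, owned by $3, with the key readable only by that user.
install_pg_certs() {
    lineage="$1"; dest="$2"; owner="$3"

    # Refuse to proceed if the expected files are missing.
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1

    mkdir -p "$dest"
    # cp -L follows the live/ symlinks, so $dest gets real files, not links
    # into the root-only archive/ directory.
    cp -L "$lineage/fullchain.pem" "$dest/server.crt"
    cp -L "$lineage/privkey.pem" "$dest/server.key"
    chown "$owner" "$dest/server.crt" "$dest/server.key"
    # PostgreSQL refuses to start if the key allows group or world access.
    chmod 0644 "$dest/server.crt"
    chmod 0600 "$dest/server.key"
}

# Returns 0 only if the key in $1 has the 0600 mode PostgreSQL checks at startup.
key_mode_ok() {
    [ "$(stat -c %a "$1/server.key")" = "600" ]
}

# When certbot runs this as a deploy hook, RENEWED_LINEAGE points at live/<domain>.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_pg_certs "$RENEWED_LINEAGE" /etc/postgresql/9.4/main/ssl postgres
    # 9.4 loads the SSL files only at server start, so a reload is not enough.
    pg_ctlcluster 9.4 main restart
fi
```

Register it with `certbot renew --deploy-hook /path/to/this/script` (or drop it in /etc/letsencrypt/renewal-hooks/deploy/ on newer certbot versions) so it runs after every successful renewal.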

Or add an ACL to the directory that the key is stored in (make it the default ACL so that it will work when new files are added).

The directory you need to set the ACL on is (at least on CentOS) /etc/letsencrypt/archive/[your fqdn here], as the files in /etc/letsencrypt/live/[your fqdn here] are just symlinks.