
I use certbot to generate certificate files. The certificate files are created in /etc/letsencrypt/live/.... The live folder is created by certbot and is only accessible to admins.

In the past, I then copied these files to the folder of my application, and that worked fine. But it felt wrong to copy the certificate files.

So, I am wondering if there is a possibility to leave the files where they are. I tried to put this into practice, but I am struggling to give my application access to the folder. I had no problems adjusting the paths, but it has no privileges to access the folder.

I am wondering how I can give my application access to the files.

The application is launched using a systemd configuration file. I originally had this systemd config:

[Unit]
Description=my-service
Documentation=http://documentation.domain.com
After=network.target

[Service]
Type=simple
TimeoutSec=0
User=ubuntu
ExecStart=/usr/bin/node /home/ubuntu/my-service/server.js
Restart=on-failure

[Install]
WantedBy=multi-user.target

I tried adding the following line, but it made no difference.

PermissionsStartOnly=true
  • The user that this service runs as is `ubuntu`; doesn't this user have access to the certificates folder? `The live folder is created by certbot and is only accessible to admins.` For admins it must be read/write etc., but it should be available for read to others. Check the folder permissions; I think you must be OK for `read`. In case you want `write` access, then add `ubuntu` to the admins group and change the folder permissions so that `group` has `write` access. – Peter Darmis Oct 11 '19 at 20:16

1 Answer


I don't think that copying certificate files from /etc/letsencrypt/live to an application's folder is wrong. I suggest you do so by defining a custom script in the /etc/letsencrypt/renewal-hooks/deploy folder, which would also reload the application each time the corresponding certificate is renewed. For example:

#!/bin/sh

# /etc/letsencrypt/renewal-hooks/deploy/example-com_deploy.sh

set -e

for domain in $RENEWED_DOMAINS; do
        case $domain in
        example.com)
                daemon_cert_root=/etc/some-daemon/certs

                # Make sure the certificate and private key files are
                # never world readable, even just for an instant while
                # we're copying them into daemon_cert_root.
                umask 077

                cp "$RENEWED_LINEAGE/fullchain.pem" "$daemon_cert_root/$domain.cert"
                cp "$RENEWED_LINEAGE/privkey.pem" "$daemon_cert_root/$domain.key"

                # Apply the proper file ownership and permissions for
                # the daemon to read its certificate and key.
                chown some-daemon "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"
                chmod 400 "$daemon_cert_root/$domain.cert" \
                        "$daemon_cert_root/$domain.key"

                service some-daemon restart >/dev/null
                ;;
        esac
done

Please check this URL for details: https://certbot.eff.org/docs/using.html#renewing-certificates
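The same deploy-hook approach adapted to the question's own unit, as an added example that is not part of the original answer or of certbot's documentation. RENEWED_DOMAINS and RENEWED_LINEAGE are the variables certbot really exports to deploy hooks; everything else (the DEST_DIR under /home/ubuntu/my-service, the SERVICE_USER, the RELOAD_CMD, the example.com domain names) is an assumption chosen for illustration. Compared with the script above, it writes each file to a temporary name and renames it into place, so the service can never open a half-written key, and it restarts the service once after the loop rather than once per domain.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook for the
# question's my-service unit. certbot runs it as root after each successful
# renewal with RENEWED_DOMAINS and RENEWED_LINEAGE set; DEST_DIR,
# SERVICE_USER and RELOAD_CMD are this example's own knobs (assumptions).
set -eu

DEST_DIR="${DEST_DIR:-/home/ubuntu/my-service/certs}"
SERVICE_USER="${SERVICE_USER:-ubuntu}"
RELOAD_CMD="${RELOAD_CMD:-systemctl restart my-service}"

# install_cert LINEAGE DOMAIN: copy fullchain.pem/privkey.pem out of LINEAGE
# into DEST_DIR as DOMAIN.cert / DOMAIN.key, owned by SERVICE_USER, mode 0400.
# Each file is written under a temporary name and then renamed, so the
# service never observes a partially written certificate or key.
install_cert() {
    lineage="$1"; domain="$2"
    umask 077                      # nothing we create is ever group/world readable
    mkdir -p "$DEST_DIR"
    for pair in "fullchain.pem:$domain.cert" "privkey.pem:$domain.key"; do
        src="$lineage/${pair%%:*}"
        dst="$DEST_DIR/${pair#*:}"
        [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
        cp "$src" "$dst.tmp"
        chmod 400 "$dst.tmp"
        # chown only when running as root (certbot normally does); an
        # unprivileged dry run of this script simply keeps the caller's uid.
        if [ "$(id -u)" -eq 0 ]; then chown "$SERVICE_USER" "$dst.tmp"; fi
        mv -f "$dst.tmp" "$dst"
    done
}

# deploy_renewed: walk certbot's RENEWED_DOMAINS, install the ones this
# service serves, and restart the service once if anything was installed.
# Prints the number of domains installed so callers (and tests) can check it.
deploy_renewed() {
    installed=0
    for domain in ${RENEWED_DOMAINS:-}; do
        case "$domain" in
        example.com|www.example.com)
            install_cert "$RENEWED_LINEAGE" "$domain"
            installed=$((installed + 1))
            ;;
        esac
    done
    if [ "$installed" -gt 0 ]; then
        $RELOAD_CMD >/dev/null
    fi
    echo "$installed"
}

# When certbot (or an operator) runs this file directly, do the deployment.
deploy_renewed
```

Install it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ and it runs on every successful renewal. To exercise it by hand without waiting for a renewal, run it as root with RENEWED_DOMAINS and RENEWED_LINEAGE exported to a real lineage (for instance /etc/letsencrypt/live/example.com), or, as in the check below, with DEST_DIR and RELOAD_CMD pointed at a scratch directory and a harmless command.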