
I am using Webmin + Virtualmin to host and manage websites. There is a Let's Encrypt module to configure automatic SSL certificate renewal after some period of time. Certificates are placed in the user's home folder: /home/website1, /home/website2, etc.

I need to configure Tomcat to work with these automatically generated certificates.

The problem is that the 2 certificates ssl.cert and ssl.key have chmod 700 (can't be read by the group) and the owner is the website user.

How can I change the permissions to 750 while generating new certificates? Or is there another way to let Tomcat read these certificates?

Daniele Santi
Unibit

1 Answer


Keys should not have permission 700; they should have 600 or 400. Many programs will refuse to use a key if it has permissions for group or other. (Certificates also have no need for execute permission.)

Certificates, on the other hand, are not sensitive; they are sent over the network whenever a client connects. If your Let's Encrypt client creates them unreadable for others, just make a copy or run chmod after the certificates are retrieved.

The mode 700 suggests that there is a configuration for the mode of the certificates, and that it is configured wrong.

RalfFriedl
  • The owner of the key and certificate is website1 and the user group is the same, website1 (at this moment the only member of this group is website1, but I can add the Tomcat user to this group). So there would not be a security issue if I make it chmod 750. How can I catch the moment when the new certificate is retrieved and change the chmod or copy it? – Unibit Nov 13 '18 at 10:34
  • You don't need to catch the moment; it's enough to run a cron job daily. Let's Encrypt recommends renewing the certificates 30 days before they expire. You don't need the newest certificate, just a valid certificate. – RalfFriedl Nov 13 '18 at 17:55
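A daily cron script along the lines RalfFriedl suggests, as an added example that is not part of the original answer: it copies the site's ssl.cert and ssl.key from the Virtualmin home directory into a directory Tomcat can read, leaving the certificate world-readable and the key readable by owner and group only, and does nothing when the installed copy is already current. The destination directory, the "tomcat" group and GNU stat are assumptions.

```shell
#!/bin/sh
# sync_le_cert.sh (added example): copy a Virtualmin site's Let's Encrypt
# files into a directory Tomcat can read, with sane modes.  Run daily from
# cron, e.g.
#   0 3 * * * /usr/local/sbin/sync_le_cert.sh /home/website1 /etc/tomcat/ssl/website1 tomcat
# ssl.cert / ssl.key are the names from the question; the destination
# directory and the "tomcat" group are assumptions, adjust to your layout.
set -u

# sync_cert SRC_DIR DST_DIR [GROUP]
# Returns 0 when new files were installed, 3 when the installed copy is
# already current, 1 on error.
sync_cert() {
    src="$1"; dst="$2"; group="${3:-}"
    [ -r "$src/ssl.cert" ] && [ -r "$src/ssl.key" ] || return 1
    mkdir -p "$dst" && chmod 750 "$dst" || return 1
    # Nothing to do unless the source is newer than what is installed.
    if [ -e "$dst/ssl.key" ] && ! [ "$src/ssl.key" -nt "$dst/ssl.key" ] &&
       ! [ "$src/ssl.cert" -nt "$dst/ssl.cert" ]; then
        return 3
    fi
    # Stage under temporary names, then rename, so Tomcat never reads a
    # half-written file if it reloads while cron is running.
    cp "$src/ssl.cert" "$dst/.ssl.cert.tmp" && cp "$src/ssl.key" "$dst/.ssl.key.tmp" || return 1
    # The certificate is public: world-readable.  The key stays private:
    # owner and Tomcat's group only, never "other".
    chmod 644 "$dst/.ssl.cert.tmp" && chmod 640 "$dst/.ssl.key.tmp" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dst/.ssl.cert.tmp" "$dst/.ssl.key.tmp" || return 1
    fi
    mv "$dst/.ssl.cert.tmp" "$dst/ssl.cert" && mv "$dst/.ssl.key.tmp" "$dst/ssl.key" || return 1
}

# Cron entry point: only runs when called with arguments, so the functions
# can also be sourced from another script.
if [ $# -ge 2 ]; then
    sync_cert "$@"
    rc=$?
    case $rc in
        0) echo "installed new certificate from $1 into $2" ;;
        3) rc=0 ;;                          # already current, not an error
        *) echo "sync_cert: failed for $1" >&2 ;;
    esac
    exit $rc
fi
```

Point Tomcat's connector at the copies in the destination directory; because the files are replaced by rename, a daily run that finds nothing newer leaves them untouched.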