kuba/simp_le#29 says that simp_le creates the private key as world readable. dokku uses the files as the root user. So I think they can set more secure permissions.
How about this patch?
diff --git a/functions b/functions
index 67e092a..7685bb3 100755
--- a/functions+++ b/functions@@ -68,6 +68,7 @@ letsencrypt_create_root () {
# Set up folders
if [ ! -d "$LETSENCRYPT_ROOT" ]; then
mkdir -p "$LETSENCRYPT_ROOT"
+ chmod 600 "$LETSENCRYPT_ROOT"
fi
}
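Review bot: `chmod 600` is the wrong mode for a directory; a directory needs the search (execute) bit to be traversed, so the owner-only mode for `$LETSENCRYPT_ROOT` is `chmod 700`. Root is unaffected either way, but every non-root process is locked out, which makes the question of which user nginx and the certs commands run as the deciding one. Because the `chmod` sits inside the `if [ ! -d "$LETSENCRYPT_ROOT" ]` block it only runs when the directory is first created, so installations that already have the directory keep their current mode. It also does not touch the mode of the key file simp_le writes inside the directory, which the issue says is created world readable.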
or this one?
diff --git a/functions b/functions
index 67e092a..a965ee4 100755
--- a/functions+++ b/functions@@ -69,6 +69,7 @@ letsencrypt_create_root () {
if [ ! -d "$LETSENCRYPT_ROOT" ]; then
mkdir -p "$LETSENCRYPT_ROOT"
fi
+ chmod 600 "$LETSENCRYPT_ROOT"
}
letsencrypt_get() {
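Review bot: moving the `chmod` after the `fi` makes it run on every call, so existing installs get tightened as well; that is preferable to the guarded variant. The same mode point applies: use `chmod 700` for a directory, since 600 drops the search bit. Since `letsencrypt_create_root` only sets the directory mode, the key file simp_le creates inside it is still world readable on its own and is shielded only by the directory; consider a follow-up `chmod 600` on the key after simp_le writes it, or running simp_le under a restrictive umask.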
Welcome @znz and thanks for the suggestion, I agree that we should protect the keys as much as we can! There was some previous discussion in #6 but since a lot has changed since then we can definitely re-visit this.
Permissions-wise, the following things need access to the certificates/keys:

- The `dokku letsencrypt` command (write access to certs + key + settings)
- The certificate-using dokku commands such as `certs:info`, `letsencrypt:ls`, etc. (read access to certs)
- The nginx process (read access to certs + key)
I'm not sure at this point what users these processes are running under and how far we can restrict permissions. Have you tried changing the permissions you suggest manually and do the aforementioned bullet points still work for you?
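The manual check suggested above can be scripted. The following is an added example, not code from dokku, the letsencrypt plugin or simp_le: it applies owner-only modes to a Let's Encrypt root directory (700 for directories, which keep the search bit, 600 for files) and then audits the tree for anything still readable by "other". The directory name and the layout under it are assumptions; the functions treat every regular file under the root as sensitive.

```shell
#!/bin/sh
# Added example (not dokku's, the plugin's or simp_le's code): tighten and
# audit permissions under a Let's Encrypt root directory. The root path is
# an assumption; every regular file below it is treated as sensitive.
set -eu

# Owner-only modes: directories need the search (x) bit to be traversed,
# so they get 700 rather than 600; key and certificate files get 600.
harden_letsencrypt_root() {
    root="$1"
    [ -d "$root" ] || mkdir -p "$root"
    chmod 700 "$root"
    find "$root" -type d -exec chmod 700 {} +
    find "$root" -type f -exec chmod 600 {} +
}

# Print every file under the root that is still readable by "other"
# (mode bit 004). Output is empty when the tree is locked down.
world_readable_files() {
    find "$1" -type f -perm -004
}

# Return 0 when nothing under the root is world readable, 1 otherwise,
# listing the offending files on stderr.
check_letsencrypt_root() {
    leaks=$(world_readable_files "$1")
    if [ -n "$leaks" ]; then
        printf 'world-readable files under %s:\n%s\n' "$1" "$leaks" >&2
        return 1
    fi
    return 0
}
```

Run `check_letsencrypt_root /path/to/letsencrypt` after a renewal to catch a key that simp_le wrote with a permissive mode; the owner-only modes assume the consumers listed in the comment above all run as root, as the issue author states dokku does, so if nginx workers or the certs commands turn out to run as another user they will be denied access until a group-based scheme is added.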