I got SSL certificates with Let's Encrypt and established HTTPS communication with docker-compose's nginx container.
I was able to connect successfully, but I was worried about the access permissions of the folder.
The environment is Amazon Linux 2, and the SSL certificates obtained by Let's Encrypt are stored in /etc/letsencrypt/live/www.example.com/.
Here, the access permissions for the live folder are as follows.
drwx------ 3 root root 47 Nov 9 02:12 live
So it seems that the ec2-user user cannot access it.
To use the SSL certificates, I copied the pem files to the appropriate folder with root privileges and was able to connect successfully, but is this the right way?
This time, I copied the pem files to /home/ec2-user/ssl as shown below.
drwxrwxr-x 2 ec2-user ec2-user 93 Nov 9 05:32 ssl
[ec2-user@ip-***-***-***-*** ssl]$ ls -la
total 24
drwxrwxr-x 2 ec2-user ec2-user 93 Nov 9 05:32 .
drwx------ 7 ec2-user ec2-user 163 Nov 9 05:31 ..
-rw-r--r-- 1 root root 1854 Nov 9 03:14 cert.pem
-rw-r--r-- 1 root root 3749 Nov 9 03:14 chain.pem
-rw-r--r-- 1 root root 5603 Nov 9 05:32 fullchain.pem
-rw------- 1 root root 1708 Nov 9 03:14 privkey.pem
-rw-r--r-- 1 ec2-user ec2-user 692 Nov 9 03:14 README
By the way, when I accessed /etc/letsencrypt/live/www.example.com/, the directory from which I copied the files, and ran docker-compose up -d, I got the following error.
It is probably an access permissions error.
[emerg] 1#1: cannot load certificate "/etc/letsencrypt/live/www.example.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/www.example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
The README said DON'T MOVE.
docker-compose.yml -> nginx volumes
    volumes:
      ...
      - /etc/letsencrypt/live/www.example.com:/etc/nginx/certs #error
      # - /home/ec2-user/ssl:/etc/nginx/certs #ok
      ...
default.conf
server {
    server_name www.example.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/certs/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/privkey.pem;
    ...
}
The nginx must be started as root so it can read the certs of the root user. Then nginx will start workers on behalf of the www-data user. It's similar to Apache httpd: How does Apache access SSL certs created by root user? Speaking about where to place certs: there is no clear answer https://serverfault.com/questions/259302/best-location-to-keep-ssl-certificates-and-private-keys-on-ubuntu-servers
I solved this problem.
The pem files in /etc/letsencrypt/live/www.example.com/ were symbolic links.
So I should have mounted /etc/letsencrypt/.
The real pem files are in /etc/letsencrypt/archive/www.example.com/.
docker-compose.yml -> nginx volumes
    volumes:
      ...
      - /etc/letsencrypt:/etc/letsencrypt
      ...
default.conf
server {
    server_name www.example.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    ...
}
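A pre-flight check for the two problems in this thread, as an added example that is not part of the original question or answers: it verifies that every symlink under a live/ directory resolves inside the host path you intend to bind-mount (so the container will not see dangling links), and that the private key is not readable by other users. The demo tree with placeholder files is constructed here and contains no real certificates.

```bash
#!/bin/sh
# Let's Encrypt's live/<domain>/*.pem files are symlinks into ../../archive/<domain>/.
# A bind mount of live/<domain> alone therefore leaves dangling links in the container.
# Usage: mount_covers_links <dir-with-pem-links> <host-path-to-be-mounted>
# Returns 0 if every link target lies inside the mounted path, 1 otherwise.
# Assumes certbot-style relative links, or a mount to the same path as on the host.
mount_covers_links() {
    live_dir=$1
    mount_root=$(readlink -f -- "$2")
    rc=0
    for f in "$live_dir"/*.pem; do
        [ -e "$f" ] || continue
        target=$(readlink -f -- "$f")      # canonical path of the real file
        case "$target" in
            "$mount_root"/*) ;;            # inside the mount: visible in the container
            *) echo "NOT COVERED: $f -> $target (outside $mount_root)"; rc=1 ;;
        esac
    done
    return $rc
}

# The private key must not be group/world readable on the host.
# Returns 0 for mode 600 or 400, 1 otherwise.
privkey_is_private() {
    mode=$(stat -c %a -- "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "privkey mode is $mode, expected 600"; return 1 ;;
    esac
}

# Constructed demo tree mirroring the /etc/letsencrypt layout (placeholder text, not keys).
make_demo_tree() {
    root=$1
    mkdir -p "$root/archive/www.example.com" "$root/live/www.example.com"
    for n in cert chain fullchain privkey; do
        echo "placeholder $n" > "$root/archive/www.example.com/${n}1.pem"
        ln -s "../../archive/www.example.com/${n}1.pem" "$root/live/www.example.com/$n.pem"
    done
    chmod 600 "$root/archive/www.example.com/privkey1.pem"
}

# Stand-alone run: mounting live/<domain> fails the check, mounting the root passes.
if [ "${DEMO:-1}" = 1 ] && [ -z "$NO_DEMO" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    mount_covers_links "$demo/live/www.example.com" "$demo/live/www.example.com" || echo "live-only mount would break"
    mount_covers_links "$demo/live/www.example.com" "$demo" && echo "letsencrypt root mount is fine"
    privkey_is_private "$demo/archive/www.example.com/privkey1.pem" && echo "privkey permissions ok"
    rm -rf "$demo"
fi
```

Run it against the real tree with `mount_covers_links /etc/letsencrypt/live/www.example.com /etc/letsencrypt` (needs root to read the key) before editing the volumes section.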