Default folder ACL permission not assigned to Let's Encrypt key file

Sakamoto Ryōma

Verified User | Joined: Jun 4, 2011 | Messages: 69
I have set an ACL on the SSL folder in the Rocky Linux distro. The folder has a default rx entry for my custom user, but when new SSL certificate and key files are created, the certificate files have the proper rights while the key file does not. So I have a problem accessing the key file.

This is the result of getfacl for the folder where the SSL certificate and key are stored.

getfacl /usr/local/directadmin/data/users/xyz/domains/
# file: usr/local/directadmin/data/users/xyz/domains/
# owner: diradmin
# group: diradmin
user::rwx
user:myuser:r-x
group::--x
mask::r-x
other::--x
default:user::rwx
default:user:myuser:r-x
default:group::--x
default:mask::r-x
default:other::--x

This is the result for the newly created .key file inside that folder.

getfacl /usr/local/directadmin/data/users/xyz/domains/example.com.key
# file: usr/local/directadmin/data/users/xyz/domains/example.com.key
# owner: diradmin
# group: access
user::rw-
group::r--
other::---
 
I found the solution to this problem by adding a cron on the root user (system level) to run setfacl on the certificate files regularly.
I think this problem is caused by certbot, which probably sets restricted file access rules on the certificate that override the rules set by the setfacl command. But if I have a system cron to set the rules again, the problem is solved.

Save the following content under any name you like (e.g. ssl_acl.sh) and define a cron for it at midnight every day or week.
SSL certificates are auto-renewed when 1 month remains before the expiration date.

#!/bin/bash
# Iterate over each user folder
for user_folder in /usr/local/directadmin/data/users/*; do
    if [ -d "$user_folder" ]; then
        user=$(basename "$user_folder")

        # Apply setfacl command for SSL Step 1:
        # search (x) on the user folder so the ACL user can traverse it
        sudo setfacl -Rm u:my_example_user:x "$user_folder"
        # Apply setfacl command for SSL Step 2:
        # read + search (rx) on everything under domains/, certificates and keys included
        sudo setfacl -Rm u:my_example_user:rx "$user_folder/domains/."

        echo "Applied ACL for user: $user"
    fi
done
 
I encountered an issue with the Exim server regarding SSL certificate permissions on this server. Therefore, I simply updated this file to grant the 'access' group, which includes the Exim mail server, read access to the SSL files. Here is the updated version:

Code:
#!/bin/bash
# Iterate over each user folder
for user_folder in /usr/local/directadmin/data/users/*; do
    if [ -d "$user_folder" ]; then
        user=$(basename "$user_folder")

        # Apply setfacl command for SSL Step 1:
        # search (x) on the user folder so the ACL user can traverse it
        sudo setfacl -Rm u:my_example_user:x "$user_folder"
        # Apply setfacl command for SSL Step 2:
        # read + search (rx) on everything under domains/, certificates and keys included
        sudo setfacl -Rm u:my_example_user:rx "$user_folder/domains/."
        # Apply setfacl command for SSL Step 3:
        # Read/Execute Permission to 'access' Group: daemon,nobody,mail,majordomo,apache,ftp,nginx
        sudo setfacl -Rm g:access:rx "$user_folder/domains/."

        echo "Applied ACL for user: $user"
    fi
done
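Added example, not from the post above or from DirectAdmin: a small POSIX shell check that reads getfacl output and reports what a named ACL user can effectively do on a file once the mask is applied, plus a narrow repair. The two ACL listings embedded below are constructed from the getfacl output shown in the post; the function names (perm_and, named_user_effective_perms, key_files_missing_read, grant_key_read) are this example's own. getfacl and setfacl from the acl package are assumed to be present only for the last two functions. The point of the check is the one the post runs into: a default ACL on domains/ does not help a file that is written without inheriting it, and a named entry that is present can still be cut down by mask::, so read access has to be verified on the key file itself rather than assumed from the folder.

```shell
#!/bin/sh
# Added example (not part of the original post). Evaluates named-user ACL
# entries the way the kernel does: entry AND mask, and checks .key files.

# perm_and <triple> <triple>: bitwise AND of two rwx triples, e.g. rw- & r-x = r--
perm_and() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        m=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" != "-" ] && [ "$a" = "$m" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# named_user_effective_perms <user> <getfacl-text>: effective triple for <user>.
# Owner: the user:: entry (never masked). Named user: user:<name>: AND mask::.
# No named entry: prints --- (access then depends on group/other, not checked here).
# Only the access ACL is read; default:* lines are deliberately ignored.
named_user_effective_perms() {
    user="$1"
    acl="$2"
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$acl" | sed -n 's/^user::\(...\).*$/\1/p'
        return 0
    fi
    entry=$(printf '%s\n' "$acl" | sed -n "s/^user:$user:\(...\).*\$/\1/p")
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*$/\1/p')
    if [ -z "$entry" ]; then
        printf '%s\n' '---'
        return 0
    fi
    if [ -z "$mask" ]; then
        printf '%s\n' "$entry"
    else
        perm_and "$entry" "$mask"
    fi
}

# Constructed samples, copied from the getfacl output quoted in the post.
DIR_ACL='# file: usr/local/directadmin/data/users/xyz/domains/
# owner: diradmin
# group: diradmin
user::rwx
user:myuser:r-x
group::--x
mask::r-x
other::--x
default:user::rwx
default:user:myuser:r-x
default:group::--x
default:mask::r-x
default:other::--x'

KEY_ACL='# file: usr/local/directadmin/data/users/xyz/domains/example.com.key
# owner: diradmin
# group: access
user::rw-
group::r--
other::---'

# key_files_missing_read <dir> <user>: print every *.key under <dir> on which
# <user> has no effective read through a named ACL entry. Needs getfacl.
key_files_missing_read() {
    find "$1" -type f -name '*.key' | while IFS= read -r f; do
        p=$(named_user_effective_perms "$2" "$(getfacl -p "$f" 2>/dev/null)")
        case "$p" in
            r*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# grant_key_read <file> <user>: the narrow repair. Read only, on the one key
# file, no recursion and no group-wide grant. Needs setfacl.
grant_key_read() {
    setfacl -m "u:$2:r" "$1"
}
```

Run as root, `key_files_missing_read /usr/local/directadmin/data/users/xyz/domains myuser` lists the keys the folder's default ACL did not reach, and `grant_key_read <key> myuser` fixes exactly those. That is the shape of cron job I would prefer over the recursive variants in the post: a recursive `g:access:rx` on domains/ gives every member of 'access' (the post lists apache, nginx, ftp and nobody among them) read access to every private key under it, while Exim only needs to read the specific key and certificate it is configured to serve.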
 