Letsencrypt changes cert file rights and owner?

Richard G

I had this error in the log file:
2017-05-29 14:49:53 TLS error on connection from [24.xx.xxx.xxx] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
2017-05-29 14:49:53 TLS client disconnected cleanly (rejected our certificate?)

It happened only 3 times so far but I went and had a look why this could be happening. Then I discovered this one.

This is on a default server without Letsencrypt installed:
Code:
# ls -al /etc/exim.cert  
-rwxr-xr-x 1 root root 2.0K May 13  2016 /etc/exim.cert

And this is on 2 other servers with Letsencrypt installed:
Code:
# ls -al /etc/exim.cert
-rw------- 1 mail mail 3806 May 23 00:15 /etc/exim.cert

Now on the server without Letsencrypt the owner and rights for exim.key are also only rw and owned by mail.

I'm just wondering, since I got this error on one of the servers with letsencrypt.... is this a problem that the exim.cert is not chmod 755 (or 644)?
 
As far as I remember exim would complain (in logs) about certificate security if it is not set to 600

Not really sure why LetsEncrypt would make any difference, it is something that has been that way for a long time as far as I can remember

Best regards
 
Maybe it happened due to something else. I did not change it manually in any case.
I did not see Exim complaining about it, but since it should be 600 I will put it to 600 on that one server.
Thank you Sellerone!
 
Thank you Sellerone.
Nevertheless I changed it to 600 because they were 600 on both other servers automatically.
So if everything is correct I should be fine.
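
Added example, not part of the thread and not DirectAdmin's or Exim's own code: a small shell check for the owner and mode of the certificate and key files compared above, reading the same `ls -l` fields the posts show. The function name `audit_tls_file` is hypothetical, and the expected owner (`mail` in the listings above) is passed in as an assumption.

```shell
#!/bin/sh
# Added example: audit owner and mode of a TLS file from `ls -ld` output.
# Usage: audit_tls_file PATH KIND OWNER
#   KIND  is "key" or "cert"
#   OWNER is the account expected to own the file (assumption: the one the
#         mail daemon reads it as, e.g. "mail" in the listings above)
# Prints one status line and returns 0 only when the status is OK.
audit_tls_file() {
    path=$1 kind=$2 want_owner=$3
    [ -f "$path" ] || { echo "MISSING $kind $path"; return 2; }

    # `ls -ld` fields: 1 = mode string (e.g. -rw-------), 3 = owner name
    ls_out=$(ls -ld -- "$path")
    mode=$(printf '%s\n' "$ls_out" | awk '{print $1}')
    owner=$(printf '%s\n' "$ls_out" | awk '{print $3}')

    # Characters 5-10 of the mode string are the group and other bits,
    # e.g. "r-xr-x" for 755 or "------" for 600.
    grp_oth=$(printf '%s' "$mode" | cut -c5-10)

    status=OK
    case $kind in
        key)
            # A private key should not be accessible to group or others.
            [ "$grp_oth" = "------" ] || status=FAIL ;;
        cert)
            # A certificate is public data, so read bits are harmless,
            # but only the owner should be able to replace its contents.
            case $grp_oth in ?w????|????w?) status=FAIL ;; esac ;;
        *)
            echo "UNKNOWN kind '$kind'"; return 2 ;;
    esac

    # An unexpected owner is reported as a warning unless already failing.
    [ "$owner" = "$want_owner" ] || { [ "$status" = FAIL ] || status=WARN; }

    echo "$status $kind $path mode=$mode owner=$owner"
    [ "$status" = OK ]
}
```

For the files discussed here it would be called as `audit_tls_file /etc/exim.cert cert mail` and `audit_tls_file /etc/exim.key key mail`.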
 