Certificate file permissions when sharing certificates

Using Caddy to keep certificates renewed shows how Caddy can maintain certificates for other applications to use - I think, a pretty cool and useful feature for a server that integrates a certificate manager to have.

However, in a default configuration, these certificates are created so as to only be readable by the Caddy user (mode 600), and all their parent directories are likewise created with mode 700. (These permissions are hard-coded into certmagic.)

Seeing as Caddy is responsible for maintaining these certificates automatically, one can’t simply change the permissions on these files, as they could be deleted and re-created at any time.

Is there an intended way to share these certificates with other applications, short of running daemons as the same user, using Posix ACLs, root cron jobs moving certificates, and other such hacks?

(Having the certs / keys and their parent directories be mode 640/750 would be my first inclination - simply put processes that need to read certs in Caddy’s group - but this might not make sense for all cases.)

Currently, no.

You can fork the FileSystem module into your own plugin, then configure Caddy to use that storage module instead. It would probably be as simple as embedding the FileSystem struct into your own struct and overriding Store().

3 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.