How to change umask for Caddy service?

Hello,

I tried this a couple of months ago to no avail, but this time I tried to solve this differently.

I have the following part in my caddy.json:

"storage": {
    "module": "file_system",
    "root": "/home/admin/tls"
},

Right at the start before Caddy is even installed, I prepare the directory via bash script:

mkdir -p /home/admin/tls/certificates
sudo chown -R caddy:caddy /home/admin/tls
sudo chmod -R g+x /home/admin/tls/certificates/
sudo chmod -R g+r /home/admin/tls/certificates/
sudo chmod g+s /home/admin/tls/certificates/

Caddy and Xray should be able to access the certs in /home/admin/tls/.
The xray user belongs to the caddy group. Hence, as long as group read and execute permissions are given to the caddy group, it would be fine.

So far so good, but as soon as Caddy obtains the certificates and stores them in /home/admin/tls/, the new sub-directories/files no longer keep the permissions from the parent directory and the xray user loses access to the certs.

In the Caddy service I tried to add UMask=0002 under [Service], but it didn’t help. What can I do?
Is there a post-hook where I could run

sudo chmod -R g+x /home/admin/tls/certificates/
sudo chmod -R g+r /home/admin/tls/certificates/

Caddy: v2.7.3 h1:eMCNjOyMgB5A1KgOzT2dXKR4I0Va+YHCJYC8HHu+DP0=

Many Thanks

In general I recommend avoiding the use of /home with webservers. Use something like /opt or /etc/caddy for config/storage (default storage is /var/lib/caddy/.local/share/caddy; what’s wrong with that?), and /srv/ or /var/www for your site contents.

Because I’m using Caddy in combination with Xray-core. The latter needs direct access to the certificates. I suppose I could keep the path to default /var/lib/caddy/.local/share/caddy. But it doesn’t change the permission problem for Xray to access it.

Even though I have given group read+execute access to the path, the moment Caddy obtains a fresh copy of the certificates, it replaces the old permissions, and Xray can no longer access the certificates.

Does it make sense?

You can use events to copy certs elsewhere:

Yes, I remember trying that last time with an older version of Caddy.

Reading the link you sent me, it speaks of a third-party plugin. Do you know if caddy-events-exec is now already part of Caddy 2.7.3?

Thanks

It’s still a separate plugin for now.

Thank you guys. I got it working this time with the events.

"apps": {
    "events": {
      "subscriptions": [
        {
          "events": ["cert_obtained"],
          "handlers": [
            {
              "handler": "exec",
              "command": "/opt/shared_certs/xray_pack_ssl.sh",
              "args": []
            }
          ]
        }
      ]
    }
},
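As an added example (not the thread's own script), one way the /opt/shared_certs/xray_pack_ssl.sh handler above could be written: it copies each domain's certificate and key out of the Caddy storage root into the shared directory with 0750/0640 group-only permissions, so xray's membership in the caddy group is enough and nothing is made world-readable or executable. The storage layout (certificates/<issuer>/<domain>/<domain>.crt and .key), the group name caddy and the paths are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a cert_obtained hook that copies the
# certificate and key Caddy just stored into a shared directory with tightly
# scoped group permissions, instead of running chmod -R g+x over the store.
# Assumed (hypothetical) paths: Caddy storage root /home/admin/tls as in the
# caddy.json above, shared directory /opt/shared_certs, group "caddy".
set -eu

# Copy <issuer>/<domain>/<domain>.crt and .key from a Caddy storage root into
# <dest>/<domain>/ as 0640 files inside 0750 directories. Group ownership is
# only changed when a group name is given (needs root or group membership).
# Prints the number of domains copied.
sync_certs() {
    src_root=$1    # Caddy storage root (contains certificates/)
    dest_root=$2   # shared directory read by xray
    group=${3:-}   # optional group to own the copies
    count=0
    for crt in "$src_root"/certificates/*/*/*.crt; do
        [ -f "$crt" ] || continue
        domain=$(basename "$crt" .crt)
        key=$(dirname "$crt")/$domain.key
        [ -f "$key" ] || continue      # skip entries without a private key
        out=$dest_root/$domain
        mkdir -p "$out"
        chmod 0750 "$out"
        # install(1) copies and sets the mode in one step, so the key is never
        # briefly readable under the process umask as with cp followed by chmod.
        install -m 0640 "$crt" "$out/$domain.crt"
        install -m 0640 "$key" "$out/$domain.key"
        if [ -n "$group" ]; then
            chgrp "$group" "$out" "$out/$domain.crt" "$out/$domain.key"
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Return 0 when the file or directory has exactly the given octal mode.
has_mode() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]
}

# When run directly from the "exec" handler, sync the real paths; sourcing the
# file only defines the functions.
if [ "${0##*/}" = "xray_pack_ssl.sh" ]; then
    sync_certs /home/admin/tls /opt/shared_certs caddy
fi
```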
