Using automatically obtained security certificates for other purposes

For example, in /etc/postfix/main.cf:

smtpd_tls_cert_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt
smtp_tls_cert_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt
smtpd_tls_key_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.key
smtp_tls_key_file = /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.key

Which works fine except that I am enabling SELinux for, you know, security, and the key files are in a different security context than the mail server or other services that I would want to share the key with, and with SELinux in enforcing mode, postfix will no longer be able to access the keys.

----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:253): avc:  denied  { read } for  pid=1933 comm="smtpd" name="blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:254): avc:  denied  { open } for  pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
time->Sat Jan 11 09:51:58 2025
type=AVC msg=audit(1736589118.808:255): avc:  denied  { getattr } for  pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
----

It would not be a problem to run certbot certonly to obtain certificates, but caddy is already binding port 80.

As this user has already found.

EDIT: there are other tools to set security context.

# semanage fcontext ...

Labeling problems

A common cause of labeling problems is when a non-standard directory is used for a service…
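The `semanage fcontext` step mentioned above, worked from the AVC records in the post, as an added example that is not from the original post: the script parses the denials, checks that the denied paths sit under Caddy's certificate directory, and emits the relabel commands. It assumes `cert_t` is the type the distribution's Postfix policy lets `postfix_smtpd_t` read (confirm with `sesearch -A -s postfix_smtpd_t -t cert_t -c file` before applying) and that the `certificates` directory is the right root to relabel.

```python
import re

# Constructed sample input: two of the AVC records quoted in the post, one per line.
AVC_LINES = """\
type=AVC msg=audit(1736589118.808:254): avc:  denied  { open } for  pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736589118.808:255): avc:  denied  { getattr } for  pid=1933 comm="smtpd" path="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/blanco.colmena.biz/blanco.colmena.biz.crt" dev="sda5" ino=138459 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

def _field(line, key):
    """Return the value of key=value or key="value" from an audit record, or None."""
    m = re.search(rf'\b{key}=("?)([^"\s]+)\1', line)
    return m.group(2) if m else None

def parse_avc(line):
    """Parse one AVC denial record into the fields needed to reason about a relabel."""
    m = re.search(r'avc:\s+denied\s+\{ ([^}]+)\}', line)
    if not m:
        return None  # not an AVC denial record
    ctx_type = lambda ctx: ctx.split(":")[2]  # user:role:type:level -> type
    return {
        "perms": set(m.group(1).split()),
        "path": _field(line, "path"),  # None when only name= was logged
        "stype": ctx_type(_field(line, "scontext")),
        "ttype": ctx_type(_field(line, "tcontext")),
        "permissive": _field(line, "permissive") == "1",
    }

def plan_relabel(lines, label_root, target_type="cert_t"):
    """Collect denials on files under label_root and build the semanage/restorecon
    commands that give that tree a persistent file context of target_type.
    Returns None if no denied path lies under label_root."""
    root = label_root.rstrip("/")
    denials = [d for d in map(parse_avc, lines.splitlines()) if d]
    hits = [d for d in denials if d["path"] and d["path"].startswith(root + "/")]
    if not hits:
        return None
    pattern = re.escape(root) + "(/.*)?"  # semanage fcontext patterns are regexes
    return {
        "source_types": sorted({d["stype"] for d in hits}),   # domains that were denied
        "current_types": sorted({d["ttype"] for d in hits}),  # label that blocked them
        "perms": sorted(set().union(*(d["perms"] for d in hits))),
        "enforced": any(not d["permissive"] for d in hits),   # False: only logged so far
        "commands": [
            f"semanage fcontext -a -t {target_type} '{pattern}'",
            f"restorecon -Rv {root}",
            f"ls -Z {hits[0]['path']}",  # confirm the new label afterwards
        ],
    }
```

Labeling the whole tree `cert_t` also lets every other domain with certificate read access read the private key, so keep the relabel to the narrowest directory that works. The `enforced` flag tells you whether the denials were already blocking Postfix or, as with `permissive=1` here, only being logged.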