What are the appropriate permissions for PEM files?

I’m running caddy to serve as TLS front-end with my own certificate/key files but the following error.

Parse error: Unable to load certificate and key files

keys are set to 0400 and certificates were set to 0444 for root as owner

  1. Which user/group is Caddy running as?
  2. What are the directory permissions/ownership?
  3. Which group(s) own the directory and files?

Installation on Ubuntu 14.04 were as following,

curl -fsSL https://getcaddy.com | bash -s search
sudo chown root:root /usr/local/bin/caddy
sudo chmod 755 /usr/local/bin/caddy
sudo setcap cap_net_bind_service=+ep /usr/local/bin/caddy

sudo mkdir /etc/caddy
sudo chown -R root:www-data /etc/caddy

sudo mkdir /etc/ssl/caddy
sudo chown -R www-data:root /etc/ssl/caddy
sudo chmod 0770 /etc/ssl/caddy

sudo touch /etc/caddy/Caddyfile
sudo chown www-data:www-data /etc/caddy/Caddyfile
sudo chmod 444 /etc/caddy/Caddyfile

and set for up-start at boot as following,

nano /etc/init/caddy.conf

description “Caddy Web Server”
start on runlevel [2345]
stop on runlevel [016]
console log
setuid www-data
setgid www-data
respawn limit 10 5
reload signal SIGUSR1
env CADDYPATH=/etc/ssl/caddy
limit nofile 1048576 1048576
cd /etc/caddy
rootdir="$(mktemp -d -t “caddy-run.XXXXXX”)"
exec /usr/local/bin/caddy -agree -log=stdout -conf=/etc/caddy/Caddyfile -root=$rootdir
end script

Issue have been fixed with chmod 0444 for PEM files, but I want to avoid others in permissions

chown root:www-data and chmod 640 will make your key and certificate files root-writable, www-data-readable, and inaccessible to everyone else, which is a secure setup (as long as the key files are not in Caddy’s web root).

certificates/keys are under /etc/caddy with root:root 0444 permissions

I’m planning to replace Caddyfile line

tls /etc/caddy/MyDomain.CRT.PEM /etc/caddy/MyDomain.KEY.PEM

into the following for LE certifications once everything is ok

tls admin@MyDomain.com

The permission attributes (you can usually just refer to the last 3 numbers) work like so:

 ||+- World permissions (everyone)
 |+- Group permissions
 +- Owner (user) permissions

So when you say your setup is:

That means that the user root has read (4) access, the group root has read (4) access, and everyone else had read (4) access.

Suggest you read up further on Unix file permissions, here’s a good overview. My previous post should suit your objectives, though, and Caddy will naturally handle permissions itself once it’s managing certificates via ACME.