About SSL certificates and users permissions

Hi, recently I have installed Home Assistant and Vaultwarden, and in both of them, if you require an HTTPS connection, you'll face the problem of each web app's user not having permission to read the letsencrypt folder where the certs are.

I'm asking whether this has been solved in any way. Searching through posts I've reached this one from MichaIng proposing these solutions:

At least do the following:

chown -R root:root /etc/letsencrypt
chmod -R 750 /etc/letsencrypt
usermod -a -G root homeassistant

Reassures that key+cert are only/fully owned by root.
Grants only read (and execute, to read directory content) access to the root group.
Adds the homeassistant user to the root group to grant it cert+key read access.

However, adding a user to the root group is also not ideal. Better again is to create a new group for this, e.g. named ssl, and then add all users that require SSL read access to this new group instead.

The most secure way is to create a copy of the privkey+fullchain and chown homeassistant:homeassistant those. But this is practically a bit annoying, since you need to redo this after every certificate renewal. At best a systemd unit timer hook would do that.

Each one has its pros and cons. Is there an all-around solution?

For me as a newbie, it would be much easier if a guide for doing, for example, the ssl group thing existed.

Thank you so much.

I am also looking for a solution to use my pre-obtained (via acme.sh) domain SSL certificate with the DietPi system. I have a wildcard SSL certificate for my domain, so I don't want the dietpi-letsencrypt service (no DNS validation). I want to use my own customized SSL certificate with DietPi. I just want to request that the DietPi administration implement Caddy, Nginx Proxy Manager or a SWAG-type application in the DietPi software portfolio. Please guide me also towards the right direction. At this time the following software is installed on my computer: Home Assistant, Vaultwarden, AdGuard Home, Plex. I want all of these to use HTTPS connections.

In the meantime Nginx Proxy Manager can be installed quite easily by yourself. There is no need to wait on us to have this implemented. The NPM guys simplified their needs and moved away from MariaDB to use SQLite now. This means no DB container is needed anymore.

Basic stuff like Docker, Docker Compose and optionally Portainer (container manager) can be installed from dietpi-software. Getting NPM up and running is just 1-2 commands away. :wink:

At the moment we do not offer a tool to manage HTTPS/SSL for all our apps. We were thinking about it, but it looks too complicated to catch all cases and all apps in a single DietPi tool, as we would need to cover all possible combinations of web servers, reverse proxy apps and user applications.

amibumpin
To avoid assigning SSL certificates to each app individually, you could use a reverse proxy. The Nginx web server is a perfect candidate and can be installed from our catalogue. Maybe you are already running a different web server that could be used for the same activity.

Hi Joulinar, I am trying the approach of creating a group for having permission to read the SSL certs, but I'm having a problem...

I created the group "permisos-ssl".
I then gave the permissions to the group on the ssl folder

/etc/letsencrypt/live/my.ddns.net

drwxr-xr-x 2 root permisos-ssl 4096 Dec 29 12:35 .
drwx------ 3 root root         4096 Dec 28 19:06 ..
-rw-r--r-- 1 root permisos-ssl 2204 Dec 28 19:06 cert1.pem
-rw-r--r-- 1 root root         2204 Dec 29 12:35 cert2.pem
-rw-r--r-- 1 root permisos-ssl 3749 Dec 28 19:06 chain1.pem
-rw-r--r-- 1 root root         3749 Dec 29 12:35 chain2.pem
-rw-r--r-- 1 root root         5953 Dec 28 19:06 fullchain1.pem
-rw------- 1 root root         3272 Dec 28 19:06 privkey1.pem

I added the group rights to the folder

/etc/letsencrypt/archive/my.ddns.net

because the other folder has the certs symlinked.

Still, fullchain1.pem and privkey1.pem were not getting the permissions, so I renewed the certs so that they would be created again and inherit the folder permissions. But after the renewal the permissions were still the same.

drwxr-xr-x 2 root permisos-ssl 4096 Dec 29 12:35 .
drwx------ 3 root root         4096 Dec 28 19:06 ..
-rw-r--r-- 1 root permisos-ssl 2204 Dec 28 19:06 cert1.pem
-rw-r--r-- 1 root root         2204 Dec 29 12:35 cert2.pem
-rw-r--r-- 1 root permisos-ssl 3749 Dec 28 19:06 chain1.pem
-rw-r--r-- 1 root root         3749 Dec 29 12:35 chain2.pem
-rw-r--r-- 1 root permisos-ssl 5953 Dec 28 19:06 fullchain1.pem
-rw-r--r-- 1 root root         5953 Dec 29 12:35 fullchain2.pem
-rw------- 1 root permisos-ssl 3272 Dec 28 19:06 privkey1.pem
-rw------- 1 root permisos-ssl 3272 Dec 29 12:35 privkey2.pem

Is the letsencrypt script forcing the root group on the certs? How can I solve it?

Thank you Joulinar!

Probably best to create a hook script that will be executed to change the permissions to your needs after certificate creation.

Usually it should be enough to grant read permission on /etc/letsencrypt/archive/ as well as /etc/letsencrypt/live/ only. The rest of the files should have read permission for everyone by default. Ah, and probably privkey1.pem.

Hooks can be placed in /etc/letsencrypt/renewal-hooks/{deploy,post,pre}
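As an added example (not code from the thread, from MichaIng or from DietPi), here is a certbot deploy hook that implements the two options discussed above and runs after every renewal, which is the step the group approach above was missing: certbot writes each new privkeyN.pem as root:root 0600, so group ownership set on the archive directory never carries over to the renewed key. Option A re-applies an ssl group and 0640/0750 modes to the real key file and the directories the group must traverse; Option B copies fullchain+privkey into a directory owned by the application user, so that user needs no access to /etc/letsencrypt at all. RENEWED_LINEAGE is the variable certbot exports to deploy hooks; the group name ssl, the Vaultwarden destination path, the user names and the service names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from DietPi: a certbot deploy hook
# that fixes certificate permissions after every renewal, covering the two
# options discussed in the thread.  Install as
#   /etc/letsencrypt/renewal-hooks/deploy/10-app-certs.sh   (mode 0755).
# certbot runs deploy hooks once per renewed certificate with RENEWED_LINEAGE
# set to the /etc/letsencrypt/live/<domain> directory.  The group, user,
# service and destination names used below are assumptions for illustration.
set -eu

# Option A, the "ssl group" approach.  certbot writes each new privkeyN.pem as
# root:root 0600, which is why the chgrp on the archive directory in the thread
# did not carry over to the renewed key.  Re-apply group and mode on the real
# key file plus every directory the group must traverse to reach it
# (live/<domain>, live/, archive/<domain>, archive/).  cert/chain/fullchain
# are 0644 by default and need no change.
# grant_group_read LIVE_DIR GROUP -> returns 1 if the lineage has no key
grant_group_read() {
    live=$1 group=$2
    key=$(readlink -f "$live/privkey.pem") || return 1   # follow live/ symlink into archive/
    [ -f "$key" ] || return 1
    archive=$(dirname "$key")
    if [ "$(id -u)" -eq 0 ]; then                        # chgrp needs root
        chgrp "$group" "$key" "$live" "$archive" "$(dirname "$live")" "$(dirname "$archive")"
    fi
    chmod 0640 "$key"                                    # owner rw, group r, others nothing
    chmod 0750 "$live" "$archive" "$(dirname "$live")" "$(dirname "$archive")"
}

# Option B, the "copy" approach.  Copy fullchain+privkey into a directory the
# application user owns, so the app needs no access to /etc/letsencrypt at all.
# deploy_cert LIVE_DIR DEST_DIR USER GROUP -> returns 1 if a source is missing
deploy_cert() {
    live=$1 dest=$2 user=$3 group=$4
    [ -f "$live/privkey.pem" ] && [ -f "$live/fullchain.pem" ] || return 1
    umask 077                                  # anything created here starts out 0600/0700
    mkdir -p "$dest"
    for f in privkey.pem fullchain.pem; do
        cp -L "$live/$f" "$dest/$f.tmp"        # -L: copy the file, not the symlink
        chmod 0640 "$dest/$f.tmp"
        mv -f "$dest/$f.tmp" "$dest/$f"        # atomic replace: app never sees a half-written key
    done
    if [ "$(id -u)" -eq 0 ]; then              # chown needs root
        chown -R "$user:$group" "$dest"
    fi
    chmod 0750 "$dest"
}

# Dispatch: only runs when certbot invokes the hook (RENEWED_LINEAGE set), so
# the file can also be sourced for testing without touching anything.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case "$RENEWED_LINEAGE" in
        */my.ddns.net)   # lineage name from the thread; apps and paths below are assumed
            grant_group_read "$RENEWED_LINEAGE" ssl
            deploy_cert "$RENEWED_LINEAGE" /opt/vaultwarden/ssl vaultwarden vaultwarden
            systemctl try-restart home-assistant.service vaultwarden.service
            ;;
    esac
fi
```

Test it once with `certbot renew --dry-run`, which also runs deploy hooks, and check the modes with `ls -l /etc/letsencrypt/archive/<domain>/` afterwards. Users of the group approach still need `usermod -a -G ssl <appuser>` once per application user; the copy approach needs nothing beyond the hook.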