Skip to content

Instantly share code, notes, and snippets.

@zmwangx

zmwangx/caddy-acl.md

Created October 13, 2023 02:29
Show Gist options
  • Save zmwangx/059f67b2276adf42c67daf3ec636ab25 to your computer and use it in GitHub Desktop.
Save zmwangx/059f67b2276adf42c67daf3ec636ab25 to your computer and use it in GitHub Desktop.
Download ZIP
Granting caddy (official Debian package) access to existing certificates in /etc/letsencrypt/live
Raw
caddy-acl.md

Caddy can be instructed to load existing certificates:

example.com {
	reverse_proxy :32767
	tls /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem
}

However, caddy.service uses user caddy and group caddy:

# systemctl cat caddy
...
[Service]
...
User=caddy
Group=caddy
...

which can't access the cert files, which are strictly restricted to the root user.

We can grant access through acl:

# setfacl -m caddy:r-x /etc/letsencrypt/live /etc/letsencrypt/archive
# setfacl -m caddy:r-- /etc/letsencrypt/archive/*/*.pem

Then we can test access:

# sudo -u caddy test -r /etc/letsencrypt/live/example.com/fullchain.pem; echo $?
0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment