
#1 2021-12-30 14:09:37

Gefrierbrand
Member
Registered: 2015-02-12
Posts: 5

[SOLVED] Why can Apache read the cert / key files owned by root

I used certbot-apache to get certificates from LetsEncrypt.

Listing them shows them clearly being owned by root and the private keys only being readable by root:

# ls -alh
total 68K
drwxr-xr-x 2 root root 4.0K Nov  5 12:51 .
drwx------ 5 root root 4.0K Jul  8 07:04 ..
-rw-r--r-- 1 root root 1.8K Jul  8 07:04 cert1.pem
-rw-r--r-- 1 root root 1.8K Sep  6 12:16 cert2.pem
-rw-r--r-- 1 root root 1.8K Nov  5 12:51 cert3.pem
-rw-r--r-- 1 root root 3.7K Jul  8 07:04 chain1.pem
-rw-r--r-- 1 root root 3.7K Sep  6 12:16 chain2.pem
-rw-r--r-- 1 root root 3.7K Nov  5 12:51 chain3.pem
-rw-r--r-- 1 root root 5.5K Jul  8 07:04 fullchain1.pem
-rw-r--r-- 1 root root 5.5K Sep  6 12:16 fullchain2.pem
-rw-r--r-- 1 root root 5.5K Nov  5 12:51 fullchain3.pem
-rw------- 1 root root 1.7K Jul  8 07:04 privkey1.pem
-rw------- 1 root root 1.7K Sep  6 12:16 privkey2.pem
-rw------- 1 root root 1.7K Nov  5 12:51 privkey3.pem

Apache is run as user http as configured in /etc/httpd/conf/httpd.conf:

User http

But Apache can apparently read those files as the https connection works fine using those certs. So why is this?

Last edited by Gefrierbrand (2021-12-30 14:25:07)


#2 2021-12-30 14:18:39

progandy
Member
Registered: 2012-05-17
Posts: 5,279

Re: [SOLVED] Why can Apache read the cert / key files owned by root

Apache starts as root. Maybe it first reads the private keys and then drops privileges and switches to the http user?

Edit: That assumption seems to be correct:

https://httpd.apache.org/docs/2.4/ssl/s … passphrase

Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).

Last edited by progandy (2021-12-30 14:21:50)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
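The start-as-root, read-the-key, then-drop-privileges sequence progandy describes, as an added Python example that is not code from this thread or from httpd itself. It assumes the Arch user name "http" from the thread and uses a constructed placeholder file in place of a real privkey1.pem.

```python
import os
import pwd
import tempfile

# Constructed stand-in for privkey1.pem; not a real key.
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"


def write_sample_key() -> str:
    """Write SAMPLE_KEY to a 0600 temp file owned by the calling user."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.write(fd, SAMPLE_KEY)
    os.close(fd)
    os.chmod(path, 0o600)
    return path


def drop_privileges(uid: int, gid: int) -> None:
    """Switch to uid/gid for good: groups, then gid, then uid (order matters)."""
    if os.getuid() == 0:
        os.setgroups([])  # shed root's supplementary groups while still root
    os.setgid(gid)        # must come before setuid(); afterwards it would fail
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")


def load_key_then_drop(key_path: str, uid: int, gid: int) -> bytes:
    """httpd's startup order: read the root-only key, then become the service user."""
    with open(key_path, "rb") as fh:
        key = fh.read()  # the bytes stay in memory after the drop
    drop_privileges(uid, gid)
    return key


def can_open(path: str) -> bool:
    """Can the current credentials still open path for reading?"""
    try:
        with open(path, "rb"):
            return True
    except PermissionError:
        return False


if __name__ == "__main__":  # run as root to see the effect
    pw = pwd.getpwnam("http")  # Apache's user on Arch, as in the thread
    path = write_sample_key()  # root-owned and 0600, like the listing above
    key = load_key_then_drop(path, pw.pw_uid, pw.pw_gid)
    print(f"loaded {len(key)} bytes; uid now {os.getuid()}; re-open: {can_open(path)}")
```

Run as root, the key loads before the switch and the final `can_open` reports False: the http user cannot open the file, yet the process already holds its contents.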


#3 2021-12-30 14:23:57

Gefrierbrand
Member
Registered: 2015-02-12
Posts: 5

Re: [SOLVED] Why can Apache read the cert / key files owned by root

Well, that makes sense. Kind of annoying, though.
Thanks anyway.

