mirror of
https://github.com/acmesh-official/acme.sh.git
synced 2024-12-26 01:00:10 +08:00
Page:
how about the private key access modes, chmod, or chown or umask
Pages
Blogs and tutorials
BuyPass.com CA
CA
Change default CA to ZeroSSL
Code of conduct
DNS API Dev Guide
DNS API Test
DNS alias mode
DNS manual mode
Deploy ssl certs to apache server
Deploy ssl certs to nginx
Deploy ssl to SolusVM
Donate list
Enable acme.sh log
Exit Codes
Explicitly use DOH
Google Public CA
Google Trust Services CA
Home
How to debug acme.sh
How to install
How to issue a cert
How to run on DD WRT with lighttpd
How to run on OpenWrt
How to use Amazon Route53 API
How to use Azure DNS
How to use OVH domain api
How to use Oracle Cloud Infrastructure DNS
How to use lexicon DNS API
How to use on Solaris based operating sytsems
How to use on embedded FreeBSD
Install in China
Install preparations
Issue a cert from existing CSR
OVH Success
Options and Params
Preferred Chain
Run acme.sh in docker
SSL.com CA
Server
Simple guide to add TLS cert to cpanel
Stateless Mode
Synology NAS Guide
Synology RT1900ac and RT2600ac install guide
TLS ALPN without downtime
Usage on Tomato routers
Use DNS Exit DNS API
Using pre hook post hook renew hook reloadcmd
Using systemd units instead of cron
Utilize multiple DNS API keys
Validity
ZeroSSL.com CA
deploy to docker containers
deployhooks
dnsapi
dnsapi2
dnscheck
dnssleep
how about the private key access modes, chmod, or chown or umask
ipcert
notify
openvpn2.4.7服务端和客户端使用注意
revokecert
sudo
tlsa next key
如何安装
说明
0
how about the private key access modes, chmod, or chown or umask
neil edited this page 2020-08-24 09:55:55 +08:00
Table of Contents
How acme.sh deals with the private key file modes?
A short answer is: we deal with the file permission as little as possible.
A longer answer is: we almost don't change the file permissions, you set it yourself, and it will be kept forever.
Ok, let me give a longer answer:
- By default, the key/cert files are saved in
~/.acme.sh
, this folder is set to mode700
by default. So, nobody else can read your private key. - When you use
--install-cert
command to copy the cert to the target locations, we usecat keyfile > target_key_file
pattern, in which the target file permission is not changed, and you only need write permission to the target file. Yes, if the target file doesn't exist for the first time, it will be created with your default umask, which is umask 022 in most of the unix/linux systems. In this case, somebody else may read your private key file. But you can change the file mode manually,chmod 600 target_key_file
. The reasons why we don't change the file mode are:- We respect the users choice most. We trust you more than ourselves. you can change the file modes manually, you know your system best. We respect your choice.
- We can not use
umask
also. In webroot mode, we have to create validation file, if umask is set to022
, the webserver would not be able to read the validation file.
So, doing more doesn't mean doing better. Less is more.
Buy me a beer, Donate to acme.sh if it saves your time. Your donation makes acme.sh better: https://donate.acme.sh/
如果 acme.sh 帮你节省了时间,请考虑赏我一杯啤酒🍺, 捐助: https://donate.acme.sh/ 你的支持将会使得 acme.sh 越来越好. 感谢