I'm using Certbot to implement Let's Encrypt-generated certificates on a Debian 11 server. Certbot was run/set up while logged in as root. This solution creates two files, fullchain.pem & privkey.pem, which the webserver needs to access.
ls -la of live files needed by the webserver:
root@myserver:~# ls -la /etc/letsencrypt/live/mydomain.com/
total 12
drwxr-xr-x 2 root root 4096 Mar 21 14:34 .
drwx------ 3 root root 4096 Mar 19 05:15 ..
lrwxrwxrwx 1 root root 48 Mar 19 05:15 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root 46 Mar 19 05:15 privkey.pem -> ../../archive/mydomain.com/privkey1.pem
The two files are actually soft links to files in an ../../archive/ directory.
ls -la of linked-to archive files:
root@myserver:~# ls -la /etc/letsencrypt/archive/mydomain.com/
total 32
drwxr-xr-x 2 root root 4096 Mar 21 14:17 .
drwx------ 3 root root 4096 Mar 19 05:15 ..
-rw-r--r-- 1 root root 5327 Mar 19 05:15 fullchain1.pem
-rw------- 1 root root 241 Mar 19 05:15 privkey1.pem
I'm assuming Certbot will, over time, make new files as the existing ones expire, add them to the archive, and update the links in the live/ folder.
For security I want to run my webserver as a user with minimal access. The only files the webserver will need to access, outside of its home directory, are the two linked files in the live/ folder.
My question is: How can I grant a non-root user access to those soft-linked-to files?
I have tried many combinations of hard and soft links but can't seem to figure out how to make a link to a soft link to a file in a restricted directory accessible to a non-root user. I don't want to change permissions on the /etc/ directory or other directories. And I don't want to hard link to the archive files (works BTW), since they will become outdated.
Any help is greatly appreciated.
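One way to give an unprivileged webserver the current files without touching /etc/ permissions, shown here as an added example that is not part of the original post: a certbot deploy hook. Certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal, with RENEWED_LINEAGE set to the renewed live/<domain> directory, so a hook that copies the two files out to a root-owned, group-readable location is refreshed automatically each time the live/ links move to a new archive version. The destination directory /etc/ssl/webserver and the group www-data are assumptions, not anything stated in the post, and the fixture directories in the check are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook that
# copies the current fullchain.pem / privkey.pem out of /etc/letsencrypt
# into a directory the webserver can read, so /etc/ permissions stay as
# they are and the copies are refreshed on every renewal.
#
# Assumptions (not stated in the post): the webserver runs in the group
# "www-data" and reads its certificates from /etc/ssl/webserver. Both are
# plain arguments below, so they can be changed without editing the script.

# file_mode PATH: print the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_certs LINEAGE_DIR DEST_DIR WEB_GROUP
# Follows the live/ symlinks, copies the target files into DEST_DIR and
# sets root-owned, group-readable modes: the webserver can read the key
# but cannot modify it. The copies are written under temporary names and
# renamed into place, so a reader never sees a half-written file.
install_certs() {
    lineage="$1"; dest="$2"; web_group="$3"

    mkdir -p "$dest" || return 1
    # umask 077 keeps the temporary key copy private while it is written;
    # cp -L follows the live/ symlink, so the copy is the current archive file.
    ( umask 077 &&
      cp -L "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp" &&
      cp -L "$lineage/privkey.pem" "$dest/privkey.pem.tmp" ) || return 1

    # Ownership can only be changed by root; the hook runs as root under
    # certbot, while a manual run as an ordinary user keeps its own owner.
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$web_group" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp" || return 1
    fi
    chmod 0644 "$dest/fullchain.pem.tmp"   # certificate chain is public
    chmod 0640 "$dest/privkey.pem.tmp"     # key: owner rw, group r, others none

    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem" &&
    mv -f "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# check_installed DEST_DIR: succeed only if both copies exist as regular
# files (not symlinks back into /etc/letsencrypt) with the expected modes.
check_installed() {
    dest="$1"
    [ -f "$dest/fullchain.pem" ] && [ ! -L "$dest/fullchain.pem" ] || return 1
    [ -f "$dest/privkey.pem" ] && [ ! -L "$dest/privkey.pem" ] || return 1
    [ "$(file_mode "$dest/fullchain.pem")" = "644" ] || return 1
    [ "$(file_mode "$dest/privkey.pem")" = "640" ] || return 1
}

# When certbot runs this script from /etc/letsencrypt/renewal-hooks/deploy/,
# it sets RENEWED_LINEAGE to the live/<domain> directory that was renewed.
# For a manual run, pass that directory as the first argument instead.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "${DEST_DIR:-/etc/ssl/webserver}" "${WEB_GROUP:-www-data}"
elif [ $# -ge 1 ]; then
    install_certs "$1" "${DEST_DIR:-/etc/ssl/webserver}" "${WEB_GROUP:-www-data}"
fi
```

Copying rather than linking is what keeps the webserver's files current: the hook runs again after every renewal, so the stale-archive problem that hard links have does not arise. Keeping the key root-owned with mode 0640 and only the webserver's group able to read it means a compromise of the webserver user can read the key it already needs but cannot replace it, and nothing under /etc/letsencrypt itself is opened up.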