I use certbot to generate certificate files. The certificate files are created in /etc/letsencrypt/live/... The live folder is created by certbot and is only accessible to admins.
In the past, I then copied these files to the folder of my application, and that worked fine. But it felt wrong to copy the certificate files.
So, I am wondering if there is a possibility to leave the files where they are. I tried to put this into practice, but I am struggling to give my application access to the folder. I had no problems adjusting the paths, but it has no privileges to access the folder.
I am wondering how I can give my application access to the files.
The application is launched using a systemd configuration file. I originally had this systemd config:
[Unit]
Description=my-service
Documentation=http://documentation.domain.com
After=network.target
[Service]
Type=simple
TimeoutSec=0
User=ubuntu
ExecStart=/usr/bin/node /home/ubuntu/my-service/server.js
Restart=on-failure
[Install]
WantedBy=multi-user.target
I tried adding the following line, but it made no difference.
PermissionsStartOnly=true
I don't think that copying certificate files from /etc/letsencrypt/live to an application's folder is wrong. I suggest you do so by defining a custom script in the /etc/letsencrypt/renewal-hooks/deploy folder, which would also reload the application each time the corresponding certificate is renewed. For example:
Please check this URL for details: https://certbot.eff.org/docs/using.html#renewing-certificates
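One way to write the deploy hook described in the answer above, as an added example that is not part of the original answer. certbot exports RENEWED_LINEAGE to deploy hooks; the hook file name, the lineage name, the destination /etc/my-service/tls and the unit name my-service.service are assumptions, and the destination directory stays root-owned so the service user can read the key but cannot replace files that root later writes.

```sh
#!/bin/sh
# Added example. Suggested location (file name is an assumption):
#   /etc/letsencrypt/renewal-hooks/deploy/my-service.sh
set -eu

CERT_NAME="example.com"            # placeholder: directory name under live/
APP_USER="ubuntu"                  # User= from the unit file in the question
APP_CERT_DIR="/etc/my-service/tls" # assumed destination, outside the user's home
APP_UNIT="my-service.service"      # assumed unit name

# Copy fullchain.pem and privkey.pem from a certbot lineage directory into
# dest as regular files that only owner can read.
deploy_cert() {
    lineage=$1; dest=$2; owner=$3
    # Refuse to touch the destination if either source file is missing.
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    old_umask=$(umask)
    umask 077                      # copies are never group/world readable
    mkdir -p "$dest"
    chmod 0755 "$dest"             # directory is not writable by the service user
    for f in fullchain.pem privkey.pem; do
        # live/ holds symlinks into archive/; cp follows them.
        # Write under a temporary name, then rename, so the service
        # never reads a half-written file.
        cp "$lineage/$f" "$dest/$f.new"
        chown "$owner" "$dest/$f.new"
        chmod 0600 "$dest/$f.new"
        mv -f "$dest/$f.new" "$dest/$f"
    done
    umask "$old_umask"
}

# Every script in renewal-hooks/deploy runs for every renewed certificate,
# so act only on the lineage this service uses.
if [ -n "${RENEWED_LINEAGE:-}" ] &&
   [ "$(basename "$RENEWED_LINEAGE")" = "$CERT_NAME" ]; then
    deploy_cert "$RENEWED_LINEAGE" "$APP_CERT_DIR" "$APP_USER"
    systemctl restart "$APP_UNIT"
fi
```

The script has to be executable (chmod 0755) for certbot to run it, and server.js then reads its key and chain from the destination directory instead of /etc/letsencrypt/live.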