Standard location for apache ssl certificates .key files.

Neil Wilson neil at brightbox.co.uk
Mon Aug 18 08:51:10 UTC 2008


2008/8/18 tacone <tacone at gmx.net>:
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that the files either don't exist or
> are empty.

That directory should have execute permissions by the ssl-cert group
and keys should be readable by members of the ssl-cert group.

Interestingly on the latest version of Hardy that seems to have
changed to unknown group #89.

> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location for storing SSL certificates to be used by Apache.
>
> Which directory? Which permissions? What's the best practice?

Certainly there needs to be a standard directory where https
certificates are stored. Ultimately those certificates might not be
used just by apache, but other httpd daemons like nginx. The reason I
store ours in /etc/ssl/ is so that switching between http daemons is
that much easier.

A solution would be to reinstate the ssl-certs group correctly in the
package controlling /etc/ssl/private, perhaps consider making the
directory setGID, and add the apache user to the ssl certs group.  It's
never a problem for nginx, which doesn't drop privileges.

-- 
Neil Wilson
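
The permission scheme discussed in this thread, as an added example that is not part of the original message: a POSIX shell function that audits a key directory for group traverse access, group-readable keys, no access for others, and daemon-account membership in the key group. The function name `audit_key_dir`, its arguments and the exact policy it enforces are assumptions of this example.

```shell
#!/bin/sh
# audit_key_dir DIR GROUP [USER]   (hypothetical helper, added example)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# Typical call on a Debian/Ubuntu host (run as root so the tree is readable):
#   audit_key_dir /etc/ssl/private ssl-cert www-data
audit_key_dir() {
    dir=$1; group=$2; user=${3:-}; bad=0

    # Directory: group-owned by GROUP, group may traverse (g+x),
    # and no read/write/execute bits for others.
    if [ -z "$(find "$dir" -prune -group "$group" -perm -010 \
                 ! -perm -004 ! -perm -002 ! -perm -001)" ]; then
        echo "DIR  $dir: want group $group with g+x and no access for others"
        bad=1
    fi

    # Key files: group-owned by GROUP, group-readable, not group-writable,
    # and no access at all for others. Anything else is listed.
    loose=$(find "$dir" -type f \( ! -group "$group" -o ! -perm -040 \
              -o -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/KEY  /'
        bad=1
    fi

    # Optional: a daemon that drops privileges can only read the keys
    # if its account is a member of GROUP.
    if [ -n "$user" ] && \
       ! id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        echo "USER $user is not a member of $group"
        bad=1
    fi

    return $bad
}
```

A group-membership change only takes effect for the daemon after it is restarted.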
