Standard location for apache ssl certificates .key files.
neil at brightbox.co.uk
Mon Aug 18 08:51:10 UTC 2008
2008/8/18 tacone <tacone at gmx.net>:
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that the files either don't exist or
> are empty.
That directory should have execute permissions for the ssl-cert group
and keys should be readable by members of the ssl-cert group.
Interestingly, on the latest version of Hardy that seems to have
changed to unknown group #89.
> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location for storing SSL certificates to be used by Apache.
> Which directory? Which permissions? What's the best practice?
Certainly there needs to be a standard directory where https
certificates are stored. Ultimately those certificates might not be
used just by Apache, but other httpd daemons like nginx. The reason I
store ours in /etc/ssl/ is so that switching between http daemons is
that much easier.
A solution would be to reinstate the ssl-cert group correctly in the
package controlling /etc/ssl/private, perhaps consider making the
directory setGID, and add the Apache user to the ssl-cert group. It's never
a problem for nginx, which doesn't drop privileges.
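
The layout proposed in the reply above (key directory traversable by the ssl-cert group, keys group-readable, nothing for other, optionally setgid) can be checked with a short audit script. This is an added example, not part of the original message; the function name `audit_keydir` and the `*.key` file naming are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a key directory for the layout
# discussed above. Needs GNU stat; run as root against /etc/ssl/private.

mode_of() { printf '%04d' "$(stat -c '%a' "$1")"; }   # e.g. 710 -> 0710
digit()   { printf '%s' "$1" | cut -c"$2"; }          # Nth digit of a mode

# audit_keydir DIR GROUP: print findings, return 0 if clean, 1 otherwise.
audit_keydir() {
    dir=$1; grp=$2; bad=0
    m=$(mode_of "$dir")
    [ "$(stat -c '%G' "$dir")" = "$grp" ] ||
        { echo "FAIL $dir: group is not $grp"; bad=1; }
    [ "$(digit "$m" 4)" = 0 ] ||
        { echo "FAIL $dir: other has access (mode $m)"; bad=1; }
    [ $(( $(digit "$m" 3) & 1 )) -eq 1 ] ||
        { echo "FAIL $dir: group cannot traverse (mode $m)"; bad=1; }
    # Informational only: setgid makes new files inherit the directory group.
    [ $(( $(digit "$m" 1) & 2 )) -eq 2 ] ||
        echo "NOTE $dir: not setgid, new keys will not inherit $grp"

    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue          # glob matched nothing
        m=$(mode_of "$key")
        [ "$(stat -c '%G' "$key")" = "$grp" ] ||
            { echo "FAIL $key: group is not $grp"; bad=1; }
        [ "$(digit "$m" 4)" = 0 ] ||
            { echo "FAIL $key: other has access (mode $m)"; bad=1; }
        [ $(( $(digit "$m" 3) & 4 )) -eq 4 ] ||
            { echo "FAIL $key: group cannot read (mode $m)"; bad=1; }
    done
    return "$bad"
}

# Usage: sh audit.sh /etc/ssl/private ssl-cert
if [ "$#" -eq 2 ]; then audit_keydir "$1" "$2"; fi
```

The script only reports; it changes no ownership or modes, and the exit status is non-zero when any FAIL line is printed.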