It recommends adding a user ‘solid’ for systemd to auto start the Solid server, so we created this user.
However, it wouldn’t start the server with the ‘solid’ user, but it does with ‘root’. When not running in verbose (-v) we get some output from systemd status solid:
Apr 12 01:15:58 ubuntu-2gb-nbg1-1 solid[11136]: ERROR Can’t find SSL key in /etc/letsencrypt/live/domain/privkey.pem
When checking the /etc/letsencrypt/live directory default permission I see it is only readable for root
4.0K drwx------ 3 root root 4.0K Apr 10 20:53 live
What is a secure / recommended solution to fix this issue?
Yes, this looks like a step was missed in ensuring that the created solid user is able to read the certs appropriately. The quickest approach to get you going would be:
Create a “certificates” group
Add user “solid” to that group
Change the permissions on /etc/letsencrypt/live/domain/ to be readable by the certificates group
For those using certbot, probably a better long-term approach would be to add a deploy-hook script that copies the certs into a space where the solid user is better permissioned (e.g. /etc/solid/certificates).
Will make an issue to get the documentation updated.
Thanks @justin. I’ll give it a try. The deploy-hook script isn’t documented in which parameters to change, and I got a rate limit from letsencrypt for force renewing, so I can see if the script will work next week.
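The deploy-hook approach suggested in the answer above could look like the following. This is an added example, not part of the thread or the Solid documentation. It relies on certbot setting RENEWED_LINEAGE to the renewed certificate's live directory when it runs a deploy hook; the group name "certificates" and the destination /etc/solid/certificates are taken from the answer, and the restart of the "solid" unit is an assumption.

```shell
#!/bin/sh
# Added example: certbot deploy hook that hands the renewed certificate to the
# unprivileged 'solid' user without opening up /etc/letsencrypt/live.
# Assumed names: group "certificates", destination /etc/solid/certificates.
set -eu

# deploy_certs SRC_DIR DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem so that only root and GROUP can read them.
deploy_certs() {
    dc_src=$1 dc_dest=$2 dc_group=$3
    [ -r "$dc_src/privkey.pem" ] && [ -r "$dc_src/fullchain.pem" ] || {
        echo "deploy_certs: missing PEM files in $dc_src" >&2
        return 1
    }
    mkdir -p "$dc_dest"
    chgrp "$dc_group" "$dc_dest"
    chmod 0750 "$dc_dest"                          # group may enter, others may not
    for dc_f in fullchain.pem privkey.pem; do
        dc_tmp=$(mktemp "$dc_dest/.$dc_f.XXXXXX")  # created with mode 0600
        cat "$dc_src/$dc_f" > "$dc_tmp"            # reads through the live/ symlink
        chgrp "$dc_group" "$dc_tmp"
        chmod 0640 "$dc_tmp"                       # owner rw, group r, others nothing
        mv -f "$dc_tmp" "$dc_dest/$dc_f"           # atomic replace inside one directory
    done
}

# Act only when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" /etc/solid/certificates certificates
    # Assumption: the service is the 'solid' systemd unit and reloads certs on restart.
    systemctl restart solid
fi
```

The script can be passed to certbot with `--deploy-hook` or placed in /etc/letsencrypt/renewal-hooks/deploy/, and the Solid configuration then has to point at the copied files. It can be checked without forcing a renewal by running it once as root with RENEWED_LINEAGE set to /etc/letsencrypt/live/domain.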