2008/8/18 tacone <[EMAIL PROTECTED]>:
> /etc/ssl/private seems the best option, but it's (correctly) readable
> only by root, so Apache complains that files either doesn't exist or
> it's empty.

That directory should have execute permissions by the ssl-cert group and keys should be readable by members of the ssl-cert group. Interestingly on the latest version of Hardy that seems to have changed to unknown group #89.

> We could easily create our own /etc/apache2/ssl/private directory
> owned by www-data, but first we'd like to know if there's already a
> standard location about storing SSL certificates to be used by Apache.
>
> Which directory ? Which permissions? What's the best practice ?

Certainly there needs to be a standard directory where https certificates are stored. Ultimately those certificates might not be used just by apache, but other httpd daemons like nginx. The reason I store ours in /etc/ssl/ is so that switching between http daemons is that much easier.

A solution would be to reinstate the ssl-certs group correctly in the package controlling /etc/ssl/private, perhaps consider setGID the directory, and add the apache user to the ssl certs group.

It's never a problem for nginx, which doesn't drop privileges.

--
Neil Wilson

--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
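As an added example (not part of the original thread or of any Ubuntu package), the following shell function audits a key directory against the layout the reply describes: the directory is traversable by a dedicated group, key files are group-readable, and others have no access. The names `check_key_dir` and `has_bits` are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. check_key_dir is a hypothetical helper.
# Usage: check_key_dir DIR GROUP   e.g. check_key_dir /etc/ssl/private ssl-cert
# Returns 0 if the layout matches, 1 otherwise. Findings go to stderr.
# Assumes GNU stat (-c). Run as root: listing DIR needs read permission on it.

# has_bits MODE MASK: true if any bit of octal MASK is set in octal MODE.
has_bits() {
    [ $(( 0$1 & 0$2 )) -ne 0 ]
}

check_key_dir() {
    ckd_dir=$1 ckd_group=$2 ckd_rc=0
    [ -d "$ckd_dir" ] || { echo "$ckd_dir: not a directory" >&2; return 1; }

    # Directory: expected group, group may traverse it, others get nothing.
    ckd_mode=$(stat -c %a "$ckd_dir")
    [ "$(stat -c %G "$ckd_dir")" = "$ckd_group" ] ||
        { echo "$ckd_dir: group is not $ckd_group" >&2; ckd_rc=1; }
    has_bits "$ckd_mode" 010 ||
        { echo "$ckd_dir: group lacks execute (mode $ckd_mode)" >&2; ckd_rc=1; }
    if has_bits "$ckd_mode" 007; then
        echo "$ckd_dir: accessible by others (mode $ckd_mode)" >&2; ckd_rc=1
    fi

    # Key files: expected group, group-readable, no access for others.
    for ckd_f in "$ckd_dir"/*; do
        [ -f "$ckd_f" ] || continue
        ckd_mode=$(stat -c %a "$ckd_f")
        [ "$(stat -c %G "$ckd_f")" = "$ckd_group" ] ||
            { echo "$ckd_f: group is not $ckd_group" >&2; ckd_rc=1; }
        has_bits "$ckd_mode" 040 ||
            { echo "$ckd_f: group cannot read (mode $ckd_mode)" >&2; ckd_rc=1; }
        if has_bits "$ckd_mode" 007; then
            echo "$ckd_f: accessible by others (mode $ckd_mode)" >&2; ckd_rc=1
        fi
    done
    return "$ckd_rc"
}
```

Whether the web server's user is actually a member of the group can be confirmed separately with `id -nG www-data`.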
