Permissions on lets encrypt directory

To allow apps using a dedicated user account to read certificates

src/freedombone-addcert

 
     update_default_domain
 
+    # this group can be used to assign read permissions for
+    # application user accounts
+    chgrp -R ssl-cert /etc/letsencrypt
+    chmod -R g=rX /etc/letsencrypt
+
     nginx_ensite ${LETSENCRYPT_HOSTNAME}
     systemctl start nginx
 

src/freedombone-app-matrix

 
     if [[ $ONION_ONLY == "no" ]]; then
         sed -i "s|tls_certificate_path:.*|tls_certificate_path: \"/etc/ssl/certs/${MATRIX_DOMAIN_NAME}.pem\"|g" "${filepath}"
-        sed -i "s|tls_private_key_path:.*|tls_private_key_path: \"/etc/ssl/private/${MATRIX_DOMAIN_NAME}.key\"|g" "${filepath}"
+        if ! grep -q '#tls_private_key_path' "${filepath}"; then
+            sed -i 's|tls_private_key_path|#tls_private_key_path|g' "${filepath}"
+        fi
         sed -i "s|tls_dh_params_path:.*|tls_dh_params_path: \"/etc/ssl/certs/${MATRIX_DOMAIN_NAME}.dhparam\"|g" "${filepath}"
     fi
     sed -i 's|8448|8449|g' "${filepath}"
     groupadd matrix
     useradd -c "Matrix system account" -d $MATRIX_DATA_DIR -m -r -g matrix matrix
     usermod -a -G www-data matrix
+    usermod -a -G ssl-cert matrix
 
     function_check install_turn
     install_turn
                 exit 73572
             fi
         fi
+        chgrp -R ssl-cert /etc/letsencrypt
+        chmod -R g=rX /etc/letsencrypt
     fi
 
     export DEBIAN_FRONTEND=noninteractive

src/freedombone-restore-local

     if [ -d $USB_MOUNT/backup/letsencrypt ]; then
         echo $"Restoring Lets Encrypt settings"
         restore_directory_from_usb / letsencrypt
+        chgrp -R ssl-cert /etc/letsencrypt
+        chmod -R g=rX /etc/letsencrypt
     fi
 }