albertito / chasquid

SMTP (email) server with a focus on simplicity, security, and ease of operation [mirror]

Home Page:https://blitiri.com.ar/p/chasquid/


Question about symlinking the certbot pem files...

lifeModder19135 opened this issue · comments

In the README which was generated inside /etc/chasquid/certs, it is recommended to use a symlink to point to /etc/letsencrypt/live/rapidev.org/{privkey,fullchain}.pem

Note the directory structure matches certbot's structure, so if you use it you can just create symlinks to /etc/letsencrypt/live/.

This is a great idea! Especially since my certs need regen every 90 days. I have a lot of subdomains, which equates to an entire day of headache every few months. Each cuttable corner is a blessing!

The issue is that the very next line in the README states:

Note also that the certificates and private keys must be readable by the chasquid user.

I don't see how these (symlinking and readability) can coexist when we aren't allowed to change the modes of the files in /etc/letsencrypt/live. I've already created softlinks with ln -s, but soft links look at the original for permissions.

For example, the file mode for my linked files is now 777 (rwxrwxrwx), yet cat fullchain.pem still outputs "permission denied."

The only workaround I can think of is to remove the -s flag from the ln command, but this is pointless because then the certs will not auto-update when I update the originals, and that is the only reason for linking in the first place. Is there a way around this?

Thanks in advance for your help! And for the MTA!

Are you sure they won't update? Does certbot create new files instead of overwriting them in place?

The recommended way is to use filesystem ACLs to give chasquid read access to the /etc/letsencrypt/live and /etc/letsencrypt/archive directories. New files in those directories inherit the ACLs from the parent, so after a cert renewal the new files will also be readable by chasquid.

This is documented in the how-to. In particular, this part sets up the ACLs on the letsencrypt certificates:

# Give chasquid access to the certificates.
# Dovecot does not need this as it reads them as root.
sudo setfacl -R -m u:chasquid:rX /etc/letsencrypt/{live,archive}

Does this help? Let us know if there's something still unclear!
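As an added example of what "readable by the chasquid user" means for symlinked certbot files, and of the ACL grant from the how-to in script form (this is the editor's script, not chasquid's or certbot's own code): it builds a constructed certbot-style tree, lists every path the kernel actually checks when the link is opened (the link's own lrwxrwxrwx mode is never one of them, which is why chmod on a symlink changes nothing), applies the setfacl grant, and shows a deploy hook that re-applies it after each renewal. It assumes Linux with GNU coreutils and the acl package; the user name chasquid, /etc/letsencrypt and the example.org lineage are illustrative defaults, and the demo tree is constructed, not a real certbot directory.

```shell
#!/bin/sh
# Added example (editor's, not chasquid's own code). Assumes Linux with GNU
# coreutils (readlink -f, stat -c) and, for the ACL parts, the acl package
# (setfacl/getfacl). CERT_USER and CERT_ROOT are illustrative defaults.
set -eu

CERT_USER=${CERT_USER:-chasquid}
CERT_ROOT=${CERT_ROOT:-/etc/letsencrypt}

# Build a constructed certbot-style tree under $1 for domain $2:
#   archive/<domain>/{privkey,fullchain}1.pem  the real files (key is 0600)
#   live/<domain>/{privkey,fullchain}.pem      relative symlinks into archive/
# The layout mirrors certbot's; the file contents are fake.
make_fake_letsencrypt() {
    root=$1; domain=$2
    mkdir -p "$root/archive/$domain" "$root/live/$domain"
    for name in privkey fullchain; do
        printf 'constructed %s for %s\n' "$name" "$domain" \
            > "$root/archive/$domain/${name}1.pem"
        ln -s "../../archive/$domain/${name}1.pem" "$root/live/$domain/$name.pem"
    done
    chmod 0700 "$root/archive" "$root/live"           # certbot's defaults
    chmod 0600 "$root/archive/$domain/privkey1.pem"
}

# Final target of a (possibly chained) symlink.
resolve_target() { readlink -f "$1"; }

# Directories from / down to the parent of $1, top-down, one per line.
ancestors() {
    chain=""
    p=$(dirname "$1")
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        chain="$p
$chain"
        p=$(dirname "$p")
    done
    printf '%s\n' "$chain"
}

# Every path the kernel checks when a process opens $1 through its symlink:
# each directory on the way to the link and to its target needs search (x),
# the target itself needs read (r). The link's own mode is never consulted.
access_path() {
    link="$(readlink -f "$(dirname "$1")")/$(basename "$1")"
    target=$(resolve_target "$1")
    { ancestors "$link"; ancestors "$target"; printf '%s\n' "$target"; } \
        | awk 'NF && !seen[$0]++'
}

# Show mode, owner and any ACL entries for each path on the access path, so
# the component that denies $CERT_USER is visible at a glance.
explain_access() {
    access_path "$1" | while IFS= read -r p; do
        stat -c '%A %U:%G %n' "$p" || echo "cannot stat $p"
        if command -v getfacl >/dev/null 2>&1; then
            getfacl --omit-header --skip-base "$p" 2>/dev/null | sed 's/^/    acl: /'
        fi
    done
}

# The how-to's grant, parameterized: read on files, search on directories
# (capital X), for everything currently under live/ and archive/.
grant_read_access() {
    user=$1; root=$2
    setfacl -R -m "u:$user:rX" "$root/live" "$root/archive"
}

# Certbot deploy hook (--deploy-hook, or a script in
# /etc/letsencrypt/renewal-hooks/deploy/): re-apply the grant after every
# renewal so the files certbot just wrote are covered however they were
# created. Certbot exports RENEWED_LINEAGE to deploy hooks; it is only logged.
deploy_hook() {
    echo "renewed ${RENEWED_LINEAGE:-unknown lineage}, refreshing ACLs"
    grant_read_access "$CERT_USER" "$CERT_ROOT"
}

# The real test of "readable by the chasquid user": try it as that user.
check_readable_as() {
    user=$1; shift
    for f in "$@"; do
        if sudo -u "$user" test -r "$f"; then echo "ok      $f"; else echo "DENIED  $f"; fi
    done
}

# Demo on a constructed tree; no root or real certificates needed.
demo_root=$(mktemp -d)
make_fake_letsencrypt "$demo_root" example.org
echo "Paths checked when opening live/example.org/privkey.pem:"
explain_access "$demo_root/live/example.org/privkey.pem"
if command -v setfacl >/dev/null 2>&1 && id -u "$CERT_USER" >/dev/null 2>&1 \
   && grant_read_access "$CERT_USER" "$demo_root" 2>/dev/null; then
    echo "After setfacl:"
    explain_access "$demo_root/live/example.org/privkey.pem"
else
    echo "(setfacl, user $CERT_USER or ACL support missing; ACL demo skipped)"
fi
rm -rf "$demo_root"
```

On the real server, `explain_access /etc/letsencrypt/live/<domain>/privkey.pem` run as root shows that the deny comes from the 0700 archive/ and live/ directories and the 0600 key, not from the link, and `check_readable_as chasquid /etc/letsencrypt/live/<domain>/*.pem` is the check worth running right after `setfacl` and again after the first renewal: if `getfacl` on the newest archive/ file then lacks the `user:chasquid:r--` entry, or shows it with an `#effective:---` mask, wiring `deploy_hook` into certbot re-applies the grant each time.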

Thank you. I should have thought of that. It was the README that threw me off, I guess. It recommended symlinking, so that's sort of the lens through which I was sort of viewing the situation. Thanks again. I'll be sure to star the repo if I haven't already.

I see! The installation guide mentions the symlinking but not the ACLs, and I think it's a good point that it can be confusing.

I'll update the doc to make it clearer, thanks for letting us know!

The documentation changes are in master and in v1.9.

Please reopen/comment further if there's any other suggestion, and thanks again for reporting this!