From 5a73c9a116da9cd2ee286e389e68965e508a301c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Pedro=20Toledo?=
Date: Tue, 27 Jan 2026 09:43:57 -0300
Subject: [PATCH] fix(ssl): chmod 644 keys to allow modsec access in shared volume
---
 scripts/renew_ssl.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/scripts/renew_ssl.sh b/scripts/renew_ssl.sh
index a97ed70..6d95780 100644
--- a/scripts/renew_ssl.sh
+++ b/scripts/renew_ssl.sh
@@ -49,12 +49,14 @@ for conf in /etc/nginx/conf.d/*.conf; do
 if [ -f "$LE_CERT" ]; then
 cp "$LE_CERT" "$CRT_FILE"
+ chmod 644 "$CRT_FILE"
 # Key file assumption: usually same name but .key/privkey.pem
 KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
 if [ -f "$KEY_FILE" ]; then
 # If key path is found, copy it
 cp "$LE_KEY" "$KEY_FILE"
+ chmod 644 "$KEY_FILE"
 else
 # Fallback: try to derive key path from cert path if variable is empty
 # (This handles edge cases where parsing failed but cert existed)
@@ -89,6 +91,8 @@ for conf in /etc/nginx/conf.d/*.conf; do
 -out "$CRT_FILE" \
 -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"
+ chmod 644 "$KEY_FILE" "$CRT_FILE"
+ echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
 fi
 done
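Review bot: `chmod 644 "$KEY_FILE"` makes the TLS private key readable by every account and every container that mounts the shared volume, which is wider than the ModSecurity access the commit message asks for; the bootstrap hunk applies the same mode to the self-signed key with `chmod 644 "$KEY_FILE" "$CRT_FILE"`. Keep 644 for the certificate only and grant the key through group ownership instead, for example `chgrp "$SSL_GROUP" "$KEY_FILE" && chmod 640 "$KEY_FILE"`, where `SSL_GROUP` is a placeholder for a GID shared by the nginx and modsec containers. The `else` fallback continues outside this hunk, so whether a key copied on that path gets any explicit mode cannot be checked from here.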
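Review bot: The result of the `chmod` added after the `-subj` line is not checked, so on a volume that refuses the mode change the script still prints "Nginx should be able to start" while the files keep whatever mode they were created with. Unless the script runs under `set -e` (not visible in this hunk), append a failure branch to that line, e.g. `|| echo "[SSL-Renew] WARNING: chmod failed for $DOMAIN" >&2`, so the condition this commit is fixing shows up in the renewal log. The enclosing `if` block and `for` loop start outside the hunk.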