fix(ssl): chmod 644 keys to allow modsec access in shared volume

2026-01-27 09:43:57 -03:00 · 2026-01-27 09:43:57 -03:00 · 5a73c9a116
parent 6ddf679e9c
commit 5a73c9a116
1 changed files with 4 additions and 0 deletions
--- a/scripts/renew_ssl.sh
+++ b/scripts/renew_ssl.sh
@ -49,12 +49,14 @@ for conf in /etc/nginx/conf.d/*.conf; do
                
                if [ -f "$LE_CERT" ]; then
                    cp "$LE_CERT" "$CRT_FILE"
+                    chmod 644 "$CRT_FILE"
                    
                    # Key file assumption: usually same name but .key/privkey.pem
                    KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
                    if [ -f "$KEY_FILE" ]; then
                        # If key path is found, copy it
                        cp "$LE_KEY" "$KEY_FILE"
+                        chmod 644 "$KEY_FILE"
                    else
                        # Fallback: try to derive key path from cert path if variable is empty
                        # (This handles edge cases where parsing failed but cert existed)
@ -89,6 +91,8 @@ for conf in /etc/nginx/conf.d/*.conf; do
          -out "$CRT_FILE" \
          -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"
          
+        chmod 644 "$KEY_FILE" "$CRT_FILE"
+          
        echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
    fi
 done