Fix SSL cert and key permissions

[tombooth]

It is bad practice to use 644 on a private key so we
have migrated the key mode to 0400. The cert is already
avaliable publicly through nginx so we have allowed it
0444.

Nothing should need to write either the cert of the key
after puppet has run, so we have denied any writing.

[abraham1901]

Hello
Thanks for you work.
Yes, read for other isn't good.
But read only user - sometime is trouble, when private key used other application.
0440 - good.

[dcarley]

I'm not sure there's any benefit to using 0440 when the default group is "root". Other UID==0 processes will be able to read the file anyway. I'd venture that anything UID>0 and not Nginx should probably have it's own copy outside of Nginx's config dir.

[abraham1901]

You can change group for private key.

[jfryman]

@dcarley let's go with 0440 in order to potentially avoid any breakage for folks that use group permissions on this file.

[tombooth]

I've push a commit to allow the key's group permission to read the file

[jfryman]

🤘

[ghost]

Is there a way for this module to have parameters like ssl_owner and/or ssl_mode?

I see you've settled on www-data 400... but in my humble opinion, perms on private key must be root - 0400. This is just in case you server gets compromised somehow (i.e.: php shell); it is then not possible for any of your nginx processes to retrieve your private keys. This way, broken code somewhere in your application won't mean an attacker can decrypt your communications... or have you regenerate your expensive certs.

Cheers!