From 46549c68631aaedcfd923f5281bb9b5ad89f9f8f Mon Sep 17 00:00:00 2001
From: Jim Hague <jim.hague@acm.org>
Date: Wed, 6 Sep 2023 14:22:51 +0100
Subject: [PATCH] Ensure new certificates are readably by ssl-cert group
 members.

---
 states/certificates/dehydrated/hooks/deploy.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/states/certificates/dehydrated/hooks/deploy.sh b/states/certificates/dehydrated/hooks/deploy.sh
index 4e41d00..c5ded96 100755
--- a/states/certificates/dehydrated/hooks/deploy.sh
+++ b/states/certificates/dehydrated/hooks/deploy.sh
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 #
 # Copy dehydrated generated certs into /var/local/certificates and
-# set required ownership. Also restart local services as appropriate.
+# set required ownership and permissions. Also restart local services
+# as appropriate.
 
 action=$1
 shift
@@ -9,6 +10,8 @@ shift
 deploy_cert() {
     cp -a /var/lib/dehydrated/certs/* /var/local/certificates/
     chown -R root:ssl-cert /var/local/certificates/
+    find /var/local/certificates/ -type d -print0 | xargs -0 chmod g+rx
+    find /var/local/certificates/ -type f -print0 | xargs -0 chmod g+r
 
     DOMAIN="$1"
     case $DOMAIN in