srvrco / getssl

Obtain free SSL certificates from the letsencrypt ACME server. Suitable for automating the process on remote servers.
GNU General Public License v3.0

Feature Request: Change private key ownership #816

Open ian-abbott opened 12 months ago

ian-abbott commented 12 months ago

Some services (such as the MySQL daemon) might not run as root (or the user that runs getssl), but might need access to the private key. On some systems, that is done by making the private key readable by members of the "ssl-cert" group. Then the service that needs to read the private key can be made to run as a user that is a member of the ssl-cert group.

getssl creates private keys with mode 0600 owned by the effective user and group. It would be nice if there was an option to change some of those. For example, setting a PRIVATE_KEY_GROUP_OWNER variable to a group name (e.g. "ssl-cert") or GID could result in the group owner being changed to that group and the mode being changed to 0640.

There are also the various .pem files that get the private key bundled in (DOMAIN_KEY_CERT_LOCATION and DOMAIN_PEM_LOCATION) to consider.
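A sketch of how the requested group-owner handling could be applied to every file that carries the private key, added here as an example; it is not getssl's own code and not part of this issue. The variable name PRIVATE_KEY_GROUP_OWNER and the two bundled-PEM locations come from the request above; the function names, the accepted name-or-GID form, the choice to resolve names through getent(1), and the placeholder paths in the usage comment are assumptions. The mode is widened to 0640 only after the group has been switched, and the result is verified so a mistyped group cannot silently leave the key unchanged or hand it to the wrong group.

```shell
#!/bin/sh
# Added example, not getssl's own code: apply a configured group owner and
# mode 0640 to every file that contains the private key (the key itself plus
# the bundled DOMAIN_KEY_CERT_LOCATION and DOMAIN_PEM_LOCATION files).
set -u

# Turn a group name or numeric GID into a numeric GID.
# A name must exist in the group database (looked up via getent, an assumption
# about the platform); a numeric GID is accepted as chgrp itself would accept it.
# Prints nothing and returns 1 for an unknown name.
resolve_gid() {
    case "$1" in
        *[!0-9]*|'')
            _gid=$(getent group "$1" 2>/dev/null | cut -d: -f3)
            [ -n "$_gid" ] || return 1
            ;;
        *) _gid=$1 ;;
    esac
    printf '%s\n' "$_gid"
}

# True if the file is a regular file, exactly mode 0640 and owned by the group.
# find(1)'s -perm/-group are used so this works without GNU stat(1).
key_file_is_restricted() {
    [ -n "$(find "$1" -type f -perm 640 -group "$2" -print 2>/dev/null)" ]
}

# Restrict one file: change the group first, then widen the mode to 0640, so
# there is no window in which the previous group can read the key.
restrict_key_file() {
    _file=$1
    _gid=$2
    [ -f "$_file" ] || { echo "skip: $_file does not exist" >&2; return 1; }
    chgrp "$_gid" "$_file" || return 1
    chmod 0640 "$_file" || return 1
    key_file_is_restricted "$_file" "$_gid"
}

# Apply to every key-bearing file. Arguments: group (name or GID), then files.
# Returns non-zero if the group is unknown or any file could not be restricted.
restrict_private_key_files() {
    _group=$1
    shift
    _gid=$(resolve_gid "$_group") || { echo "unknown group: $_group" >&2; return 1; }
    _rc=0
    for _f in "$@"; do
        restrict_key_file "$_f" "$_gid" || _rc=1
    done
    return $_rc
}

# How getssl might call it after writing the key (paths are placeholders):
# restrict_private_key_files "${PRIVATE_KEY_GROUP_OWNER}" \
#     "${DOMAIN_DIR}/example.com.key" \
#     "${DOMAIN_KEY_CERT_LOCATION}" "${DOMAIN_PEM_LOCATION}"
```

Leaving the user owner untouched and only adding group read keeps the key out of reach of every other account on the host, which is the least-privilege outcome the "ssl-cert" convention is meant to give.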