From 552191ecace3874902782463280df8329cd77e65 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Thu, 16 Apr 2020 10:09:26 +0200 Subject: [PATCH] dnsdist: Document the cert/key permissions in DoT and DoH guides --- pdns/dnsdistdist/docs/guides/dns-over-https.rst | 4 +++- pdns/dnsdistdist/docs/guides/dns-over-tls.rst | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/pdns/dnsdistdist/docs/guides/dns-over-https.rst b/pdns/dnsdistdist/docs/guides/dns-over-https.rst index 353ba944bf..339e3563ba 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-https.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-https.rst @@ -35,4 +35,6 @@ In case you want to run DNS-over-HTTPS behind a reverse proxy you probably don't To let dnsdist listen for DoH queries over HTTP on localhost at port 8053 add one of the following to your config:: addDOHLocal("127.0.0.1:8053") - addDOHLocal("127.0.0.1:8053", nil, nil, "/", { reusePort=true }) \ No newline at end of file + addDOHLocal("127.0.0.1:8053", nil, nil, "/", { reusePort=true }) + +A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. diff --git a/pdns/dnsdistdist/docs/guides/dns-over-tls.rst b/pdns/dnsdistdist/docs/guides/dns-over-tls.rst index bb201aa309..27b681dd1a 100644 --- a/pdns/dnsdistdist/docs/guides/dns-over-tls.rst +++ b/pdns/dnsdistdist/docs/guides/dns-over-tls.rst 
@@ -16,3 +16,5 @@ In order to support multiple certificates and keys, for example an ECDSA and an addTLSLocal('192.0.2.55', {'/etc/ssl/certs/example.com.rsa.pem', '/etc/ssl/certs/example.com.ecdsa.pem'}, {'/etc/ssl/private/example.com.rsa.key', '/etc/ssl/private/example.com.ecdsa.key'}) The certificate chain presented by the server to an incoming client will then be selected based on the algorithms this client advertised support for. + +A particular attention should be taken to the permissions of the certificate and key files. Many ACME clients used to get and renew certificates, like CertBot, set permissions assuming that services are started as root, which is no longer true for dnsdist as of 1.5.0. For that particular case, making a copy of the necessary files in the /etc/dnsdist directory is advised, using for example CertBot's ``--deploy-hook`` feature to copy the files with the right permissions after a renewal. -- 2.39.5
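Review bot: in the dns-over-https.rst hunk, the new paragraph opens with "A particular attention should be taken to the permissions", which is not idiomatic; suggest "Particular attention should be paid to the permissions of the certificate and key files." The tool is spelled "Certbot" by its authors, not "CertBot". The paragraph would also be easier to act on if it named the target state rather than only "the right permissions": the files must be readable by the unprivileged user dnsdist runs as, and the private key should not be readable by anyone else. Since this is a caveat rather than a configuration step, wrapping it in a `.. note::` directive would make it stand out in the rendered guide instead of running on from the `addDOHLocal` example.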
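Review bot: the paragraph added in the dns-over-tls.rst hunk duplicates the DoH guide's text word for word, so the two copies will drift apart the next time one is edited (the 1.5.0 version reference or the Certbot flag name, for instance). Suggest keeping the text in one place, either as a shared snippet pulled into both guides with `.. include::`, or as a section in one guide that the other points to with a `:doc:` cross-reference. The same wording fixes apply to this copy: "Particular attention should be paid to", and "Certbot".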