Cannot read file /etc/letsencrypt/live/mx.example.com/fullchain.pem

[Th-Barth]

Hello,
I would like to check the expire date of a remote certificate created by letsencrypt. When I start check_ssl_cert on the console as root I get a nice output:
/usr/local/nagios/libexec/check_ssl_cert -f /etc/letsencrypt/live/mx.example.com/fullchain.pem -w 30 -c 15
SSL_CERT OK - localhost:443, https, x509 certificate 'mx.example.com' from 'Let's Encrypt' valid until Sep 11 12:37:02 2024 GMT (expires in 85 days)|days_chain_elem1=85;30;15;; days_chain_elem2=998;30;15;;

But when I call this script remote with nrpe, the cert file cannot be read. Of course, the owner of the file is root:root.

How do you handle the rights for this script so that it can read root:root cert files?

[matteocorti]

nrpe does not run as root. This means that the certificate must be world readable or readable by a group which includes the nrpe user. On my machine fullchain.pem is a symlink to ../../archive/mx.example.org-0003/fullchain30.pem.

ls -ld /etc/letsencrypt/archive/
drwxr-x---. 6 root ssl-cert 4096 Jan  1  2021 /etc/letsencrypt/archive/

You should then add the nrpe user to the ssl-cert group.