open localhost.pem permission denied

[IntelligenceInside]

generated openssl certificate on Ububtu

openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 -keyout localhost.pem -out localhost.pem

i then generated my own openssl key and then created certificate

I'm now getting this error on starting dnscrypt-proxy

[2026-01-03 19:35:39] [NOTICE] Source [odoh-relays] loaded
[2026-01-03 19:35:39] [NOTICE] Firefox workaround initialized
[2026-01-03 19:35:39] [FATAL] open localhost.pem: permission denied

cc:
dcpt.txt
dnscrypt-proxy txt file.

[ismaildasci]

the permission error is because dnscrypt-proxy runs as a non-privileged user (usually dnscrypt) but your certificate file is only readable by root.

fix the permissions:

# check current permissions
ls -la localhost.pem

# option 1: add read permission for others
sudo chmod 644 localhost.pem

# option 2: change owner to dnscrypt user
sudo chown dnscrypt:dnscrypt localhost.pem

# option 3: move cert to dnscrypt config dir
sudo mv localhost.pem /etc/dnscrypt-proxy/
sudo chmod 644 /etc/dnscrypt-proxy/localhost.pem

also update your dnscrypt-proxy.toml to use the full path:

cert_file = "/etc/dnscrypt-proxy/localhost.pem"

important: make sure the private key is not world-readable if its in the same file. for production you should separate cert and key:

# generate separate key and cert
openssl req -x509 -nodes -newkey rsa:2048 -days 5000 -sha256 \
  -keyout localhost.key -out localhost.crt

# key should be readable only by dnscrypt user
sudo chown dnscrypt:dnscrypt localhost.key
sudo chmod 600 localhost.key

# cert can be readable by all
sudo chmod 644 localhost.crt

then update config to reference both files.

after fixing, restart dnscrypt-proxy:

sudo systemctl restart dnscrypt-proxy