DERP container cannot read certs if file permissions incorrect
critical | security | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
When the certificate files in /root/derper-data lack the correct permissions (fullchain.pem not 644 or privkey.pem not 600), the DERP container cannot read the certificates. The SSL handshake then fails, which manifests as curl hanging on Client Hello.
Recommended action:
Run chmod 644 on derp.example.com.crt (fullchain) and chmod 600 on derp.example.com.key (privkey) in /root/derper-data. Verify that the container can read them by checking that curl -Iv https://derp.example.com:3443 returns HTTP/1.1 200 OK with "SSL certificate verify ok".
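
Added example (not part of the original entry): a POSIX shell audit of the two file modes named above, with an optional repair. The function names and the --fix flag are hypothetical; the default directory and hostname are the entry's own example values.

```shell
#!/bin/sh
# Added example: audit (and optionally repair) DERP certificate file modes.
# Assumptions: default directory and hostname are the entry's example values;
# file_mode, check_one, check_derp_certs and --fix are hypothetical names.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_one FILE EXPECTED_MODE FIX(0|1): returns 0 if the mode is (now) correct.
check_one() {
    f=$1; want=$2; fix=$3
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    have=$(file_mode "$f")
    if [ "$have" = "$want" ]; then
        echo "OK       $f ($have)"
        return 0
    fi
    if [ "$fix" -eq 1 ]; then
        chmod "$want" "$f" && echo "FIXED    $f ($have -> $want)" && return 0
    fi
    echo "BAD      $f (mode $have, expected $want)"
    return 1
}

# check_derp_certs DIR HOSTNAME [--fix]: returns the number of files still wrong.
check_derp_certs() {
    dir=${1:-/root/derper-data}; host=${2:-derp.example.com}
    fix=0; [ "${3:-}" = "--fix" ] && fix=1
    bad=0
    check_one "$dir/$host.crt" 644 "$fix" || bad=$((bad + 1))   # fullchain
    check_one "$dir/$host.key" 600 "$fix" || bad=$((bad + 1))   # privkey
    return "$bad"
}

# Run only when arguments are given, e.g.: sh check.sh /root/derper-data derp.example.com --fix
if [ "$#" -gt 0 ]; then check_derp_certs "$@"; exit $?; fi
```

A non-zero exit status is the count of files that are missing or still have the wrong mode, so the script can gate a container restart or a monitoring check.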