Hi
We were trying to update one of our certs which is expiring. Here are the steps we followed.
1. Created a new keystore with renewed cert.
2. Created a keystore reference to use in virtualhost.
3. Updated the virtualhost to use new keystore reference.
After this we don't see the new cert updated on router. When we checked the edge-router system logs, we saw this error
2018-02-07 15:52:15,270 Apigee-Main-5 ERROR LB-SYNC - FileWriter.write() : Reason java.io.FileNotFoundException: /opt/nginx/conf.d/{certfile} (Permission denied)
Edge-router is running with apigee user and all the files under /opt/nginx are also owned by apigee user. But the cert file had 400 permissions, so apigee user was not able to open the cert file with write permissions to update its content. We changed the file permissions to 600 and then did step 3 once again. Now the cert file got updated without errors and we can see the renewed cert on router.
So whenever we want to update a cert, should we give write permission to the respective cert so it can update itself? Is there a way the update API call can give write permission to the cert file or force write the contents without any manual intervention?
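
Added example, not part of the original post and not Apigee tooling: a pre-renewal audit that lists files in the router's conf directory whose mode lacks the owner-write bit (the 400 case in the log above), flags any that group or other can access, and adds owner-write only, which turns 400 into 600 without widening access. The function names are hypothetical, and the directory to check is passed as an argument (the post's path is /opt/nginx/conf.d).

```shell
#!/usr/bin/env bash
# Added example: audit cert/key files before a keystore update.
# Function names are hypothetical; pass the directory to check as $1.

# Files whose mode lacks owner-write (e.g. 0400). A process running as the
# owner still gets "Permission denied" when it opens such a file for writing.
list_owner_readonly() {
    find "$1" -maxdepth 1 -type f ! -perm -200 -print | sort
}

# Files that group or other can read or write; key material should be 0600.
list_overexposed() {
    find "$1" -maxdepth 1 -type f \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print | sort
}

# Add owner-write only to the files found above (0400 becomes 0600).
# Group/other bits are left untouched so nothing is silently widened.
make_owner_writable() {
    list_owner_readonly "$1" | while IFS= read -r f; do
        chmod u+w -- "$f" && printf 'owner-write added: %s\n' "$f"
    done
}

# Stand-alone use: ./audit.sh <conf-dir> [--fix]
if [ "$#" -ge 1 ]; then
    echo "Not writable by owner:"; list_owner_readonly "$1"
    echo "Accessible by group/other:"; list_overexposed "$1"
    if [ "${2:-}" = "--fix" ]; then
        make_owner_writable "$1"
    fi
fi
```

Run it as the user that owns the files, before repeating the virtualhost update.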