Score: 0

permission denied error for letsencrypt certificates

This error is from dovecot, where it can't read the certificate because of permissions. I tried changing permissions around; presently I have everything on 644. I understand the paths are only links to /etc/letsencrypt/archives file paths, so I really don't know what's going on. I don't know how perms on links affect the targets.

```
mail dovecot: imap(example_user)<28542><mxY1sjPSlsxHvuNn>: 
 Panic: Settings check unexpectedly failed: ssl_client_ca_dir: 
 access(/etc/letsencrypt/live/mail.servicemouse.com) failed: Permission denied
```

Score: 0

You need to set reasonable permissions for both the directory where the links are (/etc/letsencrypt/live) and the real files (/etc/letsencrypt/archives). And fix it each time you renew certificates, because new files get "secure" permissions. The following script is what I used some time ago:

```bash
#!/bin/bash

#use: certbot renew --post-hook /usr/local/bin/certbot-renew-fix-file-access.sh

# Directories: root keeps full control. live/ and archive/ get "x" only for
# group and others, which is enough to traverse them but not to list them;
# the per-domain directories below them are open to the service group only.
chmod 0755 /etc/letsencrypt/
chmod 0711 /etc/letsencrypt/live/
chmod 0750 /etc/letsencrypt/live/example.com/
chmod 0711 /etc/letsencrypt/archive/
chmod 0750 /etc/letsencrypt/archive/example.com/
# Certificates and private keys: readable by owner and service group, nothing for others.
chmod 0640 /etc/letsencrypt/archive/example.com/{cert,chain,fullchain}*.pem
chmod 0640 /etc/letsencrypt/archive/example.com/privkey*.pem

# The service group owns everything below the per-domain directories, so the
# "group" mode bits above are what the mail services actually get.
chown root:root /etc/letsencrypt/
chown root:root /etc/letsencrypt/live/
chown root:mail /etc/letsencrypt/live/example.com/
chown root:root /etc/letsencrypt/archive/
chown root:mail /etc/letsencrypt/archive/example.com/
chown root:mail /etc/letsencrypt/archive/example.com/{cert,chain,fullchain}*.pem
chown root:mail /etc/letsencrypt/archive/example.com/privkey*.pem

# Services that loaded the old certificate must be restarted to pick up the new one.
/etc/init.d/postfix restart
/etc/init.d/cyrus restart
/etc/init.d/apache2 restart
```

You need to adapt the host name, the group name under which your services run if it's not mail, and the services which need to pick up the new cert after renewal.
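To find out which component of the chain is actually refusing a given service account, here is an added diagnostic (my own code, not from the answer above or from certbot) that walks a path the way the kernel does, following certbot's relative symlinks from live/ into archive/, and reports the first directory or file that denies the user. The temp-dir tree, the uid 12345 and the name `mail.example.com` in `demo()` are constructed for the demonstration.

```python
import os, pwd, grp, stat, tempfile

def user_ids(username):
    # uid plus primary and supplementary gids of a login name, e.g. user_ids("dovecot")
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

def explain_access(path, uid, gids, want="r"):
    # Kernel-style walk: every directory needs 'x', symlinks are followed (relative targets from the
    # link's own directory), the final object needs `want`. Returns (ok, rows of (path, mode, verdict)).
    trace, cur, hops = [], "/", 0
    parts = [p for p in os.path.abspath(path).split("/") if p]
    while parts:
        name = parts.pop(0)
        if name in (".", ".."):
            cur = os.path.dirname(cur) if name == ".." else cur
            continue
        here = os.path.join(cur, name)
        st = os.lstat(here)
        if stat.S_ISLNK(st.st_mode):
            if (hops := hops + 1) > 40: raise OSError("too many levels of symbolic links")
            target = os.readlink(here)
            trace.append((here, "-> " + target, "symlink, following"))
            cur = "/" if target.startswith("/") else cur
            parts = [p for p in target.split("/") if p] + parts
            continue
        need = "x" if parts else want  # intermediate directories need search permission
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0  # owner / group / other bits
        ok = uid == 0 or bool((st.st_mode >> shift) & {"r": 4, "w": 2, "x": 1}[need])  # root bypasses DAC
        trace.append((here, stat.filemode(st.st_mode), "need %s: %s" % (need, "ok" if ok else "DENIED")))
        if not ok:
            return False, trace
        cur = here
    return True, trace

def demo():
    # Constructed miniature of certbot's tree in a temp dir (not the real /etc/letsencrypt): archive/ is
    # left at 0700 as certbot creates it, and the caller is a non-owner who is in the tree's group.
    root = tempfile.mkdtemp()
    live, arch = os.path.join(root, "live", "mail.example.com"), os.path.join(root, "archive", "mail.example.com")
    for d in (live, arch): os.makedirs(d)
    key, link = os.path.join(arch, "privkey1.pem"), os.path.join(live, "privkey.pem")
    open(key, "w").close()
    os.symlink("../../archive/mail.example.com/privkey1.pem", link)  # certbot's links are relative
    for p, m in ((root, 0o711), (os.path.dirname(live), 0o711), (live, 0o750),
                 (os.path.dirname(arch), 0o700), (arch, 0o750), (key, 0o640)):
        os.chmod(p, m)
    uid, gids = 12345, {os.stat(key).st_gid}  # like dovecot: not root, but a member of the `mail` group
    before, trace = explain_access(link, uid, gids)
    os.chmod(os.path.dirname(arch), 0o710)  # the answer's fix for archive/: the group may traverse it
    after, _ = explain_access(link, uid, gids)
    return before, os.path.basename(trace[-1][0]), after
```

On a live system run `ok, trace = explain_access("/etc/letsencrypt/live/mail.example.com/fullchain.pem", *user_ids("dovecot"))` and print the trace rows; the first DENIED row is the component to fix. `namei -l PATH` from util-linux prints the same chain of modes, but does not evaluate them for a particular user.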

fugee ohu: Are you running Ubuntu? What do you mean by adapt?

fugee ohu: All those perms have to be so specific that you can't use one perms mask with the -R option?

Nikita Kipriyanov: No, I never run Ubuntu on a server, but this doesn't matter. `certbot` does the same everywhere. The perms are minimal, but still allow it to work. You can allow everything to everyone; that will be even easier and shorter, but I don't think this is very secure.

fugee ohu: Everything is chowned root:root on my system. Why set the group to mail?

Nikita Kipriyanov: Notice I change not only the group to `mail` but also the perms to `xx0` for some objects. So only mail services (which belong to the `mail` group) will be able to access those private keys. You can do it a simpler way, but it will be less secure. The presented script shows the most secure way to do it (e.g. you'll need to have these keys with these permissions somewhere, one way or another).

fugee ohu: And then you would add the users postfix and dovecot to the group mail? I don't know what xx0 means. Please tell me: if I just ran `chmod -R 644 /etc/letsencrypt/archive`, do you think that would do it?

Nikita Kipriyanov: Postfix `master` runs as `root`, so it reads certificates/keys as root and then drops privileges. Apache does the same; notice I restart it, not reload. It's cyrus which runs as `cyrus:mail` on my server and so requires this setup. I never use dovecot and I don't know how it runs its processes; the setup is generic. You can set permissions as you wish, but **I *would not* recommend permitting access to everyone**, like 644 does. By the term "xx0" I mean "everyone" does not have any access; e.g. real modes could be 640, 440, 400, 750, 100, e.g. something (appropriate) which ends with zero.

fugee ohu: How can I see what user and group a process runs as?

Nikita Kipriyanov: Technically, `ps axu`, but **read the documentation on your particular software**. Postfix runs some processes as root, some as nobody, for example; it is covered in depth in the documentation, while with this brief exploration you can miss this fact.

fugee ohu: So I found postfix, dovecot and cyrus all running as root, with no mention of a group.

fugee ohu: I ran the script; I still have the same problem.

Laenka-Oss: +1, also answers this: Issue #5257 https://github.com/certbot/certbot/issues/5257