certbot creates a challenge owned by root:root and permissions 640 and apache can't access it - custom ACLs applied on parent directory

Mikey A. Leonetti

6/7/23, 8:35 PM

On my server I have special permissions that I set on my public_html folder.

First the sticky bit

chmod g+s /home/domain.com/public_html

Also default group permissions.

setfacl -m 'default:group::rwX' /home/domain.com/public_html

When I run my certbot command

certbot certonly \
        --webroot \
        -w /home/domain.com/public_html/ -d domain.com

certbot will create a .well-known/acme-challenge in the public_html folder with the correct permissions. It even keeps the correct group name. However, the acme challenge itself will have the following.

-rw-r-----  1 root                 root                   87 Feb  7 17:27 ELnik5A0krJsKUsL2If1mVfd2pSzWJAiSSjhA6h-f5E

It's owned by root and has the group root and can't be read by apache2. So the whole operation fails.

Adding --debug-challenges will allow it to pause so I can manually fix it, but I have a feeling renewing might be an issue.

What are my options here to fix this?

0 + 0

ubuntu

access-control-list

lets-encrypt

apache2

certbot

NiKiZe

6/7/23, 10:12 PM

I would ask "why are you running certbot as root", you might want to consider running it as a more limited user. even if it does not solve your current issue.

Score:1

Server

drookie

6/10/23, 4:46 AM

Well, you're merely overcomplicating things. Like a lot. No need to make webserver to deal with all of your special permissions and stuff: just make it it's own webroot for challenges with simple permissions (it will host the files like 0.0001% of its lifetime, and 99.9999% will just stay empty, so it can be considered totally safe):

for nginx it would be

    location ~* /.well-known/acme-challenge {
        allow all;
        rewrite ^/(.*)$ /$1;
        root /var/www/le;
        break;
    }

and for abandonware like (not sure, not using it for decades)

    Alias "/.well-known/acme-challenge" "/var/www/le"

(but seriously, get rid of the Apache, it's a museum stuff, most people got rid of it in the early '10s)

and then simply invoke the certbot with the new webroot:

certbot certonly --webroot -w /var/www/le -d foo.bar

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: certbot creates a challenge owned by root:root and permissions 640 and apache can't access it - custom ACLs applied on parent directory

TH: certbot สร้างความท้าทายที่เป็นของ root:root และสิทธิ์ 640 และ apache ไม่สามารถเข้าถึงได้ - ACL แบบกำหนดเองที่ใช้กับไดเร็กทอรีหลัก

RO: certbot creează o provocare deținută de root:root și permisiunile 640 și apache nu o poate accesa - ACL-uri personalizate aplicate în directorul părinte

RU: certbot создает вызов, принадлежащий root:root и разрешения 640, и apache не может получить к нему доступ - настраиваемые ACL применяются к родительскому каталогу

VI: certbot tạo một thách thức thuộc sở hữu của root:root và quyền 640 và apache không thể truy cập nó - ACL tùy chỉnh được áp dụng trên thư mục mẹ

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.