certbot creates a challenge owned by root:root and permissions 640 and apache can't access it - custom ACLs applied on parent directory

On my server I have special permissions that I set on my public_html folder.

First the sticky bit

    chmod g+s /home/domain.com/public_html

Also default group permissions.

    setfacl -m 'default:group::rwX' /home/domain.com/public_html

When I run my certbot command

    certbot certonly \
        --webroot \
        -w /home/domain.com/public_html/ -d domain.com

certbot will create a .well-known/acme-challenge in the public_html folder with the correct permissions. It even keeps the correct group name. However, the acme challenge itself will have the following.

    -rw-r-----  1 root                 root                   87 Feb  7 17:27 ELnik5A0krJsKUsL2If1mVfd2pSzWJAiSSjhA6h-f5E

It's owned by root and has the group root and can't be read by apache2. So the whole operation fails.

Adding --debug-challenges will allow it to pause so I can manually fix it, but I have a feeling renewing might be an issue.

What are my options here to fix this?

I would ask "why are you running certbot as root?"; you might want to consider running it as a more limited user, even if it does not solve your current issue.


Well, you're merely overcomplicating things. Like, a lot. No need to make the webserver deal with all of your special permissions and stuff: just make it its own webroot for challenges with simple permissions (it will host the files for like 0.0001% of its lifetime, and 99.9999% of the time it will just stay empty, so it can be considered totally safe):

for nginx it would be

    location ~* /.well-known/acme-challenge {
        allow all;
        rewrite ^/(.*)$ /$1;
        root /var/www/le;
        break;
    }

and for abandonware like (not sure, haven't used it for decades)

    Alias "/.well-known/acme-challenge" "/var/www/le"

(but seriously, get rid of Apache, it's museum stuff, most people got rid of it in the early '10s)

and then simply invoke the certbot with the new webroot:

    certbot certonly --webroot -w /var/www/le -d foo.bar

mangohost
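A small check for the situation in the question, added here as an example that is not part of the question or the answer: it prepares a dedicated challenge webroot with plain permissions, like the one the answer suggests, and lists any token file the web server user could not read. It assumes the 0640 mode seen in the question comes from the umask certbot ran under, and simulates that with umask instead of running certbot.

```shell
#!/bin/sh
# Added example, not from the thread. POSIX sh; uses only mkdir, chmod,
# find and mktemp.

# Prepare a dedicated challenge webroot with simple, predictable modes
# (0755 directories, no ACLs, no setgid), as the answer recommends.
prepare_webroot() {
    root="$1"
    mkdir -p "$root/.well-known/acme-challenge"
    chmod 755 "$root" "$root/.well-known" "$root/.well-known/acme-challenge"
}

# Print every regular file under the challenge directory that lacks the
# "other read" bit: those are the tokens a non-root web server cannot serve,
# which is exactly the -rw-r----- root:root case from the question.
unreadable_challenges() {
    dir="$1/.well-known/acme-challenge"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    find "$dir" -type f ! -perm -004
}

# Demonstration on a constructed temporary directory (no certbot involved).
demo() {
    tmp=$(mktemp -d)
    prepare_webroot "$tmp"
    # Assumed cause of the 0640 file: a restrictive umask (027) at run time.
    ( umask 027; echo "token.thumbprint" > "$tmp/.well-known/acme-challenge/TOKEN_A" )
    # The same write under the usual umask 022 yields a 0644, servable file.
    ( umask 022; echo "token.thumbprint" > "$tmp/.well-known/acme-challenge/TOKEN_B" )
    echo "tokens the web server cannot read:"
    unreadable_challenges "$tmp"      # only TOKEN_A is listed
    rm -rf "$tmp"
}

demo
```

Running the check right after `certbot certonly --webroot` (or from a `--deploy-hook` style wrapper) turns a silent 403 at validation time into an immediate, readable report.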
