EDIT_2 Addition to my setup since this is really getting confusing.
I have 3 certificates installed from letsencrypt. All on different domains and were generated individually.
The problem I believe is not on the particular certificate but somewhere on the setup? Please help me out… Because when I removed www.example.com from the enabled websites and did another apachectl configtest, the same “file does not exist or is empty” error appears, but this time for the other domains (like site2.example.com).
EDIT_3 /etc/letsencrypt/live has 0700 permission and the rest inside it has 0755. I’ve tried changing 0700 to 0755 to no avail. Owner and Group is root:root.
My mistake. It was a typo. Edited my original post already. Path is ‘/etc/letsencrypt/live/www.example.com/fullchain.pem’. I’ve checked it already, it’s there. The setup was AUTO, I didn’t touch anything.
'/etc/letsencrypt/live/www.example.com/fullchain.pem' this is also a link from /etc/letsencrypt/archive/www…example.com. But again, the setup was done with AUTO.
Did you check the contents of that file? You could try to see if openssl is able to parse the file using openssl x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem.
That’s a bit confusing given that you said the file exists. Can you confirm using cat /etc/letsencrypt/live/www.example.com/fullchain.pem? It should look like this:
openssl x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem yields “No such file or directory”
sudo cat on the same file shows what appears to be a valid certificate
Can you try the openssl command with sudo as well? A permission problem should trigger a “Permission denied” error instead of “No such file or directory”, but since that’s the only difference between those commands, I’m curious.
I did openssl again with sudo and generated the same errors.
I also edited main post again to include a diagnostic scenario. I think the issue here is not on the specific fullchain.pem file since if I a2dissite www.example.com, the error would again appear for other sites using letsencrypt.
The odd thing here is that sudo service apache2 reload works even if apachectl configtest shows the error. And the websites are shown with no problems. Green padlock and all. I can even check it with SSL Labs.
I finally got it to work. The issue was permissions. The problem was that I was working on the permissions of /etc/letsencrypt/live and missing the fact that it was just a link from /etc/letsencrypt/archive. If I had to change permission, it should be there at the archive directory.
After changing the permission of /etc/letsencrypt/archive to 0755, I was already getting Syntax OK from apachectl configtest and openssl was already able to read the file.
I hope this post gets to the dev. team. Is this normal behavior? The steps I took to set up letsencrypt are mentioned in the original post including how I got the certificates, which was done Auto. I believe that something done in Auto should work fine. I don’t know if my user credentials had something to do with the permission issue. I installed letsencrypt using a non-root user and I did sudo.
I also got this running at Server Fault. Also marked as answered there.
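The fix described above, as an added example that is not part of the thread: a small POSIX shell check that resolves the symlink first (as the kernel does) and then reports which directory on the real path lacks the world-traverse bit, so a 0700 archive/ behind a 0755 live/ is caught. check_cert_path and demo are hypothetical helper names, and the directory tree the demo builds is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a cert path the way the
# kernel does (symlinks first), then list each directory component of the
# real path and flag any that lacks the "other" execute (traverse) bit.
# check_cert_path is a hypothetical helper name; the demo tree is constructed.

check_cert_path() {
    target=$(readlink -f "$1") || return 2
    [ -f "$target" ] || { echo "resolved target missing: $target"; return 2; }
    echo "$1 -> $target"
    dir=$target
    rc=0
    while :; do
        dir=$(dirname "$dir")
        perm=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwx------
        echo "$perm $dir"
        case "$perm" in
            *[xt]) ;;                         # others may traverse (t = sticky + x)
            *) echo "  ^ not world-traversable: $dir"; rc=1 ;;
        esac
        [ "$dir" = / ] && break
    done
    return $rc
}

# Constructed tree mirroring the thread: live/ is a symlink into archive/.
# archive/ is tried at 0700 (the reported state) and then 0755 (the fix).
demo() {
    base=$(mktemp -d /tmp/le-demo.XXXXXX) && chmod 755 "$base" || return 2
    mkdir -p "$base/archive/www.example.com"
    echo "-----BEGIN CERTIFICATE-----" > "$base/archive/www.example.com/fullchain.pem"
    ln -s "$base/archive" "$base/live"
    cert="$base/live/www.example.com/fullchain.pem"

    chmod 700 "$base/archive"
    if check_cert_path "$cert"; then before=ok; else before=blocked; fi
    chmod 755 "$base/archive"
    if check_cert_path "$cert"; then after=ok; else after=blocked; fi
    rm -rf "$base"
    echo "archive 0700: $before; archive 0755: $after"
    [ "$before" = blocked ] && [ "$after" = ok ]
}

demo
```

The thread's own commands (apachectl configtest, openssl x509 -in …) need every directory on the resolved path, archive/ included, to be traversable by the user that runs them, which is what this check makes visible.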
Hi @jarvis, we haven't seen this before. I wonder if it has to do with root's umask value somehow? Supposedly the client will choose permissions explicitly for everything it creates, but I wonder if there are some cases in which we fail to specify them and then they get taken from root's default umask value.