Certbot fullchain.pem corrupts after pc reboot

My domain is: aerobot1.duckdns.org

I ran this command:

certbot certonly --standalone

My web server is (include version):

Python 3.10.1 --> Flask 2.1.2

The operating system my web server runs on is (include version):

Windows 10

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.24.0

Hello everybody:

I'm getting started on certificates and SSL. I'm running a Python web server using Flask and generating the SSL certificate through Certbot. Everything works fine until I have to reboot the PC that the server is hosted on. When I do so, the Flask server won't start, throwing a permission-related error about SSL in the console: PermissionError: [Errno 13] Permission denied.

If I try to open fullchain.pem located in C:\Certbot\live\aerobot1.duckdns.org in any text editor, it throws an error "Can't open file". This does not happen with privkey.pem, as I can see the full text inside the file. The only way to get the server working with the SSL is to regenerate the certificate after each system reboot. Is there a way to stop this from happening?

Thank you very much

1 Like

Welcome @aerodiduch

I don't have a guess as to which program is changing permissions on that file.

I am posting to warn you that regenerating the cert like that can easily lead to getting rate limited. You can only get 5 identical certs in 7 days and you have already used up 4 of those.

Until you can find the faulty program you should view the file properties after reboot and manually change permissions rather than regenerating the cert.

5 Likes

Hey! Thank you very much!

Thank you so much for the heads up about the rate limit. I will take a look at the properties after reboot and see if I find something interesting.

Thanks!

1 Like

Check the file permissions, but what user is the Certbot Windows scheduled task configured to run as? It could be renewing as administrator, but I don't know what file permissions it then sets on the output files. So if you set it up initially using your own user account but the renewal runs as administrator, then you (or Flask) may not have read permission.

3 Likes

Hey @webprofusion thank you very much! You gave me an important hint to solve the problem.

For some reason, Windows was changing the permission just for the "Administrators" group only. Now I have to find out how to stop this from happening. If I run Certbot without admin privilege, it won't let me do anything: Error, certbot must be run on a shell with administrative rights.

To anybody else that might be having this problem:

**1 -** Go to certbot/live/yourdomain/fullchain.pem
**2 -** On the Security tab, change permissions and add your user.
**3 -** The file in /live/domain is a symlink. Go to the Shortcut tab in Properties and click "Open folder location".
**4 -** Repeat step 2 on the highlighted file in certbot/archive/yourdomain/

Cheers!

1 Like

You could perhaps run a post-request script to fix the permissions (i.e. set read permission for the Flask service user account, or your own account if that's what it's using)

2 Likes
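As an added example, not from this thread or from the Certbot project, the following PowerShell script automates both the manual steps listed above (resolve the live\ symlink, then grant read permission on the real file under archive\) and the post-request hook suggestion. It is written as a Certbot deploy hook: Certbot sets the RENEWED_LINEAGE environment variable to the live directory of the certificate it just issued or renewed. The account name in $FlaskUser and the script path C:\Certbot\fix-perms.ps1 are placeholders to be replaced with the real values.

```powershell
# Added example (not from the thread): Certbot deploy hook for Windows that
# re-applies read permission for the account Flask runs under, so the manual
# permission fix does not have to be repeated after every renewal.
# Assumptions: RENEWED_LINEAGE is set by Certbot (it is, for deploy hooks),
# $FlaskUser is a placeholder for the real service account, and the script
# lives at C:\Certbot\fix-perms.ps1 (placeholder path).
param(
    [string]$FlaskUser = "$env:COMPUTERNAME\flaskservice",   # placeholder account
    [string]$Lineage   = $env:RENEWED_LINEAGE                 # e.g. C:\Certbot\live\<domain>
)

if (-not $Lineage) {
    throw "RENEWED_LINEAGE is not set; run this as a certbot --deploy-hook or pass -Lineage."
}

# Resolve a live\*.pem symlink to the real file under archive\<domain>\ (step 3 above).
function Resolve-LiveFile {
    param([string]$Path)
    $item   = Get-Item -LiteralPath $Path -Force
    $target = @($item.Target)[0]                       # string on PS 5.1 or 7, array on some builds
    if (-not $target) { return $item.FullName }        # not a symlink, use as-is
    if (-not [System.IO.Path]::IsPathRooted($target)) {
        # Certbot writes relative targets such as ..\..\archive\<domain>\fullchain1.pem
        $target = Join-Path (Split-Path -Parent $item.FullName) $target
    }
    return (Resolve-Path -LiteralPath $target).Path
}

# Grant read only: the service account needs to read the files and nothing more,
# and privkey.pem must not become readable by any wider group in the process.
function Grant-ReadOnly {
    param([string]$File, [string]$Account, [switch]$LinkItself)
    if ($LinkItself) {
        icacls $File /L /grant "${Account}:(R)" | Out-Null   # /L = act on the symlink, not its target
    } else {
        icacls $File /grant "${Account}:(R)" | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $File" }
}

foreach ($name in 'cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem') {
    $link = Join-Path $Lineage $name
    if (-not (Test-Path -LiteralPath $link)) { continue }
    $real = Resolve-LiveFile -Path $link
    Grant-ReadOnly -File $real -Account $FlaskUser               # archive file (step 4 above)
    Grant-ReadOnly -File $link -Account $FlaskUser -LinkItself   # live symlink (step 2 above)
    Write-Host "Granted read on $real to $FlaskUser"
}

# Print the resulting ACL so it can be checked after a reboot without regenerating anything.
icacls (Join-Path $Lineage 'fullchain.pem')
```

To register it, pass the hook when requesting the certificate (Certbot stores it in the renewal configuration, so the scheduled renewal task reuses it): `certbot certonly --standalone -d aerobot1.duckdns.org --deploy-hook "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Certbot\fix-perms.ps1"`. The same `icacls` listing at the end is what to run after a reboot to see which account actually lost access, which is the check the earlier replies recommend instead of re-issuing and burning through the rate limit.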