Certbot manual on macOS, missing cert files

Hi. I have installed Certbot through Homebrew on my Mac (High Sierra) to get the certificate for a website hosted on a shared server where I can’t log in to a root shell. I used “sudo certbot certonly --manual” and it seemed to work, but I had no permission to access the “/etc/letsencrypt/live” folder. I manually changed the permissions so I could open it, but the .pem files had the arrow that “alias or shortcut” files have, and when I tried to open them I got an error message saying that the file was missing. I tried a few times with the same result. I checked https://crt.sh/ and the certificates were issued (which means that I burnt through the 5 certificates that “Let’s Encrypt” allows a week).

Any help would be appreciated. Thanks

My domain is: e4u-reports.com
I ran this command: sudo certbot certonly --manual
My web server is (include version): Shared Apache hosting
I can login to a root shell on my machine (yes or no, or I don’t know): No

Hi @gdx,

Could you please show the output of this command?

sudo ls -l /etc/letsencrypt/{live,archive}/e4u-reports.com/

Cheers,
sahsanu

Here you have:

/etc/letsencrypt/archive/e4u-reports.com/:
total 32
-rw-r--r-- 1 root wheel 1826 Feb 23 23:08 cert1.pem
-rw-r--r-- 1 root wheel 1647 Feb 23 23:08 chain1.pem
-rw-r--r-- 1 root wheel 3473 Feb 23 23:08 fullchain1.pem
-rw-r--r-- 1 root wheel 1704 Feb 23 23:08 privkey1.pem

/etc/letsencrypt/live/e4u-reports.com/:
total 8
-rw-r--r-- 1 root wheel 543 Feb 23 23:08 README
lrwxr-xr-x 1 root wheel 39 Feb 23 23:08 cert.pem -> ../../archive/e4u-reports.com/cert1.pem
lrwxr-xr-x 1 root wheel 40 Feb 23 23:08 chain.pem -> ../../archive/e4u-reports.com/chain1.pem
lrwxr-xr-x 1 root wheel 44 Feb 23 23:08 fullchain.pem -> ../../archive/e4u-reports.com/fullchain1.pem
lrwxr-xr-x 1 root wheel 42 Feb 23 23:08 privkey.pem -> ../../archive/e4u-reports.com/privkey1.pem

@gdx, so you have at least 1 certificate; I’m wondering where the other 4 are ;). Did you remove or rename something?

Anyway, you have 1 cert so let’s check whether it is the right one, show the output of these commands:

sudo ls -l /etc/letsencrypt/live/

sudo openssl x509 -in /etc/letsencrypt/live/e4u-reports.com/cert.pem -noout -text

Thanks for your answer sahsanu.
I did manually remove the previous certificates to start fresh.

After writing my last post I realised that the “/etc/letsencrypt/archive/” folder also had System access only. When I changed the permissions I could access the certificates. Even though I use an administrator account, Certbot created some folders that I can’t access unless I manually change the permissions. Those folders are: “accounts”, “archive”, “keys” and “live”. Is that normal? I am new to Certbot, so I wonder if there is something I didn’t set correctly to have this problem.

Yes, it is normal. certbot creates the dirs in a way that only "root" can access them, to prevent any user on the system from being able to get your private keys. I don't use a Mac, so I've no idea what perms an administrator account has and how it differs from a system account, so I can't help here, but it is not a good idea to delete dirs/files or change the perms inside /etc/letsencrypt/.

Cheers,
sahsanu

I understand. The problem is that I need to access the files to install the certificate on the server, but I guess I can just reset the permissions when I am done.

Thank you for all the help!

If necessary you can use a --deploy-hook script to copy the certificates to an appropriate location. There’s an example at https://certbot.eff.org/docs/using.html#renewing-certificates (it’s not limited to renewal though).
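
A sketch of such a deploy hook, added here as an example (it is not from the thread or the Certbot documentation): it copies the certificate and key out of the live directory into an owner-only folder, so the permissions under /etc/letsencrypt/ never need to be changed. RENEWED_LINEAGE is set by certbot for deploy hooks and SUDO_USER by sudo; DEPLOY_DIR, DEPLOY_OWNER and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example: deploy hook that exports the issued cert for manual upload.
# certbot sets RENEWED_LINEAGE to the certificate's live directory,
# e.g. /etc/letsencrypt/live/e4u-reports.com
# DEPLOY_DIR and DEPLOY_OWNER are hypothetical variables for this sketch.

deploy_cert() {
    lineage=$1    # live/<domain> directory containing the symlinks
    dest=$2       # export directory, readable only by its owner
    owner=${3:-}  # optional: account that should own the copies

    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "deploy_cert: no readable certificate in $lineage" >&2
        return 1
    }

    # Create everything owner-only from the start so the private key
    # is never briefly readable by other users.
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest" && chmod 700 "$dest" &&
    # -L dereferences the live/ symlinks: real files are copied,
    # not links pointing back into archive/.
    cp -L "$lineage/fullchain.pem" "$dest/fullchain.pem" &&
    cp -L "$lineage/privkey.pem" "$dest/privkey.pem" &&
    chmod 600 "$dest/fullchain.pem" "$dest/privkey.pem"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return "$rc"

    # Hand the copies to the unprivileged account (needs root, which
    # the hook has when certbot was started with sudo).
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest" || return 1
    fi
}

# Run only when invoked by certbot as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "${DEPLOY_DIR:?set DEPLOY_DIR}" \
        "${DEPLOY_OWNER:-${SUDO_USER:-}}"
fi
```

Save it as an executable file and pass its path to certbot with --deploy-hook, with DEPLOY_DIR set in the environment certbot runs in.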

I will try that. Thanks!!
