Could not obtain certificates: Could not create required directories


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: docker run -it -v /STORAGE/Sites/certs:/.lego -v /STORAGE/Sites/#####.#####.com:/tmp/webroot xenolf/lego --email="#####@###.com" --webroot /tmp/webroot --domains="#####.#####.com" run

It produced this output:
2018/06/29 16:20:51 No key found for account #####@###.com. Generating a curve P384 EC key.
2018/06/29 16:20:51 Saved key to /.lego/accounts/acme-v01.api.letsencrypt.org/#####@###.com/keys/#####@###.com.key
2018/06/29 16:20:53 [INFO] acme: Registering account for #####@###.com
2018/06/29 16:20:53 !!! HEADS UP !!!
2018/06/29 16:20:53
Your account credentials have been saved in your Let’s Encrypt
configuration directory at “/.lego/accounts/acme-v01.api.letsencrypt.org/#####@###.com”.
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let’s Encrypt so making regular
backups of this folder is ideal.
2018/06/29 16:20:53 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2018/06/29 16:20:53 Do you accept the TOS? Y/n
Y
2018/06/29 16:21:17 [INFO][#####.#####.com] acme: Obtaining bundled SAN certificate
2018/06/29 16:21:18 [INFO][#####.#####.com] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/DRvfqsfI3FcV8ecRj4zIUi1PCplpRXjuP18r3fMYpIA
2018/06/29 16:21:18 [INFO][#####.#####.com] acme: Trying to solve HTTP-01
2018/06/29 16:21:18 [#####.#####.com] Could not obtain certificates
[#####.#####.com] error presenting token: Could not create required directories in webroot for HTTP challenge -> mkdir /tmp/webroot/.well-known/acme-challenge: permission denied

My web server is (include version): Mac OS Server 5.2

The operating system my web server runs on is (include version): Mac OS X 10.11.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


Please help! SSL Certificate expired days ago, renewal status is still pending for days now.


#2

It looks like this directory (which presumably contains your web site’s content) can’t be written to by the user as whom you’re running docker. This is a requirement for the method that you’re using, so you’ll need to change the permissions on this directory or else run docker as a different user.


#3

Thanks for your response schoen. Ran the command in bash actually…
bash-3.2# docker run -it -v /STORAGE/Sites/certs:/.lego -v /STORAGE/Sites/#####.#####.com:/tmp/webroot xenolf/lego --email="#####@###.com" --webroot /tmp/webroot --domains="#####.#####.com" run


#4

So you’re running the command as root?


#5

So you’re running the command as root? - Yes


#6

Was thinking maybe the certificate has expired already, that’s why it’s getting denied permission? Is there a way to re-create, start cert request from scratch, maybe?


#7

This is a file permission error, which is unrelated to the certificate’s validity.

Can you try running mkdir /STORAGE/Sites/#####.#####.com/test outside of Docker?

Where did you get this Docker image or instructions?


#8

That worked outside Docker. test folder created.


#9

Where did you get this Docker image from; which image is it?

@bmw, have you ever seen a case where commands that work outside of Docker don’t work inside of Docker on a bound directory?


#10

No idea about the image. Tried running previous commands to renew same cert months ago… Took over this task recently. :-/


#11

Hmmm! Maybe you could replace this part

xenolf/lego --email="#####@###.com" --webroot /tmp/webroot --domains="#####.#####.com" run

with just bash, forming a command like

docker run -it -v /STORAGE/Sites/certs:/.lego -v /STORAGE/Sites/#####.#####.com:/tmp/webroot bash

and then you would have a shell prompt with the same environment that the lego command would have had. In that case you can run id to see if you are still considered root inside of docker, and you can also try running mkdir to see if you can create /tmp/webroot/.well-known and then /tmp/webroot/.well-known/acme-challenge inside of docker.
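As an added example (not part of this thread), a small POSIX shell preflight that performs the checks suggested above before an ACME client is run: it reports the effective uid, then tries the same `mkdir` of `.well-known/acme-challenge` under a given webroot and writes a constructed throwaway token there, so a bind-mount permission problem surfaces before any request is made. The webroot path is a parameter; the token contents are made up for the check.

```shell
#!/bin/sh
# Added example: preflight for the HTTP-01 webroot method.
# Reproduces the step the client failed at (creating .well-known/acme-challenge
# under the webroot) and writes a constructed token, so a permission problem on a
# bind-mounted directory shows up before talking to the CA.
# Usage: webroot_preflight /path/to/webroot   (returns 0 when usable)

webroot_preflight() {
    webroot=$1
    challenge_dir="$webroot/.well-known/acme-challenge"

    # Being root on the host does not guarantee write access inside a
    # container: report who we actually are where this runs.
    printf 'running as uid=%s gid=%s\n' "$(id -u)" "$(id -g)"

    if [ ! -d "$webroot" ]; then
        printf 'webroot %s does not exist\n' "$webroot" >&2
        return 1
    fi

    # Same operation the ACME client performs before presenting the token.
    if ! mkdir -p "$challenge_dir" 2>/dev/null; then
        printf 'cannot create %s\n' "$challenge_dir" >&2
        ls -ld "$webroot" >&2   # owner/mode of the webroot helps explain why
        return 1
    fi

    # Constructed token: prove the directory is writable, then clean up.
    token="preflight-$$"
    if ! printf 'constructed-key-authorization\n' > "$challenge_dir/$token" 2>/dev/null; then
        printf 'cannot write into %s\n' "$challenge_dir" >&2
        return 1
    fi
    rm -f "$challenge_dir/$token"
    printf 'ok: %s is writable\n' "$challenge_dir"
    return 0
}
```

Run it from the same shell (or container) the client will use, against the same mounted path (for the thread's setup, /tmp/webroot inside the container), so the result reflects the client's actual permissions.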


#12

Not sure if I did it correctly, but am getting same result: denied permission.


#13

Thanks for your time, schoen. Solved this one —

sudo certbot certonly --webroot -w /STORAGE/Sites/#####.#####.com -d #####.#####.com

sudo openssl pkcs12 -export -inkey "/etc/letsencrypt/live/#####.#####.com/privkey.pem" -in "/etc/letsencrypt/live/#####.#####.com/cert.pem" -certfile "/etc/letsencrypt/live/#####.#####.com/fullchain.pem" -out "/etc/letsencrypt/live/#####.#####.com/letsencrypt_sslcert.p12"

sudo security import "/etc/letsencrypt/live/#####.#####.com/letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

