Hi, starting the day after the certbot 3.0.0 release, my certbot commands have been failing with the following error. I have not made any changes to the script on my end other than dropping the --manual-public-ip-logging-ok flag since it's now deprecated.
PermissionError: [Errno 1] Operation not permitted: '/home/automation/automation/ssl-config-dir/archive/www.ladybirdessentials.com/privkey23.pem'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /home/automation/automation/ssl-logs-dir/letsencrypt.log or re-run Certbot with -v for more details.
When I run certbot -v, it gives me this:
$ certbot -v
The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/letsencrypt.log'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-wb8cvy74/log or re-run Certbot with -v for more details.
When I open the /tmp/certbot-log/wb8vcy74/log file, it shows this:
certbot.errors.Error: The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/letsencrypt.log'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
2024-11-10 13:58:25,974:ERROR:certbot._internal.log:The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/letsencrypt.log'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
The issue is, I am adding the --config-dir, --work-dir, and --logs-dir to the command line but it still appears to be requiring that /var/log/letsencrypt/letsencrypt.log is a writeable path even though it doesn't use it. I tested this by logging in as root and the certificate issued correctly, and did not update /var/log/letsencrypt/letsencrypt.log at all. So it's like certbot is checking for the writeable permission for /var/log/letsencrypt but isn't actually writing to it, even though --logs-dir is specified.
Also - when I try to set /var/log/letsencrypt to writeable, certbot won't even try to issue the certificate, with this error instead: /var has 'other' write 40777
Here's my command line:
certbot certonly --manual --preferred-challenges http www.donnaleird.com -d donnaleird.com --config-dir ssl-config-dir --work-dir ssl-working-dir --logs-dir ssl-logs-dir --non-interactive --manual-auth-hook "ssl-automation/authenticator.sh" --manual-cleanup-hook "ssl-automation/cleanup.sh" --agree-tos --email notices@attractwell.com
Is there a new command line option or anything I can use to get this working again so I don't have to generate certs as root?
Below are the questions from this issue template if that's helpful.
My domain is: donnaleird.com (I actually have a lot of domains, but this is just one that failed starting recently)
I ran this command:
certbot certonly --manual --preferred-challenges http www.donnaleird.com -d donnaleird.com --config-dir ssl-config-dir --work-dir ssl-working-dir --logs-dir ssl-logs-dir --non-interactive --manual-auth-hook "ssl-automation/authenticator.sh getoiling" --manual-cleanup-hook "ssl-automation/cleanup.sh getoiling" --agree-tos --email notices@attractwell.com
It produced this output:
PermissionError: [Errno 1] Operation not permitted: '/home/automation/automation/ssl-config-dir/archive/www.ladybirdessentials.com/privkey23.pem'
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /home/automation/automation/ssl-logs-dir/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): Liquid Web Cloud Sites (the issue isn't with the installation - it's with file permission when writing a certificate)
The operating system my web server runs on is (include version): CentOS Linux 7 (Core) / Linux 3.10.0-1062.12.1.el7.x86_64
My hosting provider, if applicable, is: Liquid Web
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.0