It doesn't need to be a file system permission issue. Could also be a permission issue from within Apache. Therefore: access and error logs! Don't play a guessing game, get the facts straight.
I totally agree about viewing the logs.
What would/could cause this aside from a file-system related permission conflict with the apache process:
Maybe I'm not familiar enough with the guts of apache itself here?
Shouldn't be possible in this specific case, as certbot places all kinds of permissive permissions in the "post config file" as mentioned above.
That's what had me stumped. I've run into a few permission-related issues before, but didn't want to proceed here for concern of what might be lurking beneath.
@JuergenAuer @Osiris Ok, I'm back. I think the apache error log is explaining the problem here. This same error repeated over and over. Seems to coincide with my calls to certbot:
[Sat May 01 23:54:45.088171 2021] [core:error] [pid 108776:tid 140308787074816] (13)Permission denied: [client 17.58.91.224:35276] AH00035: access to /.well-known/acme-challenge/jLh_t-WCCDK8BJS8aWpbYCG-TTx4Jp13FjILQ7ObMGw denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path
Here are the permissions within that path:
drwxr-xr-x 14 root root 4096 May 1 08:54 var
drwxr-xr-x 41 root root 4096 May 1 09:28 lib
drwx------ 4 root root 4096 May 2 09:08 letsencrypt
drwxr-xr-x 2 root root 4096 May 2 07:33 http_challenges
That one is drwxr-xr-x on my server.
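The AH00035 message above says a component of the path, not the final directory, is not traversable by the Apache worker. The following script is an added example, not something posted in this thread, that walks each directory component of a path and reports which ones lack the search (execute) bit for "other" users; it assumes a Linux host with GNU coreutils stat and, as in the listing above, that the worker (www-data) is neither the owner nor in the group of the root:root directories.

```shell
#!/bin/sh
# Walk every directory component of a path (/var, /var/lib, ...) and report
# the ones whose "other" class lacks the execute/search bit. That is what
# Apache's AH00035 "search permissions are missing on a component of the
# path" is complaining about. Only the "other" bits are checked, which is
# the situation for a www-data worker traversing root:root directories.
# Returns 0 if every component is searchable, 1 if at least one is not,
# 2 if a component could not be stat'ed (assumes GNU coreutils stat).
check_path_search() {
    path=$1
    cur=""
    missing=""
    oldifs=$IFS
    IFS='/'
    for part in $path; do
        [ -n "$part" ] || continue        # skip the empty field before the leading /
        cur="$cur/$part"
        # Octal mode such as 755, 700 or 1777; the last digit is the "other" class.
        mode=$(stat -c '%a' "$cur") || { IFS=$oldifs; return 2; }
        other=${mode#"${mode%?}"}         # last character of the mode string
        case $other in
            1|3|5|7) ;;                   # execute/search bit set for "other"
            *) missing="$missing $cur" ;;  # drwx------ style component
        esac
    done
    IFS=$oldifs
    if [ -n "$missing" ]; then
        echo "search permission missing for 'other' on:$missing"
        return 1
    fi
    echo "all components of $path are searchable by 'other'"
    return 0
}

# Stand-alone usage: check the challenge directory from the thread if it
# exists on this host (path assumed from the log line above).
target=${1:-/var/lib/letsencrypt/http_challenges}
[ -d "$target" ] && check_path_search "$target"
```

On the listing above this reports only /var/lib/letsencrypt (mode 700), which is exactly the directory the chmod 755 fixes; rerunning it afterwards reports all components as searchable.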
Oh wow!
root@ip-72-167-33-188:/var/lib# chmod 755 letsencrypt/
root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot certonly --apache -d "cozybroadcast.stream,www.cozybroadcast.stream" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Simulating a certificate request for cozybroadcast.stream and www.cozybroadcast.stream
Performing the following challenges:
http-01 challenge for cozybroadcast.stream
http-01 challenge for www.cozybroadcast.stream
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.
root@ip-72-167-33-188:/var/www/cozybroadcast.stream# sudo certbot --apache -d "cozybroadcast.stream,www.cozybroadcast.stream"
...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://cozybroadcast.stream and
https://www.cozybroadcast.stream
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thank you, everybody! @griffin @Osiris @JuergenAuer
You're very welcome!
This created a second .conf for both default and my url. Should I remove the old url one or disable the new default one?
root@ip-72-167-33-188:/etc/apache2/sites-available# ls
000-default.conf cozybroadcast.stream.conf
cozybroadcast.stream-le-ssl.conf default-ssl.conf
sudo ls -lRa /etc/apache2/sites-enabled
root@ip-72-167-33-188:/etc/apache2/sites-available# sudo ls -lRA
.:
total 20
-rw-r--r-- 1 root root 1332 Apr 13 2020 000-default.conf
-rw------- 1 root root 1623 May 2 21:30 cozybroadcast.stream-le-ssl.conf
-rw------- 1 root root 1627 May 2 21:51 cozybroadcast.stream.conf
-rw-r--r-- 1 root root 6338 Apr 13 2020 default-ssl.conf
and...
sudo ls -lRA /etc/apache2/sites-enabled
root@ip-72-167-33-188:/# sudo ls -lRA /etc/apache2/sites-enabled
/etc/apache2/sites-enabled:
total 4
lrwxrwxrwx 1 root root 61 May 2 21:30 cozybroadcast.stream-le-ssl.conf -> /etc/apache2/sites-available/cozybroadcast.stream-le-ssl.conf
lrwxrwxrwx 1 root root 44 May 1 09:26 cozybroadcast.stream.conf -> ../sites-available/cozybroadcast.stream.conf
Happens to us all!
So I'm confused that I have two .confs enabled now. Which one should I add my virtual host proxy instructions to? Or should I just disable the old one altogether?
If you look at the two enabled confs, you'll see that cozybroadcast.stream.conf is for port 80 (and is redirected to https) while cozybroadcast.stream-le-ssl.conf (created by certbot) is a mirror of cozybroadcast.stream.conf for port 443 with the necessary SSL pieces. You need both. You would likely want your proxy instructions in httpd-le-ssl.conf since you want the requests to come in from the internet via https on port 443.
Ah, ok, thanks. But I keep my app listening on port 80?
If you were to disable the port 80 conf:
- Most browsers wouldn't be able to reach your site via an entered address since the default protocol is http (port 80)
- Your certificate renewal would fail due to port 80 not responding
The next thing you should do is decide if you want cozybroadcast.stream or www.cozybroadcast.stream to be the canonical (official) name for your website and redirect all your traffic to your choice.
Ok, great. I think I've got everything to move on to setting up pm2.
Thanks for your help, again.