Let's Encrypt with nginx, I got error: SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/xxx.com/fullchain.pem','r')


#1

My steps

I use the command:

certbot certonly --webroot -w /home/www/api/public/challenges/ -d xxx.com -d www.xxx.com

Then the result:

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert will
expire on 2017-01-10. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew"

My nginx site.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name xxx.com www.xxx.com;

    root /var/www/laravel/public;
    index index.php index.html index.htm;

    location /.well-known/acme-challenge/ {
        alias /var/www/laravel/public/challenges/.well-known/acme-challenge/;
        # "=404" must be one token; "= 404" would be read as two separate targets
        try_files $uri =404;
    }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_pass php-upstream;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }

    ssl on;
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
}

When I start nginx, I get the error:

[emerg] BIO_new_file("/etc/letsencrypt/live/xxx.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/xxx.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

But the file really exists.
Why did I get this error? What is wrong?


#2

I’d suspect it’s a permission issue.

What user is nginx running as? And does it have permission to read the files in /etc/letsencrypt/live/zuoye12.com/?


#3

Perhaps root? I'm not exactly sure. My nginx is created with a Dockerfile.


#4

Without knowing your exact setup it’s difficult to say.

You could try giving world read access to the file (if it isn't already). You could also try copying the file to a different location (maybe alongside your nginx config) and setting it to the same user/group as your nginx config, then trying to read it from there.


#5

I typed ps aux, and the result:

bash-4.3# ps aux

PID USER TIME COMMAND
1 root 0:00 nginx: master process nginx
5 www-data 0:00 nginx: worker process
6 www-data 0:00 nginx: worker process
7 www-data 0:00 nginx: worker process
8 www-data 0:00 nginx: worker process
19 root 0:00 bash
28 root 0:00 ps aux

root or www-data, which is the nginx user?


#6

The main nginx master process (which is the one which should read the config file) is root.

Can you try copying the file, as above? I have heard of issues with nginx in docker and symlinks.


#7

I opened my nginx.conf and found:

user www-data;
worker_processes 4;

I guess it is a permission issue too; the nginx user is www-data. I am going to modify it and try again.


#8

Oooooooooooooooooh my god! It worked!!!
I copied the file into the docker container's volumes, then it worked. Thank you!

But using this way, I can't use "certbot renew" automatically T_T
But thank you all the same.


#9

Glad to hear that worked.

You can use something like

certbot renew --post-hook "cp /etc/letsencrypt/path/cert /new/docker/path"

or have a script that copies the file, then reloads nginx, which can be called by the --post-hook command.


#10

All right! I'll mark it! :+1:


#11

That’s a great suggestion. For more safety you would want to copy the other files too, because privkey.pem is likely to change every time, and chain.pem perhaps every couple of years. :slight_smile:
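As an added example (not code from this thread), here is a post-hook script that combines the suggestions in #9 and #11: it copies all four files from the live directory, dereferencing certbot's symlinks so the container sees real files, replaces each one atomically, keeps privkey.pem readable only by its owner, and reloads nginx only if the copies look sane. The live directory, the destination directory, the container name and the script name (le-post-hook.sh, invoked with the argument "run") are assumptions.

```shell
#!/bin/sh
# Constructed example post-hook for: certbot renew --post-hook "/usr/local/bin/le-post-hook.sh run"
# All paths and the container name below are assumptions; override them via the environment.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/xxx.com}"
DEST_DIR="${DEST_DIR:-/srv/docker/nginx/certs}"       # directory bind-mounted into the nginx container
NGINX_CONTAINER="${NGINX_CONTAINER:-nginx}"
RELOAD_CMD="${RELOAD_CMD:-docker exec $NGINX_CONTAINER nginx -s reload}"

# Copy the files nginx may reference. cp -L follows certbot's live/ -> archive/ symlinks,
# so the container gets a regular file rather than a link pointing outside its mount.
copy_live_certs() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in fullchain.pem privkey.pem chain.pem cert.pem; do
        [ -e "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp -L "$src/$f" "$dst/$f.tmp"
        mv "$dst/$f.tmp" "$dst/$f"    # rename is atomic, so nginx never reads a half-written file
    done
    chmod 644 "$dst/fullchain.pem" "$dst/chain.pem" "$dst/cert.pem"
    chmod 600 "$dst/privkey.pem"      # the root-owned nginx master reads the key; nobody else needs to
}

# Refuse to reload nginx if the copied material is empty or not PEM-shaped.
certs_look_sane() {
    dst="$1"
    [ -s "$dst/fullchain.pem" ] && [ -s "$dst/privkey.pem" ] &&
    grep -q 'BEGIN CERTIFICATE' "$dst/fullchain.pem" &&
    grep -q 'PRIVATE KEY' "$dst/privkey.pem"
}

main() {
    copy_live_certs "$LIVE_DIR" "$DEST_DIR"
    certs_look_sane "$DEST_DIR" || { echo "copied files look wrong, not reloading nginx" >&2; exit 1; }
    $RELOAD_CMD
}

# Only act when called with "run", so the functions can also be sourced for testing.
if [ "${1:-}" = run ]; then main; fi
```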


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.