Let's Encrypt with nginx, I got error: SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/xxx.com/fullchain.pem','r')

My steps

### I use the command:

certbot certonly --webroot -w /home/www/api/public/challenges/ -d xxx.com -d www.xxx.com

then result:

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert will
expire on 2017-01-10. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew"

My nginx site.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name xxx.com www.xxx.com;

    root /var/www/laravel/public;
    index index.php index.html index.htm;

    # ACME HTTP-01 challenge files (the directory given to certbot --webroot)
    location /.well-known/acme-challenge/ {
        alias /var/www/laravel/public/challenges/.well-known/acme-challenge/;
        try_files $uri =404;   # the fallback code is written "=404", with no space
    }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_pass php-upstream;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }

    # TLS material: the live/ directory contains symlinks into archive/
    ssl on;
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
}

When I start nginx, I get the error:

[emerg] BIO_new_file("/etc/letsencrypt/live/xxx.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/xxx.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

But the file really exists.
Why do I get this error? What is wrong?

I’d suspect it’s a permission issue.

What user is nginx running as? And does it have permission to read the files in /etc/letsencrypt/live/zuoye12.com/?

Perhaps root? I’m not exactly sure. My nginx is created with a Dockerfile.

Without knowing your exact setup it’s difficult to say.

You could try giving world read access to the file (if it isn’t already). You could also try copying the file to a different location (maybe alongside your nginx config) and setting it to the same user/group as your nginx config - then trying to read it from there.

I typed: ps aux, and the result is:

bash-4.3# ps aux

PID USER TIME COMMAND
1 root 0:00 nginx: master process nginx
5 www-data 0:00 nginx: worker process
6 www-data 0:00 nginx: worker process
7 www-data 0:00 nginx: worker process
8 www-data 0:00 nginx: worker process
19 root 0:00 bash
28 root 0:00 ps aux

root or www-data, which is the nginx user?

The main nginx master process (which is the one that should read the config file) is root.

Can you try copying the file - as above - I have heard of issues with nginx in docker and symlinks.

1 Like

I opened my nginx.conf and found:

user www-data;
worker_processes 4;
...

I guess it is a permission issue too; the nginx user is www-data. I will modify it and try again.

Oooooooooooooooooh my god! It worked!!!
I copied the file into the docker container’s volumes, then it worked. Thank you!

But using this way, I can’t use “certbot renew” automatically T_T
But thank you all the same.

2 Likes

Glad to hear that worked.

You can use something like:

certbot renew --post-hook "cp /etc/letsencrypt/path/cert /new/docker/path"

or have a script that copies the file, then reloads nginx, which can be called by the --post-hook command.

All right! I mark it! :+1:

1 Like

That’s a great suggestion. For more safety you would want to copy the other files too, because privkey.pem is likely to change every time, and chain.pem perhaps every couple of years. :slight_smile:
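A post-hook script combining the two suggestions above (copy all three files from live/, then reload nginx), as an added example and not code from the thread. The live directory, the host path of the container volume and the container name are assumptions; run it as `certbot renew --post-hook "/path/to/copy-certs.sh run"`.

```shell
#!/bin/sh
# Post-hook for "certbot renew": copy the renewed files into the volume the
# nginx container mounts, then reload nginx inside the container.
# LIVE_DIR, DEST_DIR and NGINX_CONTAINER are assumed values, not from the thread.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/xxx.com}"
DEST_DIR="${DEST_DIR:-/srv/nginx/certs}"        # host path of the container volume (assumed)
NGINX_CONTAINER="${NGINX_CONTAINER:-nginx}"      # container name (assumed)

# copy_live_certs SRC DST
# Copies fullchain.pem, chain.pem and privkey.pem from SRC to DST.  cp -L
# dereferences the live/ symlinks so the container gets plain files rather
# than links into archive/ that it cannot follow.  Each file is written to a
# temp name and renamed, so nginx never reads a half-written file.
# Returns 1 (copying nothing further) if any of the three files is missing.
copy_live_certs() {
    src="$1"
    dst="$2"
    mkdir -p "$dst"
    for f in fullchain.pem chain.pem privkey.pem; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp -L "$src/$f" "$dst/$f.tmp"
        mv "$dst/$f.tmp" "$dst/$f"
    done
    # certificates are public; the private key stays owner-readable only
    chmod 644 "$dst/fullchain.pem" "$dst/chain.pem"
    chmod 600 "$dst/privkey.pem"
}

# Only perform the copy and reload when invoked with "run", so the functions
# can be sourced without side effects.
if [ "${1:-}" = "run" ]; then
    copy_live_certs "$LIVE_DIR" "$DEST_DIR"
    docker exec "$NGINX_CONTAINER" nginx -s reload
fi
```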

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.