MAMP: User running Apache cannot access this certificate

Hello!

My domain is:

domain4ssl2test.dynu.net

I ran this command:

sudo certbot certonly --webroot -w /Users/david/Sites/domain4ssl2test.dynu.net/ -d domain4ssl2test.dynu.net -d www.domain4ssl2test.dynu.net

My web server is (include version):

Apache 2.2.34

The operating system my web server runs on is (include version):

macOS 10.14.6 (18G1012)

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

MAMP PRO 5.5.1 (17995)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.39.0

ls -l /private/etc/letsencrypt/live/* says:

-rw-------@ 1 root wheel 740 20 Nov 17:12 /private/etc/letsencrypt/live/README

/private/etc/letsencrypt/live/domain4ssl2test.dynu.net:

total 8

-rw-r--r-- 1 root wheel 692 20 Nov 19:47 README

lrwxr-xr-x 1 root wheel 48 20 Nov 19:47 cert.pem -> ../../archive/domain4ssl2test.dynu.net/cert1.pem

lrwxr-xr-x 1 root wheel 49 20 Nov 19:47 chain.pem -> ../../archive/domain4ssl2test.dynu.net/chain1.pem

lrwxr-xr-x 1 root wheel 53 20 Nov 19:47 fullchain.pem -> ../../archive/domain4ssl2test.dynu.net/fullchain1.pem

lrwxr-xr-x 1 root wheel 51 20 Nov 19:47 privkey.pem -> ../../archive/domain4ssl2test.dynu.net/privkey1.pem

I exactly followed the manual on https://www.macminivault.com/installing-a-lets-encrypt-ssl-certificate-on-mamp-pro to install Homebrew, then certbot and then created the certificate files.

Everything worked fine. But when I want to set up the files in MAMP, there’s a red arrow near the Certificate key file upload button with the following message:

User running Apache cannot access this certificate

I’m not even able to save because the Save button is greyed out. Here you can see a screenshot:

Does anybody have an idea what the problem might be?

Thanks for any help in advance and till then,
David.

I just figured out, there seems to be something with the rights. I’ll check this and get back with more information later.

Till then,
David.

I noticed, ls -l /private/etc/letsencrypt/archive/* says the following:

total 32

-rw-r--r-- 1 root wheel 1992 20 Nov 22:27 cert1.pem

-rw-r--r-- 1 root wheel 1647 20 Nov 22:27 chain1.pem

-rw-r--r-- 1 root wheel 3639 20 Nov 22:27 fullchain1.pem

-rw------- 1 root wheel 1704 20 Nov 22:27 privkey1.pem

Why does privkey1.pem have wrong/other permissions?

Hi @MAMP

normally only root is allowed to read the private key.

Looks like this "good setup" doesn't work in your environment. Because the menu you use doesn't run with root access.

So change it.

Hi Jürgen,
thank you for replying.

I don’t really understand what you mean. What do you mean by “good setup”?

You say: “menu you use doesn’t run with root access”. Isn’t it enough to have the administrator account? This is a Mac mini and I’m the administrator.

“So change it.”: What exactly do you suggest to change?

The permissions of all certificate files look like this.

Only the permissions of privkey1.pem look like this.

Everything is working perfect when changing the permissions of privkey1.pem to.

Is this recommended or shouldn’t I do this?

Greetings,
David.
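
An added example, not part of the original posts: a shell check for the permission question above. It classifies each privkey*.pem under a certbot archive directory by who can read it, and shows a group-based grant as a narrower alternative to making the key world-readable. The function names and the choice of group (the group of the user Apache runs as) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit who can read certbot private keys.
# Usage (assumed invocation): sudo sh audit_keys.sh /private/etc/letsencrypt/archive

# key_exposure FILE -> prints owner-only | group-readable | world-readable
key_exposure() {
    # First field of `ls -ld` is the mode string, e.g. "-rw-------".
    # Character 5 is group read, character 8 is read for everyone else.
    mode=$(ls -ld "$1" | awk '{print $1}')
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$other_r" = "r" ]; then
        echo "world-readable"
    elif [ "$group_r" = "r" ]; then
        echo "group-readable"
    else
        echo "owner-only"
    fi
}

# audit_keys DIR -> one line per DIR/<domain>/privkey*.pem;
# returns 1 if any key is readable by every local user.
audit_keys() {
    status=0
    for key in "$1"/*/privkey*.pem; do
        [ -f "$key" ] || continue        # glob matched nothing
        verdict=$(key_exposure "$key")
        echo "$verdict  $key"
        if [ "$verdict" = "world-readable" ]; then
            status=1
        fi
    done
    return $status
}

# grant_group_read FILE GROUP -> let one group read the key while
# keeping "other" locked out (mode 640 instead of 644).
# GROUP is an assumption: the group of the account Apache runs under.
grant_group_read() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Run the audit only when a directory is passed on the command line.
if [ $# -gt 0 ]; then
    audit_keys "$1"
fi
```

A key reported as owner-only is the certbot default shown in the listing above; group-readable limits access to members of one group, while world-readable exposes the key to every account on the machine.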

I have no idea how that tool works.

Then this is required. Happy to read that you have found a solution. :+1:

--

Systems are different. What works with a Linux system may not work with your system.

Hi Jürgen,
great, thanks for the confirmation.

BTW: The command I ran is as follows:

sudo certbot certonly --webroot -w /Users/david/Sites/domain4ssl2test.dynu.net/ -d domain4ssl2test.dynu.net -d www.domain4ssl2test.dynu.net

Why do I have to use the path of the website /Users/david/Sites/domain4ssl2test.dynu.net/? There is also no hidden folder or so in it.

As I can see, no certificate file or anything similar is stored there. What if the path changes? Do I have to create a new certificate?

Have a nice day,
David.
