Mosquitto suddenly cannot load certificates

Hi, I have been using letsencrypt on servers for some time now. Suddenly today I set up a new one in exactly the same way as I always do and now get the following error:

1602341633: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mydomain/fullchain.pem".
1602341633: Error: Permission denied

The certificate exists and nothing has changed in how I set them up, or the brokers. Please can you explain what is happening. I cannot provide the domain name as it points to a private network.

Hi @AMBTB

that's only a local permission / configuration problem.

Completely irrelevant to Letsencrypt.

Not at all. It is entirely related to LetsEncrypt. It is reading the certs that is the issue. This never happened before, and today suddenly Mosquitto cannot read the certs; if I point mosquitto to a different cert then there is no issue.

That's exactly your local problem. Wrong permission. So check the permission of that file.

The files were generated by letsencrypt, so how do you suggest it is an issue elsewhere?

You did read the error right?

Looks like you didn't read the error. That's a local problem.

If you want help, then answer all of the following questions. Maybe there is no certificate created (because your client is too old), so the path + file doesn't exist.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

You are the one that doesn't appear to have read the error or the description:
"Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mydomain/fullchain.pem"."
Nginx is the server. I will not provide the domain name, as already noted.

That's your local file. And it's impossible to read that file or the file content is wrong. And you have two errors: unable to load and "Permission denied".

I think maybe I am speaking Chinese. LETSENCRYPT CREATED THAT FILE!!!!!!!

No, Letsencrypt doesn't have access to your system.

Your ACME client created that file. But that's part of the problem: your client is unknown, and it's unknown whether the certificate creation has worked (because you don't share your domain and the command) or whether you have a valid certificate.

What's the content of

/etc/letsencrypt/live/mydomain/fullchain.pem

Is there content, or is it a 0-byte file? Sometimes error messages are "a little bit wrong" if files have 0 bytes.

What does

certbot certificates
letsencrypt certificates

say (the second if you use a very old client)?


Everything was downloaded today. In the last two days I have installed 4 or 5 servers using exactly the same process. Today, this error starts during installation, with no modification to the way I am installing.

You seem more determined to say that this is not a Letsencrypt error than to actually listen. The files are generated by using the letsencrypt software and you say letsencrypt did not make the files. With NGINX the server runs fine, so the file is ok.

I cannot access the file to check, permissions are denied.

That's exactly your error description. A local problem.

Use sudo or root.

I have just told you permissions are denied! Using root. Letsencrypt has messed up when generating these files somehow.

Looking online about this, considering you say it is not an issue with letsencrypt, it seems there are a lot of people with this issue, and all the answers say that it is an issue with letsencrypt permissions. The thing that is really annoying is that this has only started today after multiple server installs. And the solution is to change the permissions, and then letsencrypt will break it the next time it updates the certificate. Awesome.

Server on domain 1 (working)
4 drwx------ 5 root root 4096 Aug 18 06:24 .
4 drwxr-xr-x 9 root root 4096 Oct 10 02:07 ..
4 -rw-r--r-- 1 root root 740 Apr 22 23:33 README
4 drwxr-xr-x 2 root root 4096 Aug 18 06:24 domainname

Server on domain 2 (not working)
drwx------ 3 root root 4096 Oct 10 15:46 .
4 drwxr-xr-x 9 root root 4096 Oct 10 15:59 ..
4 drwxr-xr-x 2 root root 4096 Oct 10 15:46 domain
4 -rw-r--r-- 1 root root 740 Oct 10 15:46 README

But yeah, it is a local issue, not letsencrypt, right?

The content of

/etc/letsencrypt/live/mydomain

is relevant.

@AMBTB

JuergenAuer is very much on the right track here although I feel like there is perhaps a bit of a misunderstanding between the two of you going on, so I will do my best to clarify.

Let's Encrypt is a certificate authority (CA) that issues certificates. That might seem like an obvious statement, but it will become clear in a moment. In order to acquire certificates from Let's Encrypt, you need to use (and are using) a piece of software known as an ACME client that interacts with the Let's Encrypt CA servers. There is an ACME client affiliated with Let's Encrypt known as certbot that has confusingly gone by the name "letsencrypt" in the past. The vast majority of ACME clients, including my own, are not affiliated one iota with Let's Encrypt.

The permission problem could be associated with what permissions are granted to the ACME client that is creating the certificate files when it receives them from Let's Encrypt. My big question is: what did you do differently on this particular server? I firmly believe that the answer lies there.


I also agree with @griffin.
The client may have changed the way it does things (maybe).
But without knowing the client and version, it is difficult to give any advice on that.
The application that uses the certs (Mosquitto) may have "changed" (through updates or a direct configuration change).
It is extremely difficult to give any advice on that without knowing the version and related "change" history.

I presume that if you ran Mosquitto as root it would have no problem reading the files.
Of course, that may be less than an ideal solution and should only be used to confirm the permissions issue.
If Mosquitto can see the files (when run as root) and you don't want to run Mosquitto as root (I would not), then you may need to modify the group access to the /live/ files OR run a script that copies those live files to another location where Mosquitto can read it (every time the cert gets updated).
[there may be other solutions - that is just the first that came to mind]

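The "copy the live files somewhere Mosquitto can read them, every time the cert gets updated" option from the last reply, written out as a certbot deploy hook. This is an added example, not code from the thread or from any of its posters. It assumes certbot (which runs deploy hooks as root after a successful issuance or renewal and exports the lineage directory in RENEWED_LINEAGE), a broker service account named mosquitto, systemd for the restart, and a destination directory /etc/mosquitto/certs; all of those are assumptions to adjust to your system. The reason the copy is needed at all is the layout certbot creates: /etc/letsencrypt/live and /etc/letsencrypt/archive are mode 0700 owned by root (as the drwx------ in the listing above shows), and privkey.pem is 0600, so a broker that drops privileges to an unprivileged user cannot even traverse into the directory, and a quick `sudo -u mosquitto cat /etc/letsencrypt/live/mydomain/fullchain.pem` reproduces the "Permission denied" without involving the broker.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that copies the
# renewed Let's Encrypt certificate out of the root-only /etc/letsencrypt tree
# into a directory readable by the Mosquitto service account.
#
# Assumptions (change to match your system):
#   - Mosquitto runs as user/group "mosquitto"  (CERT_OWNER / CERT_GROUP)
#   - destination directory /etc/mosquitto/certs (CERT_DIR, hypothetical path)
#   - the broker is managed by systemd
set -eu

DST="${CERT_DIR:-/etc/mosquitto/certs}"
OWNER="${CERT_OWNER:-root}"
GROUP="${CERT_GROUP:-mosquitto}"

# install_certs SRC DST OWNER GROUP
#   Copies fullchain.pem and privkey.pem from SRC (a live/<name> lineage dir)
#   into DST with owner OWNER:GROUP, fullchain 0644 and privkey 0640, so the
#   private key is readable by the broker's group but by nobody else.
install_certs() {
    src="$1"; dst="$2"; owner="$3"; group="$4"

    # Refuse to install missing or 0-byte files; a silently empty key would
    # only move the failure from "Permission denied" to a confusing TLS error.
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done

    mkdir -p "$dst"
    chmod 0750 "$dst"

    # -L follows the live/ -> archive/ symlinks so the copies are regular files
    # that do not depend on traversing /etc/letsencrypt at runtime.
    cp -L "$src/fullchain.pem" "$dst/fullchain.pem.tmp"
    cp -L "$src/privkey.pem"   "$dst/privkey.pem.tmp"
    chmod 0644 "$dst/fullchain.pem.tmp"
    chmod 0640 "$dst/privkey.pem.tmp"
    chown "$owner:$group" "$dst/fullchain.pem.tmp" "$dst/privkey.pem.tmp"

    # Rename into place last so the broker never sees a half-written file.
    mv "$dst/fullchain.pem.tmp" "$dst/fullchain.pem"
    mv "$dst/privkey.pem.tmp"   "$dst/privkey.pem"
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set by certbot for
# deploy hooks); sourcing or running the file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_certs "$RENEWED_LINEAGE" "$DST" "$OWNER" "$GROUP"
    # Restart rather than reload: older Mosquitto versions do not re-read
    # certificate files on SIGHUP.
    systemctl restart mosquitto
fi
```

Save it executable under /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with certbot's `--deploy-hook`), point Mosquitto's cafile/certfile/keyfile at the copies in the destination directory instead of at /etc/letsencrypt/live, and the permissions survive every renewal because the hook, not a one-off chmod on the live tree, is what grants access.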