Mosquitto 1.5.5, no changes have been made to mosquitto, on this installation using user root in config works with sudo mosquitto -c /etc/mosquitto/mosquitto.conf. I have carried out the same installation over and over and have not been able to resolve this. Why would this suddenly change is my issue. The installation process I have used for at least a year on multiple servers and only today it stops working.
This is a security risk, shifting the files is extra hassle, the problem is, why has this suddenly changed?
Was there a great deal of time between rollouts?
Are the versions of your ACME clients different between servers? (certbot --version)
What ACME client are you using? (This is critically important here.)
I have installed at least 4 in the last few days, none of which had this issue. No, versions are the same: 0.31.0
Your certbot version is pretty old.
Is your OS Ubuntu?
Is your webserver apache?
Perhaps use a snap install to 1.9.0.
It is the one that is available in Ubuntu. It is downloaded from the repository each time. Also, even moving the files does not make them able to be opened. No, it is NGINX and I don't use snap.
This is nuts! Even after changing permissions in a non-root directory, still not able to read the certs:
Error: Unable to load CA certificates
The certs are symlinks.
certbot update_symlinks
I found an issue on my side with that. One sec thanks for the help.
I had a wrong path in the cert config in mosquitto. OK so that is loading, but what happens when the certs are renewed, this will have to be manually updated.
Also the service still continues to fail.
Shouldn't. Go ahead and run the renewal with --force-renewal to check.
If you are the one making the change(s), how is this a risk?
Do you understand how it was working? And how it is now failing?
Changing the permissions of the folder means that users that are not supposed to access that folder will be able to. The certs will need moving every time they are updated.
Why? The symlinks solve that.
I don't think that will "fix" anything.
It will check if the permissions and such get mangled.
sudo cp /etc/letsencrypt/live/$domain/fullchain.pem /fserver/libraries/mosquitto/certs/
So the files in the new folder are symlinks pointing to the certs? No, they are the certs themselves.
This is an actual command to fix the symlinks:
certbot update_symlinks
This makes no sense.
You control the server, you decide who has access to those files.
Sure, if you change permissions to "ANY ANY" then of course anyone can access them.
Do you understand how to set permissions so that only specific users have the access?
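
Added example, not part of the thread or any poster's setup: a certbot deploy hook that re-copies the renewed files into the mosquitto certs directory after every renewal, keeping the private key owner-only, so nothing under /etc/letsencrypt has to be opened up and nothing has to be moved by hand. The `mosquitto` account, the service name and the `deploy_certs` helper are assumptions; certbot sets `RENEWED_LINEAGE` when it runs a hook given with `--deploy-hook` or placed in /etc/letsencrypt/renewal-hooks/deploy/.

```shell
#!/bin/sh
# Added example: copy a renewed lineage into a service-private directory.
# Assumed names: the "mosquitto" account/service and the deploy_certs helper.

# deploy_certs LINEAGE_DIR DEST_DIR [OWNER]
deploy_certs() {
    lineage=$1; dest=$2; owner=${3:-}
    [ -d "$lineage" ] || { echo "no lineage dir: $lineage" >&2; return 1; }
    # Directory is closed to "other"; only owner and group can enter it.
    mkdir -p "$dest" && chmod 0750 "$dest" || return 1
    for f in fullchain.pem chain.pem privkey.pem; do
        # -e follows the symlink, so a dangling link in live/ is caught here.
        [ -e "$lineage/$f" ] || { echo "missing or dangling: $lineage/$f" >&2; return 1; }
        mode=0644
        [ "$f" = privkey.pem ] && mode=0600   # private key: owner read/write only
        # Copy the link target (-L) to a temp name, then rename into place,
        # so the broker never opens a half-written file.
        tmp="$dest/.$f.tmp"
        cp -L "$lineage/$f" "$tmp" && chmod "$mode" "$tmp" || return 1
        if [ -n "$owner" ]; then chown "$owner" "$tmp" || return 1; fi
        mv -f "$tmp" "$dest/$f" || return 1
    done
    if [ -n "$owner" ]; then chown "$owner" "$dest" || return 1; fi
    return 0
}

# Runs only when certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" /fserver/libraries/mosquitto/certs mosquitto \
        && systemctl restart mosquitto
fi
```

The copies are regular files rather than symlinks, so the broker needs read access only to its own directory and /etc/letsencrypt/live and archive can stay root-only.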