No "chown" as acmeuser

https://www.c-rieger.de/nextcloud-installationsanleitung/

My domain is:
cloud.freundel.net

I ran this command:
acme.sh --issue --test -d cloud.freundel.net -d meet.freundel.net --keylength 4096 -w /var/www/letsencrypt --key-file /etc/letsencrypt/rsa-certs/privkey.pem --ca-file /etc/letsencrypt/rsa-certs/chain.pem --cert-file /etc/letsencrypt/rsa-certs/cert.pem --fullchain-file /etc/letsencrypt/rsa-certs/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"

For the command I used the user acmeuser:
adduser --disabled-login acmeuser
usermod -a -G www-data acmeuser

It produced this output:
[Fri 23 Jul 2021 06:26:18 PM CEST] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri 23 Jul 2021 06:26:19 PM CEST] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
[Fri 23 Jul 2021 06:26:19 PM CEST] Multi domain='DNS:cloud.freundel.net,DNS:meet.freundel.net'
[Fri 23 Jul 2021 06:26:19 PM CEST] Getting domain auth token for each domain
[Fri 23 Jul 2021 06:26:22 PM CEST] Getting webroot for domain='cloud.freundel.net'
[Fri 23 Jul 2021 06:26:22 PM CEST] Getting webroot for domain='meet.freundel.net'
[Fri 23 Jul 2021 06:26:22 PM CEST] Verifying: cloud.freundel.net
[Fri 23 Jul 2021 06:26:25 PM CEST] cloud.freundel.net:Verify error:Invalid response from http://cloud.freundel.net/.well-known/acme-challenge/tLasTgQVCG2N_N-VxL1UlRbOBMouI4a5o23bzQGGyg8 [202.61.250.234]:
[Fri 23 Jul 2021 06:26:25 PM CEST] Please check log file for more details: /home/acmeuser/.acme.sh/acme.sh.log

My web server is (include version):
nginx version: nginx/1.21.1

The operating system my web server runs on is (include version):
Debian 4.19.0-17-amd64

I can login to a root shell on my machine (yes or no, or I don't know):
yes

less /home/acmeuser/.acme.sh/acme.sh.log shows the following:
...
[Fri 23 Jul 2021 05:41:25 PM CEST] wellknown_path='/var/www/letsencrypt/.well-known/acme-challenge'
[Fri 23 Jul 2021 05:41:25 PM CEST] writing token:9zRARTX8fMU8RsF7nRmL5cqKR1Gtz8-0HmmXWIpdh3o to /var/www/letsencrypt/.well-known/acme-challenge/9zRARTX8fMU8RsF7nRmL5cqKR1Gtz8-0HmmXWIpdh3o
[Fri 23 Jul 2021 05:41:25 PM CEST] Changing owner/group of .well-known to www-data:www-data
[Fri 23 Jul 2021 05:41:25 PM CEST] chown: changing ownership of '/var/www/letsencrypt/.well-known/acme-challenge/9zRARTX8fMU8RsF7nRmL5cqKR1Gtz8-0HmmXWIpdh3o': Operation not permitted
chown: changing ownership of '/var/www/letsencrypt/.well-known/acme-challenge': Operation not permitted
chown: changing ownership of '/var/www/letsencrypt/.well-known': Operation not permitted
[Fri 23 Jul 2021 05:41:25 PM CEST] chown: changing ownership of '/var/www/letsencrypt/.well-known/acme-challenge/9zRARTX8fMU8RsF7nRmL5cqKR1Gtz8-0HmmXWIpdh3o': Operation not permitted
chown: changing ownership of '/var/www/letsencrypt/.well-known/acme-challenge': Operation not permitted
chown: changing ownership of '/var/www/letsencrypt/.well-known': Operation not permitted
...

The mentioned command worked during the original creation of the certificate, but it does not seem to work for renewing the certificate.

The problem seems to be the rights of the user, but they were not changed.
Does anybody have an idea how to solve this?

The folder belongs to www-data. So changing the owner should not be necessary.

# ls -la /var/www/letsencrypt/.well-known/
drwxrwxr-x 3 www-data www-data 4096 Jul 23 17:30 .
drwxrwxr-x 3 www-data www-data 4096 Jul 23 16:26 ..
drwxrwxr-x 2 www-data www-data 4096 Jul 24 00:52 acme-challenge

Why not use a completely new and unrelated path?
Like:
/var/ACMEchallenges
/var/tmp/challenges
/tmp/acmechallenges

Because the path is used in nginx as the place for /.well-known/acme-challenge.

Do you have control over that nginx path setting?

Yes, I have control over it. But I don't understand how changing the path can solve the problem.

As I understand, the script does the following:

  • creating a token in /var/www/letsencrypt/.well-known/acme-challenge/
    • "writing token:9zRARTX8fMU8RsF7nRmL5cqKR1Gtz8-0HmmXWIpdh3o to /var/www/letsencrypt/.well-known/acme-challenge/9zRARTX8fMU8RsF7nRmL5cqKR1Gtz8-0HmmXWIpdh3o"
  • then it tries to change the owner of the token
    • "chown: changing ownership of '/var/www/letsencrypt/.well-known/acme-challenge/9zRARTX8fMU8RsF7nRmL5cqKR1Gtz8-0HmmXWIpdh3o': Operation not permitted"

The user is acmeuser and it is in the group www-data.
The owner of all folders under /var/www/ is www-data:www-data.

After the script finishes, there is no token in the folder.

If I change the path, probably the same would happen, wouldn't it?

There is one surefire way to find out.

I have tried another path. Unfortunately no success.

Then I changed the owner of /var/www/letsencrypt/ to acmeuser. Now the "Operation not permitted" error does not occur anymore.

But I still get a "Verify error:Invalid response from" error. So I changed the log level to 2.

Now the log file shows an error with http-01:
[Mon 26 Jul 2021 09:03:45 PM CEST] original='{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://cloud.freundel.net/.well-known/acme-challenge/c1brsHTlkA_ueZq8q-MRJlRLRjq6aS0LVFTfAasPdCQ [202.61.250.234]: "\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\r\n"",
"status": 403

Does anyone have an idea why the token is not saved in the folder?
Is it a good idea to run acme.sh as root?
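Added example (not part of this thread and not acme.sh code) that separates the two things the log above mixes together. A non-root user can create the token in a group-writable acme-challenge directory, but can never chown it to www-data: giving a file away to another user requires CAP_CHOWN, which only root has, so "Operation not permitted" is the expected outcome for acmeuser and is not what makes the validation fail. What matters for http-01 is that the client can write into .well-known/acme-challenge and that the web server's group (or everyone) can traverse the path down to a readable token; the preflight below checks exactly that. The webroot, the token and the key authorization are constructed for the demo, and the current group stands in for www-data.

```python
"""Added example, not from the thread or from acme.sh: preflight for an http-01 webroot
used by a non-root ACME client, and why `chown ... www-data` fails for that client."""
import os
import stat
import tempfile

CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")

def _server_can_enter(path, server_gid):
    """The web server only needs the x bit on every directory down to the token."""
    st = os.stat(path)
    if st.st_mode & stat.S_IXOTH:
        return True
    return st.st_gid == server_gid and bool(st.st_mode & stat.S_IXGRP)

def preflight(webroot, server_gid):
    """List what would stop a non-root client (us) from placing a token that a web server
    running with group `server_gid` can read. An empty list means the webroot is usable."""
    leaf = os.path.join(webroot, CHALLENGE_SUBDIR)
    if not os.path.isdir(leaf):
        return [f"missing: {leaf}"]
    problems = []
    if not os.access(leaf, os.W_OK | os.X_OK):
        problems.append(f"client cannot create files in {leaf}")
    for d in (webroot, os.path.join(webroot, ".well-known"), leaf):
        if not _server_can_enter(d, server_gid):
            problems.append(f"web server (gid {server_gid}) cannot traverse {d}")
    return problems

def place_token(webroot, token, key_authorization):
    """Write the token the way a non-root client can: owned by us, mode 0644 so that the
    web server can read it whatever its uid is. No chown is needed for that."""
    path = os.path.join(webroot, CHALLENGE_SUBDIR, token)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_authorization)
    os.chmod(path, 0o644)          # undo whatever the umask took away
    return path

def can_give_away(path, new_uid):
    """Giving a file to another user needs CAP_CHOWN, which only root has; a non-root client
    gets 'Operation not permitted' here, exactly like acme.sh in the log above."""
    try:
        os.chown(path, new_uid, -1)
        return True
    except PermissionError:
        return False

def demo():
    """Run the checks in a throwaway webroot; the current group stands in for www-data."""
    with tempfile.TemporaryDirectory() as webroot:
        server_gid = os.getegid()
        missing_case = preflight(webroot, server_gid)          # nothing created yet
        leaf = os.path.join(webroot, CHALLENGE_SUBDIR)
        os.makedirs(leaf)
        for d in (webroot, os.path.dirname(leaf), leaf):
            os.chmod(d, 0o775)     # same mode as the thread's /var/www/letsencrypt tree
        token = "constructed-token"                             # constructed, not a real challenge
        path = place_token(webroot, token, token + ".constructed-account-thumbprint")
        other_uid = 1 if os.geteuid() == 0 else 0               # any uid that is not ours
        return {
            "missing_case": missing_case,
            "problems": preflight(webroot, server_gid),
            "running_as_root": os.geteuid() == 0,
            "chown_ok": can_give_away(path, other_uid),
            "token_world_readable": bool(os.stat(path).st_mode & stat.S_IROTH),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as the ACME user, not as root, to see the realistic result: `problems` is empty, the token is world-readable, and `chown_ok` is False, which is harmless as long as the web server can traverse the directories and read the file.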

And now both paths are unsuccessful.
Please show us how you changed the path exactly.
And also show the nginx configuration with:
nginx -T

rg305, thanks for your help.

as root:
mkdir -p /tmp/letsencrypt/.well-known/acme-challenge
chmod -R 775 /tmp/letsencrypt
chown -R www-data:www-data /tmp/letsencrypt/

as acmeuser:
acme.sh --issue --test --log-level 2 -d cloud.freundel.net -d meet.freundel.net --server letsencrypt --keylength 4096 -w /tmp/letsencrypt --key-file /etc/letsencrypt/rsa-certs/privkey.pem --ca-file /etc/letsencrypt/rsa-certs/chain.pem --cert-file /etc/letsencrypt/rsa-certs/cert.pem --fullchain-file /etc/letsencrypt/rsa-certs/fullchain.pem --reloadcmd "sudo /bin/systemctl reload nginx.service"
[Tue 27 Jul 2021 12:12:37 PM CEST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue 27 Jul 2021 12:12:37 PM CEST] Multi domain='DNS:cloud.freundel.net,DNS:meet.freundel.net'
[Tue 27 Jul 2021 12:12:37 PM CEST] Getting domain auth token for each domain
[Tue 27 Jul 2021 12:12:40 PM CEST] Getting webroot for domain='cloud.freundel.net'
[Tue 27 Jul 2021 12:12:40 PM CEST] Getting webroot for domain='meet.freundel.net'
[Tue 27 Jul 2021 12:12:40 PM CEST] Verifying: cloud.freundel.net
[Tue 27 Jul 2021 12:12:44 PM CEST] cloud.freundel.net:Verify error:Invalid response from http://cloud.freundel.net/.well-known/acme-challenge/Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8 :
[Tue 27 Jul 2021 12:12:44 PM CEST] Please check log file for more details: /home/acmeuser/.acme.sh/acme.sh.log

acme.sh.log shows:
[Tue 27 Jul 2021 12:12:40 PM CEST] Verifying: cloud.freundel.net
[Tue 27 Jul 2021 12:12:40 PM CEST] d='cloud.freundel.net'
[Tue 27 Jul 2021 12:12:40 PM CEST] keyauthorization='Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8.KSvd8aht3X7AfjmrcmisW8meUNmFHYZywj1jBVPHJqA'
[Tue 27 Jul 2021 12:12:40 PM CEST] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/16591171410/4Nf9Ow'
[Tue 27 Jul 2021 12:12:40 PM CEST] _currentRoot='/tmp/letsencrypt'
[Tue 27 Jul 2021 12:12:40 PM CEST] wellknown_path='/tmp/letsencrypt/.well-known/acme-challenge'
[Tue 27 Jul 2021 12:12:40 PM CEST] writing token:Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8 to /tmp/letsencrypt/.well-known/acme-challenge/Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8
[Tue 27 Jul 2021 12:12:40 PM CEST] Changing owner/group of .well-known to www-data:www-data
[Tue 27 Jul 2021 12:12:40 PM CEST] chown: changing ownership of '/tmp/letsencrypt/.well-known/acme-challenge/Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8': Operation not permitted
chown: changing ownership of '/tmp/letsencrypt/.well-known/acme-challenge': Operation not permitted
chown: changing ownership of '/tmp/letsencrypt/.well-known': Operation not permitted
[Tue 27 Jul 2021 12:12:40 PM CEST] chown: changing ownership of '/tmp/letsencrypt/.well-known/acme-challenge/Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8': Operation not permitted
chown: changing ownership of '/tmp/letsencrypt/.well-known/acme-challenge': Operation not permitted
chown: changing ownership of '/tmp/letsencrypt/.well-known': Operation not permitted
[Tue 27 Jul 2021 12:12:40 PM CEST] Trigger domain validation.

acme.sh.log shows also:
[Tue 27 Jul 2021 12:12:43 PM CEST] original='{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://cloud.freundel.net/.well-known/acme-challenge/Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8 [202.61.250.234]: "\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003enginx\u003c/center\u003e\r\n"",
"status": 403

then as root:
chown -R acmeuser:www-data /tmp/letsencrypt/

then as acmeuser:
repeat above mentioned acme.sh-command

result:

  • "Operation not permitted" does not occur
  • http-01 error occurred again

nginx -T:
[file removed]

I fail to find a vhost for cloud.freundel.net that is listening on port 80.

Could you please explain what exactly that means?

This link needs to be validated by your web server:

http://cloud.freundel.net/.well-known/acme-challenge/Vz1vFAtxmdqbpG6cfszfJB5ySSXpkhiAJLrlkQ2xmt8

But it has no way to do that.
There is only:

server {
    listen 80;
    listen [::]:80;
    server_name meet.freundel.net;
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name meet.freundel.net;
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name cloud.freundel.net;

You need a fully functional web server before trying to secure it.
Where is?:
http://cloud.freundel.net/

There are also nginx config files for nextcloud and jitsi.

Do you have an example of how http://cloud.freundel.net should look in the configuration?

No, certificate validity doesn't alter your web server configuration.
There is a missing section for:

server {
listen 80;
listen [::]:80;
server_name cloud.freundel.net;

Furthermore, since both domains are set to use webroot "/tmp/letsencrypt", both HTTP vhosts must be prepared to handle the HTTP challenge requests accordingly.

This fails to do so:

server {
    listen 80;
    listen [::]:80;
    server_name meet.freundel.net;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }

/usr/share/jitsi-meet <> /tmp/letsencrypt

Also, if this file is empty, just delete it:
# configuration file /etc/nginx/conf.d/default.conf:
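The two findings above (no server block for cloud.freundel.net on port 80, and a challenge root for meet.freundel.net that is not the acme.sh webroot) can be checked mechanically against `nginx -T` output instead of by reading it by eye. The following Python audit is an added example, not code from this thread, from nginx or from acme.sh. The embedded `nginx -T` excerpt is constructed to mirror the situation described in the posts; server_name matching is exact (no wildcard or regex names), and only full-line comments are stripped, which is enough for the markers `nginx -T` inserts.

```python
"""Added example, not from the thread: audit `nginx -T` output for http-01 readiness.

For every domain it answers the two questions that decide whether
http://<domain>/.well-known/acme-challenge/<token> can be served:
  1. Is there a server block for that name listening on port 80?
  2. Does that block serve /.well-known/acme-challenge/ from the acme.sh webroot?
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

WEBROOT = "/tmp/letsencrypt"                         # the -w path given to acme.sh
DOMAINS = ["cloud.freundel.net", "meet.freundel.net"]

# Constructed stand-in for `nginx -T` output, mirroring the thread: meet.freundel.net has a
# port-80 vhost whose challenge root is /usr/share/jitsi-meet, cloud.freundel.net has none.
SAMPLE_NGINX_T = """\
# configuration file /etc/nginx/nginx.conf:
http {
    # configuration file /etc/nginx/conf.d/meet.conf:
    server {
        listen 80;
        listen [::]:80;
        server_name meet.freundel.net;
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /usr/share/jitsi-meet;
        }
        location / { return 301 https://$host$request_uri; }
    }
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name meet.freundel.net;
    }
    # configuration file /etc/nginx/conf.d/nextcloud.conf:
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name cloud.freundel.net;
    }
}
"""

@dataclass
class Server:
    names: List[str] = field(default_factory=list)
    ports: Set[int] = field(default_factory=set)
    acme_root: Optional[str] = None     # root inside a /.well-known/acme-challenge location
    default_root: Optional[str] = None  # root at server level, used when no such location

def _statements(text):
    """Yield ('open', header words), ('close', None) or ('directive', words) in file order.
    Full-line comments are dropped; trailing comments and ';' inside quotes are not handled."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    buf = ""
    for ch in body:
        if ch in "{;}":
            words, buf = buf.split(), ""
            yield ("open", words) if ch == "{" else ("directive", words) if ch == ";" else ("close", None)
        else:
            buf += ch

def _port_of(listen_arg):
    """'80' -> 80, '[::]:80' -> 80, '0.0.0.0:443' -> 443; address only -> 80 (nginx default)."""
    m = re.search(r":(\d+)$", listen_arg)
    if m:
        return int(m.group(1))
    return int(listen_arg) if listen_arg.isdigit() else 80

def parse_servers(nginx_t_output):
    """Collect every server block with its ports, names and challenge/default root."""
    servers, stack, current = [], [], None
    for kind, words in _statements(nginx_t_output):
        if kind == "open":
            stack.append(words)
            if words and words[0] == "server":
                current = Server()
                servers.append(current)
        elif kind == "close":
            if stack and stack.pop()[:1] == ["server"]:
                current = None
        elif current is not None and words:
            name, args = words[0], words[1:]
            location = next((h for h in reversed(stack) if h and h[0] == "location"), None)
            if name == "listen" and args:
                current.ports.add(_port_of(args[0]))
            elif name == "server_name":
                current.names.extend(args)
            elif name == "root" and args:
                if location and "/.well-known/acme-challenge" in " ".join(location[1:]):
                    current.acme_root = args[0]
                elif location is None:
                    current.default_root = args[0]
    return servers

def audit(servers, domains, webroot):
    """Map each domain to 'ok', 'missing-port-80-vhost' or 'challenge-root-mismatch:<roots>'."""
    report = {}
    for domain in domains:
        http = [s for s in servers if domain in s.names and 80 in s.ports]
        if not http:
            report[domain] = "missing-port-80-vhost"
            continue
        roots = {s.acme_root or s.default_root or "<unset>" for s in http}
        report[domain] = "ok" if roots == {webroot} else "challenge-root-mismatch:" + ",".join(sorted(roots))
    return report

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NGINX_T
    for domain, verdict in audit(parse_servers(text), sys.argv[1:] or DOMAINS, WEBROOT).items():
        print(f"{domain}: {verdict}")
```

On the real machine, pipe the live configuration in: `nginx -T 2>/dev/null | python3 audit.py cloud.freundel.net meet.freundel.net`. The verdict "missing-port-80-vhost" corresponds to the first finding above and "challenge-root-mismatch:/usr/share/jitsi-meet" to the second; both must read "ok" before an http-01 validation can succeed.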

Went one step forward:

Added the following to nextcloud.conf:
server {
    listen 80;
    listen [::]:80;
    server_name cloud.freundel.net;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /tmp/letsencrypt;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

Verifying: cloud.freundel.net
[Tue 27 Jul 2021 05:48:52 PM CEST] Success
[Tue 27 Jul 2021 05:48:52 PM CEST] Verifying: meet.freundel.net
[Tue 27 Jul 2021 05:48:56 PM CEST] meet.freundel.net:Verify error:Invalid response from http://meet.freundel.net/.well-known/acme-challenge...

Changed then /usr/share/jitsi-meet <> /tmp/letsencrypt

But it still shows the http-01 error for meet.freundel.net.

I don't think you understood what I meant with that line.
The "<>" is read as "does not equal" or "is not equal to".
So:
/usr/share/jitsi-meet <> /tmp/letsencrypt
reads as:
/usr/share/jitsi-meet does not equal /tmp/letsencrypt
/usr/share/jitsi-meet is not equal to /tmp/letsencrypt

I hope I understand you correctly.

Now the meet.conf contains:

server {
    listen 80;
    listen [::]:80;
    server_name meet.freundel.net;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

And the nextcloud.conf contains:

server {
    listen 80;
    listen [::]:80;
    server_name cloud.freundel.net;

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /tmp/letsencrypt;
    }
    location = /.well-known/acme-challenge/ {
        return 404;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

Result of the acme.sh command:

[Tue 27 Jul 2021 08:17:11 PM CEST] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue 27 Jul 2021 08:17:11 PM CEST] Multi domain='DNS:cloud.freundel.net,DNS:meet.freundel.net'
[Tue 27 Jul 2021 08:17:11 PM CEST] Getting domain auth token for each domain
[Tue 27 Jul 2021 08:17:13 PM CEST] Getting webroot for domain='cloud.freundel.net'
[Tue 27 Jul 2021 08:17:14 PM CEST] Getting webroot for domain='meet.freundel.net'
[Tue 27 Jul 2021 08:17:14 PM CEST] cloud.freundel.net is already verified, skip http-01.
[Tue 27 Jul 2021 08:17:14 PM CEST] Verifying: meet.freundel.net
[Tue 27 Jul 2021 08:17:17 PM CEST] meet.freundel.net:Verify error:Invalid response from http://meet.freundel.net/.well-known/acme-challenge/_isnSQzl4x4oemaJMdZC386KBSTVnz5Q1h_5FioprVI [202.61.250.234]: 
[Tue 27 Jul 2021 08:17:17 PM CEST] Please check log file for more details: /home/acmeuser/.acme.sh/acme.sh.log