NPM: Can't create certificate "Unsafe permission"

Hello everyone,

I'm pretty new to nginx proxy manager and I want to stop having the certificate alert with my service. I followed a tutorial to do so.

So I installed NPM on my server and tried to install a certificate for a domain named "intranetcul.duckdns.org", created for my local server, and when I try to create the certificate I get this:

Unsafe permissions on credentials configuration file: /etc/letsencrypt/credentials/credentials-2
Unsafe permissions on credentials configuration file: /etc/letsencrypt/credentials/credentials-2
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

So I'm asking for your help, to check if you have any idea how to resolve that.

Thanks for your help.

PS: If you need info I can provide it :wink:


Yeah, we need way more information. NPM has a habit of omitting essential information. The output you've pasted, for example, does not tell us anything useful. That unsafe permission stuff is probably just warnings. (And to fix those, you should probably refer to an NPM support channel.)

So we really need the actual error message from the ACME server to debug the specific problem.

For example, I have no idea if NPM is actually trying to use the dns-01 challenge using the DuckDNS DNS API, as for your local IP address that's currently configured in your hostname (192.168.1.30), that would be the only viable challenge possible.

Please provide the Certbot log or some way more detailed Certbot output and please also:


When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Please note that most volunteers, myself included, are not very inclined to put much effort into debugging NPM, as it's quite a piece of )(#*$() software if you ask me. So you might get referred to the NPM support community again for the entirety of your problem in the future.

Yes, I'm sorry, I deleted the requirement to open the thread :frowning:

Here is the info asked for (I hope it's all good):

My domain is: intranetcul.duckdns.org (for local - network)

I ran this command:

It produced this output: on the screenshot

My web server is (include version): don't use

The operating system my web server runs on is (include version): Truenas Scale 24.10

My hosting provider, if applicable, is: DuckDNS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes (I suppose ^^')

The output is inadequate. Even on your screenshot a lot is cut away. (You surely have seen that, right?) But even if you copy/pasted the entire info, it is probably not enough (although that PermissionError is interesting).

Please provide the Certbot log file from, well, somewhere within NPM (I don't have a clue as to where to look for that..)

Here is what I found for the issue with Certbot:

Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 528, in obtain_and_enroll_certificate
    return storage.RenewableCert.new_lineage(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/storage.py", line 1126, in new_lineage
    new_config = write_renewal_config(config_filename, config_filename, archive,
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/storage.py", line 171, in write_renewal_config
    filesystem.chmod(n_filename, current_permissions)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/compat/filesystem.py", line 59, in chmod
    os.chmod(file_path, mode)
PermissionError: [Errno 1] Operation not permitted: '/etc/letsencrypt/renewal/npm-4.conf'
2024-12-15 20:05:30,221:ERROR:certbot._internal.log:An unexpected error occurred:
2024-12-15 20:05:30,221:ERROR:certbot._internal.log:PermissionError: [Errno 1] Operation not permitted: '/etc/letsencrypt/renewal/npm-4.conf'

That error should not happen on regular systems. Sounds like some bug in NPM or your specific setup of NPM.

Please refer to the NPM support channels.
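
An added example, not from the thread and not Certbot or NPM code: a small audit that reports, for the two paths quoted in the output above, the mode bits and owner behind an "Unsafe permissions" warning and an `os.chmod` `PermissionError`. Treating any group or other access as a finding (a 0600 target) is an assumption; the function names are hypothetical.

```python
import os
import stat
import sys

# Paths taken from the output quoted in this thread.
THREAD_PATHS = ["/etc/letsencrypt/credentials/credentials-2",
                "/etc/letsencrypt/renewal/npm-4.conf"]

def audit_path(path, euid=None):
    """Return mode, owner and findings for one file (euid defaults to ours)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    euid = os.geteuid() if euid is None else euid
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("world-accessible")
    if mode & stat.S_IRWXG:
        findings.append("group-accessible")
    # chmod(2) fails with EPERM for an unprivileged non-owner. Heuristic only:
    # dropped capabilities or filesystem ACLs can deny chmod even to the owner.
    if euid != 0 and st.st_uid != euid:
        findings.append("chmod-would-fail")
    return {"path": path, "mode": format(mode, "04o"),
            "owner_uid": st.st_uid, "findings": findings}

def audit_many(paths, euid=None):
    """Audit several paths, recording missing or unreachable ones."""
    results = []
    for p in paths:
        try:
            results.append(audit_path(p, euid))
        except FileNotFoundError:
            results.append({"path": p, "mode": None, "owner_uid": None,
                            "findings": ["missing"]})
        except PermissionError:
            results.append({"path": p, "mode": None, "owner_uid": None,
                            "findings": ["unreadable"]})
    return results

if __name__ == "__main__":
    for r in audit_many(sys.argv[1:] or THREAD_PATHS):
        status = ", ".join(r["findings"]) or "ok"
        print(f'{r["path"]}: mode={r["mode"]} owner={r["owner_uid"]} -> {status}')
```

Run it inside the same container and as the same user that runs Certbot, since ownership is evaluated against the effective UID of the calling process.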
