Permissions problem?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cluster.kulturhotell.se

I ran this command:
certbot certonly --webroot --dry-run -w /var/www/cluster.kulturhotell.se -d cluster.kulturhotell.se

Error message:
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 180, in _create_challenge_dirs
os.mkdir(prefix, 0o0755)
PermissionError: [Errno 1] Operation not permitted: '/var/www/cluster.kulturhotell.se/.well-known'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 83, in perform
self._create_challenge_dirs()
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 192, in _create_challenge_dirs
"challenge responses: {1}".format(name, exception))
certbot.errors.PluginError: Couldn't create root for cluster.kulturhotell.se http-01 challenge responses: [Errno 1] Operation not permitted: '/var/www/cluster.kulturhotell.se/.well-known'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs[-1]()
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 224, in cleanup
os.remove(validation_path)
FileNotFoundError: [Errno 2] No such file or directory: '/var/www/cluster.kulturhotell.se/.well-known/acme-challenge/Q-FGOvDRORNcxTno7sKswrWPBLEkcditjTAkbxGFl2k'
Couldn't create root for cluster.kulturhotell.se http-01 challenge responses: [Errno 1] Operation not permitted: '/var/www/cluster.kulturhotell.se/.well-known'

Any idea how to fix this? We run 2 webservers with HAProxy and ISPConfig. Public address points to web-02 atm.

Thanks!


Hi @edamber

please read your exact error message:

Then configure your server correctly.


Every permission is right. Tried a dry run with standalone instead. Now I get "can't bind to port 80" on the first web server and "The client lacks sufficient authorization" on the other one. Tried putting the /.well-known/acme-challenge in Gluster so both servers share it; doesn't seem to work either.

Your error message says: No.

This can be due to two issues: you are not root, or something else is listening on port 80 already.

Which user did you run this command as?

They should have automatic installation of letsencrypt certificates as a feature, you should check and maybe consider upgrading.

Ok, so now I don't get the bind to port 80. I get the same error as above on both servers.

Ran it as root. Done chmod 755 on all folders and gave

Yeah, they have checkboxes that auto-install. Doesn't work though. They just uncheck. The tip I got was to share the folders between servers, so I put /acme/.well-known/acme-challenge on Gluster. Not sure if I need /etc/letsencrypt too.

Is it because I run dry-runs as root but the folders are owned by ispconfig? Pretty sure it was root before I changed it, and it didn't work then either.

Mixing a control panel and raw Certbot is always a bad idea. Then you have problems you can’t fix.

Use only the control panel solution.

PS: That's the reason for that template question. But if you don't answer such required questions, that can't work.

Yes, I've tried the panel only too. Doesn't work; right now it doesn't even produce errors in the letsencrypt log. Thanks for the answers though. Guess it won't work with an HA cluster and ISPConfig mirroring in combination with HAProxy. Might have to create and manage all certs on the HAProxy servers.
