Permissions Required to /etc/letsencrypt/live/ for Script?


#1

Sorry for the premature post. Here is the redo:

OS and environment are Ubuntu 16.04LTS on Amazon EC2 instance.

I used:
sudo certbot --nginx

All appeared to work, and I can see the created certs with:
sudo ls -l /etc/letsencrypt/live/MyDomain

However, the script reports:
IMPORTANT NOTES:

  • Unable to install the certificate

Can anyone explain or guess why it would have failed? And, is the solution simply to manually add the cert and key to the site config?

Thanks in advance.


#2

Hi @HumanJHawkins,

It would be great if you explained what software you are using and what command you ran. The text field automatically filled in questions about these topics, but you didn’t complete them.

If you’re using Certbot, it does default to requiring root access. There are ways of using it that won’t require root. If you want to get certificates without root access, you might be better off using one of the other clients.

For example, a lot of people have had excellent experiences with


#3

Right. Sorry. I clicked over to the terminal to copy something, and when I came back saw that my blank message was posted. Revised above. First time here and was having trouble with the UI also, so cleared the post and hopefully got the relevant info in.


#4

Oh, thanks for updating all of that.

@erica, would you be interested in seeing data from a potential nginx installer failure?

@HumanJHawkins, I guess my previous reply isn’t really relevant because I thought from the subject line that you might be running without root. You should be able to edit nginx configuration files manually to refer to your new certificate and then reload nginx. The fact that it failed to install may mean that you’ve found a bug in Certbot’s nginx support, which was rolled out relatively recently.


#5

Yes please, I would love logs! Feel free to redact any information such as your domain and IP address. Helpful files:

  • the contents of any files in /var/log/letsencrypt
  • your Nginx config files (usually in /etc/nginx/sites-enabled)

Other information that would be helpful:

  • What version of certbot are you running? certbot --version
  • What installation method did you use? e.g. certbot-auto, packaged in Ubuntu, our ppa as instructed on certbot.eff.org, developer installation guide…


#6

I was playing in a sandbox originally and did not have the original logs. But I’ve gotten back to it and recreated the issue.

NOTE: The Ubuntu repo (as of a few days ago at least) only had Nginx 1.10. The current stable version is 1.12, which I installed by using Nginx.org repo for Ubuntu 16.04LTS.

What I did to see the issue:

  1. Installed Ubuntu 16.04LTS for the “hvm:ebs-ssd” instance type for US-West2 region.
  2. This big list… Most likely you will only care about the stuff halfway down in pink, which is mostly the web site config:
    https://docs.google.com/document/d/1rGoQFYZAWfZihVmdgMl9QG_2YlROUmVQ4geJsLs3Khk/edit?usp=sharing

On getting to the certbot stuff, certs were created and I easily manually configured it to use them. But I see two errors in the output:

i. nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
ii. - Unable to install the certificate

Was blocked from uploading, so pasted the log here:
https://docs.google.com/document/d/1VWEIbyv3WmanUGYPKnlgVWa8XFloraBKfX2ceBCw18M/edit?usp=sharing

Thanks for the great work. Hope this helps it. (And to reiterate, I’ve solved this for myself with a manual install. So no complaints here if you decide this isn’t a priority.)


#7

@erica, @schoen, One more thing… I noticed something researching this issue that I think you’ll want to hear, that is best kept private. Is there a way I can contact either of you directly? (Possibly because I am a new user or lack of rep, I don’t see an option to PM.)

Thanks.


#8

Feel free to email me at noah@eff.org and I’ll see to it! I’m also a developer of Certbot and can help answer any questions you have and handle private communications!


#9

Hi @HumanJHawkins, thanks for the info!

Currently, if someone has a server block with ssl enabled, we don’t add any ssl directives, on the assumption that we should try to leave things as much the same as possible.

But your use case is not uncommon, and it’s perhaps time to consider how best to handle this. Really appreciate you bringing it up!

If you would like Certbot to automatically install your cert, you can uncomment the two ssl_certificate lines, and instead of pointing to where the cert will eventually go, point to a dummy file – on my machine, good choices would be:

ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
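As an added illustration (not a config from this thread or from the Certbot project), here is one nginx server block in the three states the discussion describes: the shape the installer skips, the snakeoil placeholder workaround, and the manual install from #6. The domain and webroot are placeholders; the snakeoil pair is the one shipped by Ubuntu's ssl-cert package, and fullchain.pem/privkey.pem are the symlinks Certbot maintains under /etc/letsencrypt/live/.

```nginx
# Added example, not from the thread. example.com and /var/www/example.com
# are placeholders.

# State A: the case the installer leaves alone. The block already listens
# with ssl, but the certificate directives are commented out, so Certbot
# adds nothing and reports "Unable to install the certificate".
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/example.com;

    # ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}

# State B: the workaround suggested above. Point the two directives at the
# placeholder "snakeoil" pair from Ubuntu's ssl-cert package. The block is
# then valid before any real certificate exists, and Certbot has existing
# ssl_certificate lines to rewrite.
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/example.com;

    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}

# State C: the manual install from #6. Reference the live/ symlinks rather
# than the dated files under archive/, so renewals need no config change.
# The private key under /etc/letsencrypt is root-only; nginx reads it as
# root during startup, so the worker user needs no extra permissions.
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    root /var/www/example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
# After editing: sudo nginx -t && sudo systemctl reload nginx
```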


#10

Created an issue on Github to continue the discussion: https://github.com/certbot/certbot/issues/4832


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.