Renewing of LE Certs on the Mac OSX client worked just fine on IPv4

I would like to report here that after turning off my lame AT&T IPv6, the renewal of the cert was successfully done!

Renewing Certificate Command:

./certbot-auto certonly --webroot --webroot-path /Users/user2/Sites/ --email webmaster@domain.org -d domain.org -d www.domain.org


Here are the installation logs:


[server:~] root# cd /Users/user1/letsencrypt
[server:~/letsencrypt] root# ./certbot-auto certonly --webroot --webroot-path /Users/user2/Sites/ --email webmaster@domain.org -d domain.org -d www.domain.org
Upgrading certbot-auto 0.15.0 to 0.16.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
The directory '/Users/user1/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/Users/user1/Library/Caches/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.org
http-01 challenge for www.domain.org
Using the webroot path /Users/user2/Sites for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /Users/user2/Sites/.well-known/acme-challenge

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/domain.org/fullchain.pem. Your cert will
    expire on 2017-10-07. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot-auto again. To
    non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

[server:~/letsencrypt] root# mv /Users/user2/Sites/.well-known/acme-challenge/fDjNSMdaG4Ugr_adgurjghbvnfrjfhhdgdhfrjhfufhr /Users/user1/Downloads/install/LetsEncrypt\ Info/01\ Renew\ Domains/domain.org/z-backup/acme-challenge
[server:~/letsencrypt] root# mv /Users/user2/Sites/.well-known/acme-challenge/REYtZjAiL0rEYfadgurjghbvnfrjfhhdgdhfrjhfufhr /Users/user1/Downloads/install/LetsEncrypt\ Info/01\ Renew\ Domains/domain.org/z-backup/acme-challenge


access_log:


66.133.109.36 - - [09/Jul/2017:07:54:02 -0700] "GET /.well-known/acme-challenge/FlWUtpOL0uqxeoJnJadgurjghbvnfrjfhhdgdhfrjhfufhr HTTP/1.1" 302 272
66.133.109.36 - - [09/Jul/2017:07:54:02 -0700] "GET /.well-known/acme-challenge/4AaowOdr9p9lltadgurjghbvnfrjfhhdgdhfrjhfufhr HTTP/1.1" 302 276


Obs:

I renewed the LE Cert as root using an Admin account! In the installation logs Certbot stated:

The directory '/Users/user1/Library/Caches/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/Users/user1/Library/Caches/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.

Obs 1:
On OS X, every website and its domain have their own separate account. These accounts are second-level accounts with no root or administrative rights (for security reasons), and that is the reason these logs are popping out.

Obs 2:
In my opinion, when renewing logged in as root on an Admin account, one would think that they would have all the permissions to perform a renewal, but the logs showed that this is not inherited at the time of renewing.

That is the way the Mac OS X permissions are set. Even an Admin does not have complete access to the user’s accounts. He can break all the permissions, but why would one do that?
… and that is the reason these logs are popping out! Pip has been installed on the admin account, so I am not sure of the workaround for this one.
