[solved] Certbot creates acme-challenge files that are inaccessible to www-data for some domains

I use certbot version 0.31.0-1+ubuntu18.04.1+certbot+1 on Ubuntu 18.04, and have a problem generating the acme-challenge file for some domains, because nginx gets a "403 Access denied" error.

For most domains certbot creates the .well-known/acme-challenge/* files with the right permissions (-rw-r--r--, owned by root:root), and nginx can read them fine.

But for some domains on the same system certbot creates files with -rw-rw---- permissions, so nginx can't read them and shows a "403 Access denied" error!

The command used to generate the certificate is the same:

certbot certonly --webroot -d test1.example.com --webroot-path=/srv/test1.example.com/public_html
certbot certonly --webroot -d test2.example.com --webroot-path=/srv/test2.example.com/public_html

The only difference is the owner of the webroot directory (test1:test1 vs. test2:test2); the nginx configs for both domains are similar, and the directory permissions are the same too. The users have the same group membership (their own group plus www-data) and the same umask (0002).

And for the test1.example.com user everything works well, but for test2.example.com it doesn't, because of the file permission problem described above!

Can anybody please describe which user settings (or directory permissions) can affect the permissions of the acme-challenge files? And maybe there is some way to force specific permissions manually via a command line argument?


Hi and welcome!

What happens if you place a test file in that same location; is it accessible from the Internet?
[without doing anything special to the permissions of that new file]
echo "test1" > /srv/test1.example.com/public_html/test-file-1
echo "test2" > /srv/test2.example.com/public_html/test-file-2


Hmm, the result of the test file creation command is different; thanks for the idea of this check! So the problem is outside certbot, and I have even found the source of it!

The problem is in custom ACL rules for the test2 folder! I fixed them, and now everything works right!
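One way to run the probe-file check suggested above and see why a directory ACL explains the rw-rw---- files, as an added example that is not code from the thread: when a directory carries a default ACL, new files take their mode from that ACL and the creating process's umask is ignored, so a root-owned file can come out rw-rw---- and nginx (www-data, neither owner nor group member) is refused via the "other" bits. The script assumes GNU stat (-c '%a', with a BSD -f '%Lp' fallback); the original post does not say what the custom ACL rules were, so the default ACL applied to the "bad" directory here is a constructed one chosen to reproduce the symptom, and the ACL part is skipped where setfacl is not available.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the symptom: a default ACL
# on a directory overrides the umask (0002) for files created inside it.
# Assumes GNU stat with a BSD fallback; the ACL below is a constructed one.

# Octal mode of a file, e.g. 664
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when "other" has the read bit, i.e. a process that is neither the
# owner nor in the owning group (nginx's www-data reading a root:root file)
# can read the file.
other_readable() {
  mode=$(file_mode "$1")
  last=${mode#"${mode%?}"}        # last octal digit = "other" permissions
  [ $(( last & 4 )) -ne 0 ]
}

# Create a probe file the way the helper suggested and report what a
# webserver running as an unrelated user would see, plus any default ACL.
probe_dir() {
  dir=$1
  echo "probe" > "$dir/test-file"
  printf '%s: mode %s, ' "$dir/test-file" "$(file_mode "$dir/test-file")"
  if other_readable "$dir/test-file"; then
    echo "readable by www-data"
  else
    echo "NOT readable by www-data (expect 403)"
  fi
  if command -v getfacl >/dev/null 2>&1; then
    echo "default ACL on $dir:"
    getfacl -d "$dir" 2>/dev/null || true
  fi
}

demo() {
  umask 0002                       # same umask as the users in the thread
  tmp=$(mktemp -d)
  mkdir "$tmp/good" "$tmp/bad"
  # Constructed default ACL: files created in "bad" get u::rw g::rw o::---
  # regardless of the umask, which is exactly the rw-rw---- seen above.
  if command -v setfacl >/dev/null 2>&1; then
    setfacl -d -m u::rw,g::rw,o::--- "$tmp/bad" 2>/dev/null \
      || echo "setfacl failed on $tmp (filesystem without ACL support?)"
  else
    echo "setfacl not installed; only the umask case is shown"
  fi
  probe_dir "$tmp/good"            # 664: readable by www-data
  probe_dir "$tmp/bad"             # 660 once the default ACL took effect
  rm -rf "$tmp"
}

demo
```

`getfacl -d` on the webroot shows the default entries that get inherited by every new file; if that output is non-empty, the umask no longer predicts the mode of the files certbot writes there, and a default `o::r--` entry (or removing the default ACL with `setfacl -k`) restores world-readable challenge files.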

