I use certbot version 0.31.0-1+ubuntu18.04.1+certbot+1 on Ubuntu 18.04, and have a problem with generating the acme-challenge file for some domains, because nginx gets a "403 Access denied" error.
For most domains certbot creates the .well-known/acme-challenge/* files fine, with the right permissions (-rw-r--r--, owned by root/root), and such a file is readable via nginx.
But for some domains on the same system certbot creates files with -rw-rw---- permissions, so nginx can't read them and shows a "403 Access denied" error!
The command to generate the certificate is the same:
certbot certonly --webroot -d test1.example.com --webroot-path=/srv/test1.example.com/public_html
certbot certonly --webroot -d test2.example.com --webroot-path=/srv/test2.example.com/public_html
The only difference is the owner of the webroot path directory (different owners: test1:test1 and test2:test2); the nginx configs for both domains are similar, and the directory permissions are the same too. The users have the same group membership (their own group and www-data) and umask (0002).
For the test1.example.com user everything works well, but for test2.example.com it does not, because of the described file permission problem!
Can anybody please describe which user settings (or directory permissions) can affect the permissions of acme-challenge files? And maybe there is some way to manually force particular permissions via a command-line argument?
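
A diagnostic for the symptom described above, as an added example that is not part of the original post: it checks, using classic mode bits only, whether a given uid and group set can traverse a webroot down to .well-known/acme-challenge and read each challenge file. The function names, the sample tree and the uid/gid values are constructed for illustration; ACLs are not evaluated.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, bit):
    """Classic Unix mode check: bit is 4 (read) or 1 (traverse). ACLs and root are ignored."""
    if st.st_uid == uid:                 # owner class applies exclusively
        return bool((st.st_mode >> 6) & bit)
    if st.st_gid in gids:                # then the group class
        return bool((st.st_mode >> 3) & bit)
    return bool(st.st_mode & bit)        # otherwise "other"

def audit_challenge_path(webroot, uid, gids):
    """Return (path, mode, problem) for each entry the given user cannot use."""
    findings = []
    chal = os.path.join(webroot, ".well-known", "acme-challenge")
    for d in (webroot, os.path.dirname(chal), chal):
        st = os.stat(d)
        if not allowed(st, uid, gids, 1):
            findings.append((d, stat.filemode(st.st_mode), "not traversable"))
    for name in sorted(os.listdir(chal)):
        path = os.path.join(chal, name)
        st = os.stat(path)
        if not allowed(st, uid, gids, 4):
            findings.append((path, stat.filemode(st.st_mode), "not readable"))
    return findings

def build_sample():
    """Constructed tree: one token with mode 0644 and one with mode 0660."""
    webroot = tempfile.mkdtemp()
    chal = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal)
    for d in (webroot, os.path.dirname(chal), chal):
        os.chmod(d, 0o755)
    for name, mode in (("token-ok", 0o644), ("token-bad", 0o660)):
        path = os.path.join(chal, name)
        with open(path, "w") as fh:
            fh.write("constructed")
        os.chmod(path, mode)
    return webroot

if __name__ == "__main__":
    # Assumed reader: a uid/gid that neither owns the files nor shares their group.
    root = build_sample()
    for finding in audit_challenge_path(root, os.getuid() + 1, {os.getgid() + 1}):
        print(*finding)
```

On a real host, pass the webroot path together with the uid and group ids of the nginx worker user instead of the constructed values.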