Trying to secure Nginx with Let's Encrypt but can't access .pem files in /etc/letsencrypt/live using a non-root user


#1

I’ve got a Flask app with an nginx reverse proxy server in front of it. I have deployed my application on a Digital Ocean droplet. I created a user with root privileges and I’m using this user to run my application over HTTPS. I’ve been having problems with permissions for the .pem files located in the following path: /etc/letsencrypt/live/my-domain-name.com. What I do now is to copy those files to my project folder using a sudo command in the terminal and then in the nginx Dockerfile I copy them again to /etc/nginx and give this path in the configuration file. However, this is not ideal because I want my SSL certificate to be automatically renewed. I tried changing permissions from my root user using commands such as chown -R user:user /etc/letsencrypt but nothing worked. I get this error:

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/my-domain-name.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/my-domain-name.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Any idea how I can fix this problem? I want to be able to access the .pem files using the /live/my-domain-name path and to be able to renew my cert when it expires without using the root user. Any help would be greatly appreciated. Thanks.

Project conf file:

    server {
        listen 80;
        server_name my-domain-name.com www.my-domain-name.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen       443 ssl;
        server_name  my-domain-name.com www.my-domain-name.com;
        ssl_certificate     /etc/nginx/fullchain.pem;
        ssl_certificate_key /etc/nginx/privkey.pem;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location / {
            proxy_pass http://app:8000;
            proxy_ssl_server_name on;

            # Do not change this
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /static {
            rewrite ^/static(.*) /$1 break;
            root /static;
        }
    }

Nginx Dockerfile:

    FROM nginx:1.13.3

    EXPOSE 80
    EXPOSE 443

    RUN rm /etc/nginx/nginx.conf
    COPY nginx.conf /etc/nginx/

    RUN rm /etc/nginx/conf.d/default.conf
    COPY project.conf /etc/nginx/conf.d/

    COPY fullchain.pem /etc/nginx/
    COPY privkey.pem /etc/nginx/
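
The nginx error quoted above is an fopen "No such file or directory" (ENOENT), which in certbot's layout can mean a symlink under live/ whose archive/ target is not present where nginx runs, rather than a permissions problem. The following diagnostic is an added example, not part of the original post: the function names and the example.test tree are constructed for illustration, and it separates a missing path, a dangling symlink, an untraversable parent directory and an unreadable file.

```bash
# Added diagnostic sketch: classify why a certificate path cannot be opened.
# cert_status echoes one of: ok | missing | dangling | blocked | unreadable

# Print the topmost ancestor directory the current user cannot traverse.
blocked_ancestor() {
    local d blocked=""
    d=$(dirname "$1")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        if [ -d "$d" ] && [ ! -x "$d" ]; then blocked="$d"; fi
        d=$(dirname "$d")
    done
    echo "$blocked"
}

cert_status() {
    local p="$1" blocked
    blocked=$(blocked_ancestor "$p")
    if [ -n "$blocked" ]; then
        echo "no search permission on $blocked" >&2
        echo blocked
    elif [ -L "$p" ] && [ ! -e "$p" ]; then
        echo "symlink target absent: $(readlink "$p")" >&2
        echo dangling
    elif [ ! -e "$p" ]; then
        echo missing
    elif [ ! -r "$p" ]; then
        echo unreadable
    else
        echo ok
    fi
}

# Constructed sample tree in certbot's layout: live/<name>/*.pem are relative
# symlinks into archive/<name>/ (example.test is a placeholder name).
make_demo_tree() {
    local root="$1" name="example.test"
    mkdir -p "$root/archive/$name" "$root/live/$name"
    echo "constructed placeholder, not a real certificate" > "$root/archive/$name/fullchain1.pem"
    ln -s "../../archive/$name/fullchain1.pem" "$root/live/$name/fullchain.pem"
}

demo() {
    local t="$(mktemp -d)"
    make_demo_tree "$t/full"
    mkdir -p "$t/partial"
    cp -RP "$t/full/live" "$t/partial/live"   # carry over live/ only, links kept
    echo "full tree: $(cert_status "$t/full/live/example.test/fullchain.pem")"
    echo "live only: $(cert_status "$t/partial/live/example.test/fullchain.pem")"
    rm -rf "$t"
}
demo
```

Run `cert_status` as the same user, and in the same filesystem view (host or container), that nginx uses to open the file.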
