I’ve installed certbot through pip on an Ubuntu host. Then, I set up certbot to renew certificates through Systemd timer and server units. I’m running the renew commands as a certbot user and group. Originally, this worked fine. But I noticed that when certbot rotates logs, the new /var/log/letsencrypt/letsencrypt.log is being created as root:root. Thus, the next time renew tries to run, it fails because it does not have access to the log file.
I’ve found that I can set the log directory through a command line arg. I can also set --max-log-backups. But, I’d really prefer to just keep everything running as expected, just the new log files get created as certbot:certbot instead of root:root. Is this possible? Or is my best option to use one of the above flags?
It seems that you are a bit off the norm.
Maybe you could modify the directory setting to match your use.
ls -l /var/log/
should now show:
drwx------ 2 root root 4096 Sep 26 09:21 letsencrypt
So, certbot user is unable to use it.
Hi, rg305. Thanks for the response! I’ve given the certbot user and group ownership of /var/log/letsencrypt and all of the log files inside of the directory. I can run the renew command and generate new certificates and it works. But when it comes time to rotate the log files, the new letsencrypt.log file is created as root:root again, which means that subsequent runs fail. Do you know why that would happen?
Thanks, Gotham. I think the chmod commands were exactly what I was missing! I’ll give this a try and check if it rotates with the correct permissions in the next couple of days.