/var/log/letsencrypt/letsencrypt.log always created as root

I’ve installed certbot through pip on an Ubuntu host. Then, I set up certbot to renew certificates through systemd timer and service units. I’m running the renew commands as a certbot user and group. Originally, this worked fine. But I noticed that when certbot rotates logs, the new /var/log/letsencrypt/letsencrypt.log is being created as root:root. Thus, the next time renew tries to run, it fails because it does not have access to the log file.

I’ve found that I can set the log directory through a command line arg. I can also set --max-log-backups. But I’d really prefer to just keep everything running as expected, with the new log files created as certbot:certbot instead of root:root. Is this possible? Or is my best option to use one of the above flags?

Thank you,
Ryan

It seems that you are a bit off the norm.
Maybe you could modify the directory setting to match your use.
ls -l /var/log/
should now show:
drwx------ 2 root root 4096 Sep 26 09:21 letsencrypt
So, the certbot user is unable to use it.

Hi, rg305. Thanks for the response! I’ve given the certbot user and group ownership of /var/log/letsencrypt and all of the log files inside of the directory. I can run the renew command and generate new certificates and it works. But when it comes time to rotate the log files, the new letsencrypt.log file is created as root:root again, which means that subsequent runs fail. Do you know why that would happen?

Set SUID or SGID using sudo privileges. It will help you in this scenario.
Change the ownership or group ownership using sudo.
For example:

cd /var/log
sudo chown -R root:certbotuser letsencrypt
sudo chmod g+s letsencrypt
sudo chmod -R g+w letsencrypt

Now the certbot user can have write privileges.

Check whether it's working.


Thanks, Gotham. I think the chmod commands were exactly what I was missing! I’ll give this a try and check if it rotates with the correct permissions in the next couple of days.

Thanks!
Ryan

FYI, certbot also needs group read access to /var/log/letsencrypt, which is not set up by default. So, the last command should be:

sudo chmod -R g+wr letsencrypt
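As an added example (not from any poster in this thread), a small Python check that verifies the state the chown/chmod commands above are meant to produce: the setgid bit on the directory so newly rotated files inherit its group, group rwx on the directory, and group rw plus a matching group on every file inside. The demo builds a constructed look-alike of /var/log/letsencrypt in a temp directory rather than touching the real path.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_log_dir(path):
    """Return a list of problems with a certbot log directory.

    Expected state, following the fix in the thread: directory has setgid
    (chmod g+s) so files created in it inherit the directory's group,
    directory is group rwx, and each file is group rw with the same group.
    """
    problems = []
    d = Path(path)
    st = d.stat()
    if not st.st_mode & stat.S_ISGID:
        problems.append(f"{d}: setgid bit not set (chmod g+s)")
    need_dir = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
    if st.st_mode & need_dir != need_dir:
        problems.append(f"{d}: group needs rwx (chmod g+rwx)")
    need_file = stat.S_IRGRP | stat.S_IWGRP
    for f in sorted(d.iterdir()):
        fst = f.stat()
        if fst.st_gid != st.st_gid:
            problems.append(f"{f}: group {fst.st_gid} differs from directory group {st.st_gid}")
        if fst.st_mode & need_file != need_file:
            problems.append(f"{f}: group needs rw (chmod g+rw)")
    return problems


def demo():
    """Constructed sample: a root-only style directory with one log file,
    audited before and after applying the chmod fix from the thread."""
    root = Path(tempfile.mkdtemp())
    log = root / "letsencrypt.log"
    log.write_text("constructed sample log line\n")
    os.chmod(root, 0o700)   # drwx------ as reported in the thread
    os.chmod(log, 0o600)
    before = audit_log_dir(root)
    os.chmod(root, 0o2770)  # chmod g+s and chmod g+rwx
    os.chmod(log, 0o660)    # chmod g+rw
    after = audit_log_dir(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before fix:", *before, sep="\n  ")
    print("after fix:", after)
```

The audit is ownership-agnostic beyond the gid match, so it works whether the directory is chowned root:certbot as Gotham suggests or certbot:certbot as Ryan did.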
