Why does Certbot Use Symbolic Links - Do Certain Parameters Override this Behaviour?

Hi All

Hoping someone can help me out

From what I understand, certbot uses symbolic links to point web servers to the latest version of the certificates?

If so, do the parameters below override this behavior? Or does certbot still want to create a symbolic link with those paths?

Is there any way of getting certbot to just dump certificates into a folder and not create any links?

The reason I ask is that I have managed to get certbot to run on Windows with a few small code changes, however I am getting stuck on the symlinks.

paths:
  Arguments changing execution paths & servers

  --cert-path CERT_PATH
                        Path to where cert is saved (with auth --csr),
                        installed from or revoked. (default: None)
  --key-path KEY_PATH   Path to private key for cert installation or
                        revocation (if account key is missing) (default: None)
  --fullchain-path FULLCHAIN_PATH
                        Accompanying path to a full certificate chain (cert
                        plus chain). (default: None)
  --chain-path CHAIN_PATH
                        Accompanying path to a certificate chain. (default:
                        None)
Andrei

Certbot puts all certificates into /etc/letsencrypt/archive/ by default, and then symlinks a copy into /etc/letsencrypt/live/. Under archive, the files are named fullchain1.pem, fullchain2.pem, etc., as they get renewed. Under live, the files are symlinks to files under archive. It uses symlinks partly to save space, but also so that there is one canonical copy of a file. I think it would probably be reasonable to make the live files a copy rather than a symlink, especially if that means we can make Certbot work on Windows. What do you think @bmw @erica?

I don’t know whether the flags you list override the symlinking behavior, but you can try it out!

thanks @jsha

I tried with the folders specified, with no luck.

Below is a screenshot.

I can see certbot created the right directories (so no issues with /etc, which I honestly thought would be an issue).


from the log file

2017-02-16 10:58:19,432:WARNING:certbot.client:Non-standard path(s), might not work with crontab installed by your operating system package manager
2017-02-16 10:58:19,432:DEBUG:certbot.storage:Archive directory C:\etc\letsencrypt\archive\certbot-windows.firecube.xyz-0001 and live directory C:\etc\letsencrypt\live\certbot-windows.firecube.xyz-0001 created.
2017-02-16 10:58:19,448:DEBUG:certbot.main:Exiting abnormally:

Traceback (most recent call last):
  File "C:\Python36\Scripts\certbot-script.py", line 11, in <module>
    load_entry_point('certbot==0.11.1', 'console_scripts', 'certbot')()
  File "c:\python36\lib\site-packages\certbot\main.py", line 882, in main
    return config.func(config, plugins)
  File "c:\python36\lib\site-packages\certbot\main.py", line 659, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "c:\python36\lib\site-packages\certbot\main.py", line 108, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "c:\python36\lib\site-packages\certbot\client.py", line 312, in obtain_and_enroll_certificate
    self.config)
  File "c:\python36\lib\site-packages\certbot\storage.py", line 966, in new_lineage
    target[kind])
OSError: symbolic link privilege not held

I can see in storage.py that os.symlink is used and thought that was the problem; however, having a look at it, I can see the method is OK for Windows.

So the question I am trying to figure out is: since we are fine to this point (CSRs are created and keys are created), is there a way of not using symlinks at the final stage for the certs?

Will continue to wade through the code.

so closseeeeeeee!

SUCCESS!!!

Ran PowerShell as Administrator and no issues at all :smiley:

Full write-up shortly. I did have to hack a few bits with os.geteuid, which I think can be improved, but overall a very happy chappy!!!

Andrei
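The traceback above is the Win32 error ERROR_PRIVILEGE_NOT_HELD surfacing through os.symlink: on Windows, creating a symlink requires SeCreateSymbolicLinkPrivilege, which an unelevated console does not hold even for an Administrator account (on Windows 10 with Developer Mode enabled, Python 3.8 and later can also create symlinks without elevation). The following pre-flight check is an added example, not code from Certbot or from Andrei's port. It probes symlink creation in a scratch directory before any lineage is written, and replaces the os.geteuid call (POSIX-only) with a check that also works on Windows. The function names, the 1314 constant and the scratch file names are my own choices.

```python
import ctypes
import os
import tempfile

# Win32 error code that Python reports as OSError.winerror for
# "symbolic link privilege not held".
ERROR_PRIVILEGE_NOT_HELD = 1314


def is_privileged():
    """root on POSIX, elevated Administrator on Windows.

    os.geteuid() does not exist on Windows, so fall back to the shell32
    IsUserAnAdmin() call there."""
    if hasattr(os, "geteuid"):
        return os.geteuid() == 0
    try:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())  # Windows only
    except (AttributeError, OSError):
        return False


def can_create_symlink(directory=None):
    """Try to create one symlink in a throwaway directory.

    Returns (ok, reason). Probing in the target filesystem (pass the config
    dir) also catches filesystems that simply do not support links."""
    with tempfile.TemporaryDirectory(dir=directory) as tmp:
        target = os.path.join(tmp, "fullchain1.pem")   # mimics archive/<name>/fullchain1.pem
        link = os.path.join(tmp, "fullchain.pem")      # mimics live/<name>/fullchain.pem
        with open(target, "w") as f:
            f.write("probe\n")
        try:
            os.symlink(target, link)
        except OSError as e:
            if getattr(e, "winerror", None) == ERROR_PRIVILEGE_NOT_HELD:
                return False, ("symbolic link privilege not held: run elevated, grant "
                               "SeCreateSymbolicLinkPrivilege, or enable Developer Mode")
            return False, f"symlink failed: {e}"
        except NotImplementedError:
            return False, "os.symlink is not implemented on this platform"
        resolves = os.path.islink(link) and os.path.realpath(link) == os.path.realpath(target)
        return resolves, "ok" if resolves else "link created but does not resolve to target"


def preflight(config_dir=None):
    """Report what a port would want to know before storage.new_lineage() runs."""
    if config_dir:
        os.makedirs(config_dir, exist_ok=True)
    ok, reason = can_create_symlink(config_dir)
    return {"privileged": is_privileged(), "symlinks": ok, "reason": reason}


if __name__ == "__main__":
    # Probe the directory the certs would actually live in, e.g. C:\etc\letsencrypt
    print(preflight(os.path.join(tempfile.gettempdir(), "letsencrypt-preflight")))
```

Running this from the same console that will run certbot tells you before any network round-trips whether the final symlink step will fail, and the `reason` string names the fix rather than leaving a bare OSError.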


Awesome! Super glad to hear you got it working. Looking forward to the writeup. Hopefully we can incorporate some of your fixes into the main Certbot code and make it easier for everyone.


Hi @ahaw021,

This is the behavior with --csr if you specify a CSR file, but otherwise not. We could consider adding options to support this behavior in other situations.

I'm not sure that the right solution for a Windows port would be to avoid using symlinks—it looks like you ultimately found out that the trouble was a permissions issue rather than the use of symlinks in the first place?

Several other Let's Encrypt clients don't have Certbot's concept of automated renewal and do simply save the certs in the current directory. I would say that automated renewal has been a pretty core priority for Certbot development and that we've been hoping to get more and more people to take advantage of that feature.

hi @schoen

Yes, it was a permission issue (running certbot as admin fixed the issue).

That's why I was confused, as the os.symlink method is supported on Windows and Linux.

It would be good from a control point of view to have a --no-symlinks option for certbot, as I have seen a few Linux users get in trouble with symlinks as well.

I understand why they are good and having run the renewal process see the benefits

Andrei

Hello again @jsha and @schoen . As I have mentioned to Seth before, I am also very much interested in this topic as well; the reason being that MAMP PRO – which is simply a Mac OS X GUI for a proprietary instance of Apache, and not the built-in OS X Apache server – is not recognizing the .pem symbolic links in the “live” folder as valid certificate and key files.

As you may recall, Seth, for now, the only way I have found to get around this issue is by creating a new folder called “mamp” in the “letsencrypt” folder, and placing actual copies of the original files from “archive” in it. Furthermore, I must rename the file extensions to .crt and .key respectively.

Unlike @ahaw021, I do not believe that this problem is the result of a permissions issue, because when I use Certbot in the Terminal, I do use the sudo command, and provide my password.

Whether or not it is an issue with MAMP PRO itself, I really do not know. I have asked MAMP PRO’s developers about this, but they have not directly responded to my query yet, other than to say that they are working on ways to improve MAMP PRO’s creation of an SSL-enabled host.

Anyway, I just wanted to pipe in here, because I would like to use Certbot’s auto renew feature as well; because at my age, my memory is getting flaky already. Of course, I would need some help writing a cron job, or whatever Apple’s new mechanism is now. I can’t think of the name of it off the top of my head.

See! I need all the help I can get! :slight_smile:

At any rate, I would also appreciate some improvements vis-à-vis the symbolic links issue.

Thanks a lot for listening.

@IslandBoy: Can you provide an exact series of steps to reproduce the problem with MAMP Pro? Then we might be able to reproduce.

In theory programs on Mac OS X should support symbolic links just as well as programs on Linux, but we haven’t spent a lot of time testing Certbot on Mac OS X, so it’s possible there are problems.

Hello again @jsha . I have already explained all of this to Seth previously, but if you want to hear it again . . . :slight_smile:

I doubt that I can even remember it all straight – I am in my 60s – but I’ll do my best.

First of all, because I am not directly using OS X’s built-in Apache web server, but rather MAMP PRO, which creates its own files, and its own instance of Apache, I cannot choose “Apache” in the list of options when I use Certbot. Instead, as your web page instructed me to do, I had to choose “Other”.

Thus, I have to use the webroot approach when using Certbot and installing my certificates and key, like this:

sudo certbot certonly --webroot --webroot-path /Applications/path-to-my-actual-virtual-host’s-folder-in-my-MAMP-folder

Please note I use the sudo command, so that I am forced to provide my admin password. This in itself in my mind is a strong indication that my problem is not resulting from a lack of file permissions.

Doing the above then results in what you expect, which is this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.billkochman.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.billkochman.com
Using the webroot path /Applications/path-to-my-actual-virtual-host’s-folder-in-my-MAMP-folder for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

Please note that I later had to redo the above, because I had only obtained a certificate for www.billkochman.com, and the HSTS Preload List site required that I also have billkochman.com in my certificate as well in order to qualify for the HSTS Preload List. So I had my certificates and key reissued with both versions of my domain name included.

At any rate, then I get the usual congratulatory message:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.billkochman.com/fullchain.pem. Your cert
    will expire on 2017-05-10. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run "certbot
    renew"

After that, I have to go to MAMP PRO’s main window, and select my primary host from the list of domains that I currently own.

Once I select that – meaning billkochman.com – I have to click on the SSL tab for that host.

Upon doing so, I need to provide the path for the fullchain, privkey and chain files. This I do by navigating via the Finder to private/etc/letsencrypt/live/www.billkochman.com.

And behold! That is where the problem occurs.

I can see the files in the file list, but I am unable to actually select any of them, because for some unknown reason, MAMP PRO is not recognizing them as valid certificate and key files, because they have the .pem extension.

Seth even showed me how to create new symlinks of the original files in the “archive” folder, but that did not help at all. The same problem still exists, and MAMP PRO refuses to recognize the files as valid files.

So, as I explained to Seth some time ago, the ONLY way I was able to get around this dilemma, was by making actual copies of the original files in the “archive” folder, and creating a new folder inside of “letsencrypt”, which I called “mamp”, and placing my copies there.

But even that was not enough for MAMP PRO to recognize them. Another issue was the file extension. I had to change the file extensions of my copies to .crt and .key respectively. Only then would MAMP PRO recognize the files as being valid certificate and key files.

Mind you, I could have created that “mamp” anywhere on my hard drive, and I don’t think that MAMP PRO would have had a problem with it.

Of course, the obvious problem here now, is that being as I am using actual copies of the originals that are in the “archive” folder, instead of symlinks, I can’t take advantage of the auto renewal feature, because the links are broken.

So, in a few months time, I will again have to make new copies of the updated certificate and key files in the “archive” folder, and place those in my “mamp” folder.

And on and on it goes until you folks and the MAMP PRO folks figure out why MAMP PRO won’t recognize the .pem file symlinks as being valid files.

Oddly enough, in the back of my mind, I seem to recall that when I was looking into all of this a few weeks ago, I am almost certain that I came across a page where the MAMP PRO folks showed MAMP PRO using .pem files. So I don’t know what to think.

I haven’t heard from them in a while, and I haven’t written to them in a while either, but they never did give me a straight answer regarding why MAMP PRO won’t recognize the symlink .pem files in “live/www.billkochman.com”.

As I said, I am not convinced that it is due to a lack of permissions, because I used sudo when using Certbot.

A final point worth mentioning is this:

Even if I go into the “live/www.billkochman.com” folder and rename the symlinks with the .crt and .key file extensions, instead of .pem, MAMP PRO still will not recognize them. While I can click on and select the files if I do the above, the “choose” button is grayed out. So it is still a no-go.

I hope the above info helps you in some way.

Kind regards,

Bill Kochman
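The workaround described in the post above (copying the archive files into a "mamp" folder and renaming them .crt/.key) loses the one thing the live symlinks provide: after `certbot renew` writes fullchain2.pem and repoints the links, the copies are still the old files. The script below is an added example, not Certbot's code and not anything MAMP PRO ships. It does two things against Certbot's archive/live layout as jsha describes it earlier in the thread: it verifies that each live/<kind>.pem is a symlink onto the newest archive version (a plain file there is a stale copy that renewal will never touch), and it exports copies under server-friendly names so that the copy step can be re-run automatically. Certbot's renew hook (`--renew-hook`; newer releases also accept `--deploy-hook`) runs a command after each successful renewal with RENEWED_LINEAGE set to the live/<name> directory, which is how the `__main__` block is meant to be invoked. The function names, the .crt/.key mapping and the constructed fixture are my own assumptions; the exported private key is a second copy of the key, so it is written 0600 into a 0700 directory.

```python
import os
import re
import shutil
import tempfile

KINDS = ("cert", "chain", "fullchain", "privkey")
# Output names MAMP PRO accepted in the post above (assumed mapping; adjust per server).
EXPORT_NAMES = {"fullchain": "fullchain.crt", "privkey": "privkey.key",
                "chain": "chain.crt", "cert": "cert.crt"}


def archive_dir(live_dir):
    """Map <config>/live/<name> to <config>/archive/<name>."""
    live_root, name = os.path.split(os.path.normpath(live_dir))
    return os.path.join(os.path.dirname(live_root), "archive", name)


def latest_version(archive):
    """Highest N for which fullchainN.pem exists in the archive (0 if none)."""
    versions = []
    for entry in os.listdir(archive):
        m = re.fullmatch(r"fullchain(\d+)\.pem", entry)
        if m:
            versions.append(int(m.group(1)))
    return max(versions, default=0)


def check_live_links(live_dir):
    """Every live/<kind>.pem must be a symlink resolving to archive/<kind>N.pem for the newest N.
    Returns (ok, problems); a regular file in live/ is a stale copy renewal will never update."""
    archive = archive_dir(live_dir)
    n = latest_version(archive)
    problems = []
    for kind in KINDS:
        link = os.path.join(live_dir, f"{kind}.pem")
        expected = os.path.join(archive, f"{kind}{n}.pem")
        if not os.path.islink(link):
            problems.append(f"{link}: not a symlink (stale copy?)")
        elif os.path.realpath(link) != os.path.realpath(expected):
            problems.append(f"{link} -> {os.readlink(link)}, expected {kind}{n}.pem")
    return not problems, problems


def export_copies(live_dir, dest, names=EXPORT_NAMES):
    """Copy whatever the live links currently resolve to into dest under new names.
    Run from the renew hook so the copies follow every renewal."""
    os.makedirs(dest, mode=0o700, exist_ok=True)
    written = {}
    for kind, out_name in names.items():
        src = os.path.realpath(os.path.join(live_dir, f"{kind}.pem"))
        dst = os.path.join(dest, out_name)
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o600 if kind == "privkey" else 0o644)  # key copy stays private
        written[kind] = dst
    return written


def make_fixture(root, name="example.test", versions=2):
    """Constructed stand-in for /etc/letsencrypt after `versions` issuances (not real certs)."""
    archive = os.path.join(root, "archive", name)
    live = os.path.join(root, "live", name)
    os.makedirs(archive)
    os.makedirs(live)
    for n in range(1, versions + 1):
        for kind in KINDS:
            with open(os.path.join(archive, f"{kind}{n}.pem"), "w") as f:
                f.write(f"-----BEGIN {kind.upper()} v{n}-----\n")
    for kind in KINDS:
        # Certbot's live links are relative: ../../archive/<name>/<kind>N.pem
        os.symlink(os.path.join("..", "..", "archive", name, f"{kind}{versions}.pem"),
                   os.path.join(live, f"{kind}.pem"))
    return live


def demo(versions=3):
    """Build a fixture, check and export it, then replace one link with a copy and re-check."""
    root = tempfile.mkdtemp()
    live = make_fixture(root, versions=versions)
    ok_before, _ = check_live_links(live)
    out = export_copies(live, os.path.join(root, "mamp"))
    with open(out["privkey"]) as f:
        key_copy = f.read()
    stale = os.path.join(live, "cert.pem")  # the manual-copy workaround, simulated
    os.remove(stale)
    shutil.copyfile(os.path.join(archive_dir(live), f"cert{versions}.pem"), stale)
    ok_after, problems = check_live_links(live)
    return {"version": latest_version(archive_dir(live)), "ok_before": ok_before,
            "exported": sorted(os.path.basename(p) for p in out.values()),
            "key_copy": key_copy, "key_is_link": os.path.islink(out["privkey"]),
            "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    import sys
    lineage = os.environ.get("RENEWED_LINEAGE")  # set by certbot's renew hook
    if lineage and len(sys.argv) > 1:
        ok, problems = check_live_links(lineage)
        if not ok:
            sys.exit("\n".join(problems))
        print(export_copies(lineage, sys.argv[1]))
    else:
        print(demo())
```

Used as a hook, something like `sudo certbot renew --renew-hook "python3 export.py /etc/letsencrypt/mamp"` keeps the renamed copies current, and the check catches the case where someone has quietly replaced a live link with a file. Note that the web server still has to be told to reload (or, for MAMP PRO, restarted) after the copies change, which this script does not do.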

It sounds like the problem is with the file extensions, not with symlinks. You could test this hypothesis by renaming the symlinks that Certbot creates, so they end in ".crt" and ".key", but are still symlinks. If that works, you should file a bug against MAMP PRO suggesting that they recognize files ending in .pem.

Also, if MAMP PRO documentation doesn't match your actual experience, is it possible you have an outdated version?

@jsha, I have stated several times now -- in this thread, and in previous related threads -- that changing the file extension of the actual symlinks does NOT help. MAMP PRO still does not recognize the symlinks.

In my previous response to you above, I specifically said near the end:

Even if I go into the "live/www.billkochman.com" folder and rename the symlinks with the .crt and .key file extensions, instead of .pem, MAMP PRO still will not recognize them. While I can click on and select the files if I do the above, the "choose" button is grayed out. So it is still a no-go.

I have also mentioned before that I have ALREADY written to Appsolute -- MAMP PRO developers -- about this on February 10th, and explained the problem very clearly to them. I have even asked them directly why MAMP PRO does not recognize the .pem file extensions. They have yet to give me a clear answer regarding this issue.

Also, I have mentioned before that I am using the very latest version of MAMP PRO, which currently stands at 4.1.1. I always endeavor to keep all of my software up-to-date due to bug fixes, potential vulnerabilities, etc.

I will write to Appsolute again and ask them . . . although to be honest, it might even be better if you write to them developer-to-developer, as it will put more impetus behind the drive to find a solution to this nagging problem.

You can write to them at support@appsolute.zendesk.com

Following is part of my message to Appsolute on February 10th:

----- Begin Quote -----

This is a little long, but I wanted to provide you with all of the details, so that you can more easily help me to figure out what I am doing wrong.

I am trying to use official key and certificate files with my MAMP PRO server, because Google, Mozilla -- and probably others -- don't recognize self-signed certificates. They issue warnings to the web browser user.

After conducting some online research, I discovered "Let's Encrypt" and "Certbot".

Using Homebrew, I figured out how to successfully install Certbot on my iMac.

As it turns out, I discovered that you have to choose the "Other" web server option for MAMP PRO, because if you choose the "Apache" option, when Certbot attempts to verify the installation, it looks for a running version of OS X's built-in Apache server, and not for MAMP PRO.

Anyway, once I chose "Other", and pointed Certbot to the HTML directory for my domain in MAMP/htdocs/My-Domain, it successfully installed all of the required folders and files in "/private/etc/letsencrypt".

This includes a subfolder called "live" in which is another folder which bears my domain name. It is inside this last folder where the actual key and certificate files are found. These files are the following:

privkey.pem
fullchain.pem
chain.pem
cert.pem

However, here is the problem: Not only are the files in that folder just aliases, but they are in the CA standard format of ".pem".

Following instructions I found online, I made a second copy of my domain in MAMP PRO, in which I enabled SSL.

But the problem is that MAMP PRO does not recognize .pem files.

So I made copies of the "privkey.pem" and "fullchain.pem" files, and changed the file extensions to ".key" and ".crt". Then I set the paths to them in MAMP PRO on the SSL tab for my domain.

MAMP PRO recognizes the files . . .

----- End Quote -----

Three days later on February 13th, they responded with this:

----- Begin Quote -----

This may be a problem with MAMP PRO. I know we are going to make some changes how we make http and https work.

At this time you need to make a http and https host with the same name. Our new change will be a check box to add a ssl site. This is a few weeks away.

I will ask our developers how to do this now, if it is possible. It will take a few days to get back to you.

----- End Quote -----

In my response to their above message, on February 13th I reiterated the problem with pem files by saying this:

----- Begin Quote -----

One thing I do agree must be fixed, is the fact that MAMP PRO does not currently recognise the .pem key and certificate symbolic links/aliases in the “lets encrypt” “live” folder.

This is why I had to go into the actual “archive” folder, and make copies of them, change the file extensions to .crt and .key, and place them in their own “mamp” folder under “lets encrypt”. That is the only way that MAMP PRO will recognise them.

----- End Quote -----

So, as you can see, I have more than clearly conveyed to them the problem MAMP PRO has with pem files.

Just now, I wrote to them again, in order to remind them that I am still waiting for a solution to this problem. Here is what I wrote to them:

----- Begin Quote -----

Hello,

I have not heard from you in ten days.

I have been in contact with several technicians from Let’s Encrypt. They are the people who issued me my certificate and key files, which I am now using with MAMP PRO 4.1.1.

They also do not understand why MAMP PRO does not recognize the .pem symbolic links in the “live” folder as valid files, and why MAMP PRO does not allow me to select them.

Like myself, they are wondering what progress you have made towards resolving this issue with the .pem files.

If you would like to join in the discussion directly in the Let’s Encrypt forum, please go here:

Please let me know if you have made any progress towards resolving the .pem file issue, and how soon MAMP PRO users can expect a solution to this problem.

Thank you very much.

Kind regards,

Bill Kochman

----- End Quote -----

Sounds like MAMP PRO is aware of the problem and working on it. Not much more we can do beyond that. Thanks for working with them to debug the issue!

Now the wait begins . . . Actually, I have been waiting for two weeks now. :slight_smile:
