certbot certonly -n -d <my-domain> --webroot --webroot-path=/var/www/html
output: challenge files in /var/www/html, which are only readable by root (challenge files are set to root:root 640).
# pwd
/var/www/html/.well-known/acme-challenge
# ls -l
total 4
-rw-r----- 1 root root 87 Mar 29 15:10 NPm<...>g4
# ls -l ..
total 8
drwxr-xr-x 2 www-data www-data 4096 Mar 29 15:10 acme-challenge
Certbot's behavior differed from what I expected because:
Only web servers running as root are able to read and thus serve ACME challenge files. Web servers should not run as root.
Certbot should either use the permissions of the acme-challenge directory (I set mine to www-data:www-data:755), or support a flag like --acme-challenge-files-umask 644 and --acme-challenge-files-uid www-data. At least provide a hook for when challenge files have been created.
There have been various issues regarding this, all of which have been closed for no good reason. (e.g. stale, inactivity, etc.)
This needs to be addressed. Looking at threads and closed issues, this has been an issue for years.
This is a rather simple issue, with an (I guess) simple fix, which is keeping me from being able to use certbot at all at the time.
Leonetienne changed the title from "Challange files are created with insufficient permissions" to "Challenge files are created with insufficient permissions" on Mar 29, 2024
Platform: Ubuntu/Linux 5.4.0-174-generic x86_64
Certbot was installed via: apt-get
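A check for the problem described in this issue, added here as an example (not certbot's own code): it applies the POSIX owner/group/other read rule to the files in the webroot's acme-challenge directory and lists the tokens an unprivileged web-server account could not serve. The www-data account, the uid/gid probing in demo(), and the constructed temp-dir sample are assumptions.

```python
import os
import stat
import tempfile

CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")


def can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check for one account: uid 0 reads anything; owner uses the user
    bits, a group member the group bits, anyone else the other bits (root:root 0640 fails)."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def unreadable_challenges(webroot, uid, gids):
    """Names of files under <webroot>/.well-known/acme-challenge that the given
    account cannot read, i.e. tokens the web server would fail to serve."""
    cdir = os.path.join(webroot, CHALLENGE_SUBDIR)
    bad = []
    for entry in sorted(os.scandir(cdir), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)
        if not can_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            bad.append(entry.name)
    return bad


def demo():
    """Constructed sample (assumption, not real certbot output): a temp webroot with
    one token written 0600 and one 0644, checked as an account owning neither file."""
    with tempfile.TemporaryDirectory() as root:
        cdir = os.path.join(root, CHALLENGE_SUBDIR)
        os.makedirs(cdir)
        for name, mode in (("rootonly", 0o600), ("worldreadable", 0o644)):
            path = os.path.join(cdir, name)
            with open(path, "w") as fh:
                fh.write("token.keyauthorization\n")  # placeholder token body
            os.chmod(path, mode)
        st = os.stat(cdir)
        probe = max(st.st_uid, st.st_gid) + 1  # neither the owner nor in the group
        return unreadable_challenges(root, probe, {probe})


if __name__ == "__main__":  # usage: python3 check_challenges.py [webroot] [user]
    import pwd, sys
    pw = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "www-data")
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    print(unreadable_challenges(sys.argv[1] if len(sys.argv) > 1 else "/var/www/html", pw.pw_uid, gids))
```

Run it against the real webroot right after certbot writes the tokens (or from a hook) to see which files the web server process would answer 403/404 for.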