Certbot doesn't remove old certificates when running as non-root #2902

@bibelwort

Hi!
I have encountered a problem when manually revoking old certs after starting an NPM container as non-root.
When trying to manually delete old certificates via the /nginx/certificates page, the following error occurs in the logs:

> [5/9/2023] [12:24:29 PM] [SSL      ] › ℹ  info      Revoking Let'sEncrypt certificates for Cert #5: test.example.com
> [5/9/2023] [12:24:29 PM] [SSL      ] › ℹ  info      Command: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-5/fullchain.pem" --delete-after-revoke ; rm -f '/etc/letsencrypt/credentials/credentials-5' || true
> [5/9/2023] [12:24:30 PM] [SSL      ] › ✖  error     Command failed: certbot revoke --config "/etc/letsencrypt.ini" --cert-path "/etc/letsencrypt/live/npm-5/fullchain.pem" --delete-after-revoke
> The following error was encountered:
> [Errno 13] Permission denied: '/var/log/letsencrypt'
> Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

The web-app does not show any errors and certs seem to be removed, however actual files stay in mounted /etc/letsencrypt data-dir.

As I understand it, certbot commands other than certbot certonly are run without the --work-dir "/tmp/letsencrypt-lib" and --logs-dir "/tmp/letsencrypt-log" options, so certbot uses the default locations /var/lib/letsencrypt and /var/log/letsencrypt instead.

Here, when certbot is issuing a new cert it uses non-root writable paths:

> [5/9/2023] [12:23:58 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-6" --agree-tos --authenticator webroot --email "admin@example.com" --preferred-challenges "dns,http" --domains "test.example.com" 
> [5/9/2023] [12:24:01 PM] [SSL      ] › ✔  success   Requesting a certificate for test.example.com
>
> Successfully received certificate.

The easy fix is to create symlinks /var/lib/letsencrypt and /var/log/letsencrypt pointing to /tmp/letsencrypt-lib and /tmp/letsencrypt-log respectively, either within the already running container or within a custom docker image (which is what I did).

Is this a complete solution, or may other related problems occur when running NPM as non-root?

Nginx Proxy Manager 2.10.2
Docker image:
jc21/nginx-proxy-manager:2
1e1fc14c70f7299a11391945025e36ec393b9edbed38e3df8c28dedf749ba240

Steps to reproduce the behavior:

  1. Start NPM container as non-root
  2. Remove some certs on /nginx/certificates page of the npm webapp
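The failure described in this issue comes from the revoke command being built without the same writable-directory flags that certonly gets. The script below is an added example, not code from the Nginx Proxy Manager project or from the issue author: it builds every certbot sub-command with a shared `--work-dir`/`--logs-dir` pair and runs a pre-flight writability check before certbot is invoked, so a non-root container fails early with a clear message instead of reporting the certificate as removed while the files stay on disk. The variable names (`CERTBOT_CONFIG`, `CERTBOT_WORK_DIR`, `CERTBOT_LOGS_DIR`) and the helper functions are hypothetical; the default paths are the ones visible in the issue's certonly log line. `revoke_cert` prints the command it would run (a dry run) rather than executing certbot.

```sh
#!/bin/sh
# Added example (not part of NPM or the issue author's post).
# Make certonly, revoke and renew all use one non-root-writable work/log dir
# pair, and verify those dirs are writable before calling certbot.

# Hypothetical settings; defaults mirror the paths in the issue's certonly log.
CERTBOT_CONFIG="${CERTBOT_CONFIG:-/etc/letsencrypt.ini}"
CERTBOT_WORK_DIR="${CERTBOT_WORK_DIR:-/tmp/letsencrypt-lib}"
CERTBOT_LOGS_DIR="${CERTBOT_LOGS_DIR:-/tmp/letsencrypt-log}"

# check_writable_dir DIR
# Returns 0 if DIR exists (created if needed) and the current user can write it.
check_writable_dir() {
    dir="$1"
    mkdir -p "$dir" 2>/dev/null || return 1
    [ -w "$dir" ] || return 1
    return 0
}

# certbot_cmd SUBCOMMAND [extra args...]
# Prints a certbot command line that always carries the shared dir flags,
# regardless of sub-command, so revoke cannot fall back to /var/lib and /var/log.
certbot_cmd() {
    sub="$1"; shift
    printf 'certbot %s --config "%s" --work-dir "%s" --logs-dir "%s"' \
        "$sub" "$CERTBOT_CONFIG" "$CERTBOT_WORK_DIR" "$CERTBOT_LOGS_DIR"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# preflight
# Fails with a message naming the offending path and the current uid, instead
# of letting certbot hit "[Errno 13] Permission denied" halfway through a revoke.
preflight() {
    for d in "$CERTBOT_WORK_DIR" "$CERTBOT_LOGS_DIR"; do
        if ! check_writable_dir "$d"; then
            echo "certbot dir not writable by uid $(id -u): $d" >&2
            return 1
        fi
    done
    return 0
}

# revoke_cert CERT_ID
# Dry run of the revoke from the issue, now with the same dir flags as certonly.
# Prints the command; a real implementation would invoke certbot with these
# arguments directly rather than eval'ing the printed string.
revoke_cert() {
    preflight || return 1
    certbot_cmd revoke \
        --cert-path "/etc/letsencrypt/live/npm-$1/fullchain.pem" \
        --delete-after-revoke
}
```

The symlink workaround from the issue text is still valid, but it leaves the underlying inconsistency in place: any future sub-command built without the flags will break again. Passing the directories on every invocation removes that class of failure, and the pre-flight check turns a silent "certificate shown as deleted, files still present" state into a visible error in the log.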
