client creates .well-known folder with insufficient permissions #1761

Open
Kissaki opened this Issue Dec 5, 2015 · 8 comments

Kissaki commented Dec 5, 2015

I used the letsencrypt-auto client with --webroot --webroot-path.

When the webroot path does not contain a .well-known folder yet, the client creates it as root (current user) with permissions 700. With a webserver running as www-data this will not allow the webserver to serve the challenge files, as it does not have the folder traversal (x) permission.

The subfolder acme-challenge is created with www-data:www-data 777, which is fine.

./letsencrypt-auto certonly --webroot --webroot-path /path/to -d example.com
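The following script is an added example, not certbot's code and not part of this issue. It models the classic Unix permission check (owner bits, then group bits, then other bits; uid 0 bypasses directory traversal) and walks from the webroot down to `.well-known/acme-challenge`, listing every directory the web-server identity cannot enter, which is exactly the failure reported above when `.well-known` is created as root with mode 0700. It then shows the repair the reporter implies: create both directories yourself and set their mode explicitly. The uid/gid 33 (www-data on Debian-based systems) and the throwaway temporary webroot are assumptions for the demo; ACLs such as `setfacl` are not modelled, and directories above the webroot are assumed traversable.

```python
"""Diagnose and repair a .well-known directory the web server cannot traverse.

Added example (not certbot's own code). Checks only classic mode bits, not ACLs,
and only the path from the webroot downward.
"""
import os
import shutil
import stat
import tempfile

# Assumed ids of the web-server user for the demo: 33 is www-data on Debian-based
# systems. Substitute the output of `id www-data` (or your server's user) on a real host.
WEB_UID = 33
WEB_GID = 33

_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def bits_allow(mode, file_uid, file_gid, uid, gid, groups=(), want="x"):
    """Classic DAC check for one access kind ('r' = read, 'x' = traverse/execute)."""
    if uid == 0:  # root bypasses mode bits for reading and directory traversal
        return True
    owner_bit, group_bit, other_bit = _BITS[want]
    if file_uid == uid:
        return bool(mode & owner_bit)
    if file_gid == gid or file_gid in groups:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def challenge_dir(webroot):
    return os.path.join(os.path.abspath(webroot), ".well-known", "acme-challenge")


def blocking_dirs(webroot, uid, gid, groups=()):
    """Directories from the webroot down to acme-challenge that uid/gid cannot
    traverse. Components that do not exist yet are skipped (certbot creates them)."""
    webroot = os.path.abspath(webroot)
    candidates = [webroot, os.path.join(webroot, ".well-known"), challenge_dir(webroot)]
    blocked = []
    for directory in candidates:
        if not os.path.isdir(directory):
            break
        st = os.stat(directory)
        if not bits_allow(st.st_mode, st.st_uid, st.st_gid, uid, gid, groups, "x"):
            blocked.append(directory)
    return blocked


def ensure_challenge_dir(webroot, mode=0o755):
    """Create .well-known/acme-challenge if needed and set `mode` on both levels
    explicitly, so the result depends neither on umask nor on who runs the client."""
    target = challenge_dir(webroot)
    os.makedirs(target, exist_ok=True)
    os.chmod(os.path.dirname(target), mode)
    os.chmod(target, mode)
    return target


def demo(bad_mode=0o700, uid=WEB_UID, gid=WEB_GID):
    """Reproduce the report in a throwaway webroot: create .well-known with the
    bad mode, diagnose, repair, diagnose again. Returns (blocked_before, blocked_after)."""
    if os.getuid() == uid:
        uid += 1  # keep the simulated web user distinct from whoever runs the demo
    tmp = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.chmod(tmp, 0o755)
        well_known = os.path.join(tmp, ".well-known")
        os.mkdir(well_known)
        os.chmod(well_known, bad_mode)  # what the report observed: owner-only 0700
        before = blocking_dirs(tmp, uid, gid)
        ensure_challenge_dir(tmp)
        after = blocking_dirs(tmp, uid, gid)
        return before, after
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    blocked_before, blocked_after = demo()
    print("blocked before repair:", blocked_before)  # one entry, ending in .well-known
    print("blocked after repair: ", blocked_after)   # empty list
```

Run it against a real webroot with `blocking_dirs("/var/www/html", uid, gid)` using the ids of your web-server user; an empty list means every directory on the way to the challenge files is traversable by that identity, a non-empty list names the directory to `chmod` (or, as later comments suggest, to create with the right owner or group beforehand).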

dixonwille commented Aug 22, 2016

I get the same. I thought I was not configuring something correctly... had to set a watch -t 1 ls -la to see the permissions were set to root...

Shnoulle commented Jan 11, 2017

Maybe best is to have an option for each --webroot-path: --webroot-user.

I use apache-mpm-itk, so each of my web servers has its own user. To fix the issue I use ACLs: then all files inside .well-known are readable by my web user (setfacl -m d:u:user:rX www/.well-known).

tmilev commented Mar 25, 2017

This is a very serious bug.
Please fix it!
It is preventing me from using certbot - I will buy certificates instead.

Certbot MUST not create challenge files that require root to access. I am running a custom webserver which runs without root privileges (I listen on port 80 without root access with a port redirect trick).

Once again, I want to stress the fact that certbot is losing users (namely, myself) because of this bug.

Kissaki commented Mar 26, 2017

@tmilev just create the folder with adequate permissions yourself and you’re set. This is an inconvenience, not a blocker.

Also note that it does not create challenge files as root. And that’s the point of this ticket. It creates the folder with only root readable. The challenge step then fails with inadequate permissions.

tmilev commented Mar 27, 2017

@Kissaki: I don't think you are right. Here is what I get:

./certbot-auto certonly --config-dir /home/ddtester/ace/calculator/certbot/certificates --logs-dir /home/ddtester/ace/calculator/certbot/logsdir --work-dir /home/ddtester/ace/calculator/certbot/workdir --webroot -w /home/ddtester/ace/public_html/ -d calculator-algebra.org -d www.calculator-algebra.org

the result I get is:

Requesting root privileges to run certbot... /home/ddtester/.local/share/letsencrypt/bin/letsencrypt certonly --config-dir /home/ddtester/ace/calculator/certbot/certificates --logs-dir /home/ddtester/ace/calculator/certbot/logsdir --work-dir /home/ddtester/ace/calculator/certbot/workdir --webroot -w /home/ddtester/ace/public_html/ -d calculator-algebra.org -d www.calculator-algebra.org /var/tmp/sclzwtpq9: Zeile 8: CERTBOT_AUTO=./certbot-auto: Datei oder Verzeichnis nicht gefunden

I have no clue why the program is looking for stuff in /var/tmp, but it does.

When I run the same command with "sudo" in front, I get:

...

The following errors were reported by the server:
Domain: www.calculator-algebra.org
Type: unauthorized
Detail: Invalid response from
http://www.calculator-algebra.org/.well-known/acme-challenge/Iz3v2SYjCcfx1K1SBZhU8f1LuWd_vyiZnlH_brFvv-k:
"Error: file appears to exist but I could not open it.
File display name: /.well-known/acme-challe"

stratacast commented Apr 22, 2017

Can someone confirm what the permissions/ownership for the .well-known folder and its contents are supposed to be? I'm having trouble finding that information.

mikeshultz commented May 10, 2017

Using the setgid sticky bit worked for me. Should be good enough to automate, anyway. Though I agree, there should be an argument for a user/group.

Example:

sudo -u lighttpd mkdir -p /tmp/certbot/public_html/.well-known/
chmod g+s /tmp/certbot/public_html/.well-known
certbot certonly --dry-run --webroot -w /tmp/certbot/public_html -d example.com -d www.example.com
ppython commented May 11, 2017

@Kissaki , @dixonwille :
We figured it out, if you're able to, chown the following directories to your "www-data" or equivalent user. Or start a fresh install as "www-data" or equivalent.

  • log directory: /var/log/letsencrypt/
  • working directory: /var/lib/letsencrypt/
  • config directory: /etc/letsencrypt/

@Shnoulle: I also like the idea of a new "--webroot-user".

@stratacast: the .well-known folder should be accessible by the ACME client, that's all that matters (in our case as "root:root" it didn't work, so we switched to the equivalent of "www-data").

@sydneyli sydneyli added this to the 1.0.0 milestone Sep 26, 2018
