
fatal: use_certificate_chain_file: Permission denied #78

Closed
kamasylvia opened this issue Mar 15, 2019 · 8 comments
Comments

@kamasylvia commented Mar 15, 2019

Trojan works perfectly on Fedora 28 but has this problem on Ubuntu 18.04 and Manjaro.

What permission does trojan need? I have already tried `chmod 744 <cert and key>`.

```
trojan.service - trojan
   Loaded: loaded (/usr/lib/systemd/system/trojan.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2019-03-16 00:35:35 CST; 7s ago
     Docs: man:trojan(1)
           https://trojan-gfw.github.io/trojan/config
           https://trojan-gfw.github.io/trojan/
  Process: 16825 ExecStart=/usr/bin/trojan /etc/trojan/config.json (code=exited, status=1/FAILURE)
 Main PID: 16825 (code=exited, status=1/FAILURE)

Mar 16 00:35:35 manjaro systemd[1]: Started trojan.
Mar 16 00:35:35 manjaro trojan[16825]: Welcome to trojan 1.10.0
Mar 16 00:35:35 manjaro trojan[16825]: [2019-03-16 00:35:35] [FATAL] fatal: use_certificate_chain_file: Permission denied
Mar 16 00:35:35 manjaro trojan[16825]: [2019-03-16 00:35:35] [FATAL] exiting. . .
Mar 16 00:35:35 manjaro systemd[1]: trojan.service: Main process exited, code=exited, status=1/FAILURE
Mar 16 00:35:35 manjaro systemd[1]: trojan.service: Failed with result 'exit-code'.
```
@GreaterFire (Member)

@ZhangYue-vhyt Not only the files themselves: the directories leading to the files should be set to 755 as well.

@kamasylvia (Author)

Thanks, 755 directory works.

@kamasylvia (Author) commented Mar 16, 2019

Giving the SSL directory 755 is not safe; I would like to run trojan as a particular user.

I know how to achieve this in nginx:

```sh
groupadd -r web
useradd nginx -g web -M
```

then edit /etc/nginx/nginx.conf: `user nginx web`

/etc/trojan/config.json does not have this. Can you provide a user option in config.json or change the default user nobody to a permitted safe user? For now I delete `User=nobody` in trojan.service to let the root user run trojan.

@GreaterFire (Member)

It's standard to change the User option in the systemd service file.

@llong175

I'm guessing I just solved this problem, maybe it can help.

```
root@debian:~# systemctl status trojan
● trojan.service - trojan
   Loaded: loaded (/lib/systemd/system/trojan.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-12-24 15:06:14 HKT; 3s ago
     Docs: man:trojan(1)
           https://trojan-gfw.github.io/trojan/config
           https://trojan-gfw.github.io/trojan/
 Main PID: 1169 (trojan)
    Tasks: 1 (limit: 4632)
   Memory: 964.0K
   CGroup: /system.slice/trojan.service
           └─1169 /usr/bin/trojan -c /etc/trojan/config.json

Dec 24 15:06:14 debian systemd[1]: Started trojan.
Dec 24 15:06:14 debian trojan[1169]: Welcome to trojan 1.10.0
Dec 24 15:06:14 debian trojan[1169]: [2019-12-24 15:06:14] [FATAL] trojan service (server) started at 0.0.0.0:443
```

You should try to give this directory and the files under /etc/letsencrypt/ all permissions:
`chmod -R 777 /etc/letsencrypt/`

@LeeYouRan

```
systemctl status trojan
● trojan.service - trojan
   Loaded: loaded (/usr/lib/systemd/system/trojan.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sun 2020-05-03 18:03:54 CST; 11s ago
  Process: 4056 ExecStop=/etc/trojan/trojan (code=exited, status=203/EXEC)
  Process: 4054 ExecStart=/etc/trojan/trojan -c /etc/trojan/server.conf (code=exited, status=203/EXEC)
 Main PID: 4054 (code=exited, status=203/EXEC)

May 03 18:03:54 45.62.124.117.16clouds.com systemd[1]: Started trojan.
May 03 18:03:54 45.62.124.117.16clouds.com systemd[1]: trojan.service: main process exited, code=exit...XEC
May 03 18:03:54 45.62.124.117.16clouds.com systemd[1]: trojan.service: control process exited, code=e...203
May 03 18:03:54 45.62.124.117.16clouds.com systemd[1]: Unit trojan.service entered failed state.
May 03 18:03:54 45.62.124.117.16clouds.com systemd[1]: trojan.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
```

@dun11 commented Mar 9, 2021

`chmod -R 777 /etc/letsencrypt/`
It works, thanks for the answer.

@martyn0ff

Here's what helped me to solve this problem (I'm on Debian 11, using Let's Encrypt).

1. Stop trojan from running: `systemctl stop trojan`
2. Add a new system user debian-trojan: `useradd -r debian-trojan`
3. Edit the user and group that systemd launches trojan with: `vim /lib/system/system/trojan.service`, replace `User` with debian-trojan
4. Add `Group=debian-trojan` in the `[Service]` section. Now systemd will launch trojan as a separate, isolated user.
5. `systemctl daemon-reload` to push the updates to systemd
6. Now we need to change the permissions for config.json and the certificates so that debian-trojan can read them:
   - `chown root:debian-trojan /etc/trojan/config.json`
   - then do the same for the Let's Encrypt certificates: `chown root:debian-trojan /etc/lets-encrypt/archive/YOUR-SERVER/*.pem`, `chown root:debian-trojan /etc/lets-encrypt/archive/`
   - also change the permissions for the symlinks: `chown -h root:debian-trojan /etc/lets-encrypt/live/YOUR-SERVER/*.pem`
   - trojan wants to read privkey1.pem, so: `chmod 640 /etc/lets-encrypt/archive/YOUR-SERVER/privkey1.pem`
7. Make sure that every folder on the path to the certificates has both read and execute permission for the debian-trojan group:
   - `chmod 640 /etc/lets-encrypt/archive`
   - `chmod 640 /etc/lets-encrypt/archive/YOUR-SERVER`
   - `chmod 640 /etc/lets-encrypt/live/`
   - `chmod 640 /etc/lets-encrypt/live/YOUR-SERVER`
8. Start trojan: `systemctl start trojan`, it should start fine. I'm not a security expert, but such a configuration gives me peace of mind.
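The procedure above, and the maintainer's earlier pointer to change `User=` in the unit, come down to one question: can the service account reach the key through every directory on the path, without the key being readable by everyone else? The following is an added example, not code from the trojan project or from anyone in this thread. It is a small POSIX shell audit that answers that question from permission bits alone, so it runs as an unprivileged user. The user and group names, the `example.org` layout and the placeholder key contents are constructed for the demo. Two things it makes visible that the steps above do not: path lookup needs the execute bit on a directory, so a directory set to 640 blocks the service even when the key inside is group-readable, and a blanket `chmod -R 777` makes the private key readable by every local user.

```shell
#!/bin/sh
# Added example (not code from the trojan project or from this thread):
# audit whether a service account can reach a key file, and whether the key
# is exposed to every local user. Works from permission bits only, so no root
# is needed. Assumes a POSIX userland where `ls -ld` prints:
#   mode links owner group ...

# effective_bits PATH USER GROUP
# Print the rwx triple that applies to USER: owner bits if USER owns PATH,
# group bits if PATH's group is GROUP, otherwise the "other" bits. Prints
# "---" when PATH cannot even be stat'ed (a parent directory already blocks).
effective_bits() {
  target=$1; user=$2; group=$3
  line=$(ls -ld "$target" 2>/dev/null) || { echo '---'; return 0; }
  set -- $line                          # $1=mode  $3=owner  $4=group
  if [ "$3" = "$user" ]; then
    printf '%s\n' "$1" | cut -c2-4
  elif [ "$4" = "$group" ]; then
    printf '%s\n' "$1" | cut -c5-7
  else
    printf '%s\n' "$1" | cut -c8-10
  fi
}

# world_readable PATH -> true when the "other" read bit is set
world_readable() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# audit_key_path KEYFILE USER GROUP
# Returns 0 when USER can traverse every directory down to KEYFILE, can read
# it, and other users cannot; otherwise prints each finding and returns 1.
# Usage on a real host, after the chown/chmod steps (paths are assumptions):
#   audit_key_path /etc/letsencrypt/live/YOUR-SERVER/privkey.pem debian-trojan debian-trojan
audit_key_path() {
  key=$1; user=$2; group=$3; rc=0
  d=$(dirname "$key")
  while :; do
    bits=$(effective_bits "$d" "$user" "$group")
    # Directory lookup needs x; r alone (a 640 directory) is not enough.
    # s/t are the setgid/sticky spellings of a set x bit and count as x.
    case $bits in
      ??[xst]) ;;
      *) echo "NO TRAVERSE: $d is $bits for $user"; rc=1 ;;
    esac
    if [ "$d" = "/" ]; then break; fi
    d=$(dirname "$d")
  done
  case $(effective_bits "$key" "$user" "$group") in
    r??) ;;
    *) echo "NO READ: $key is not readable by $user"; rc=1 ;;
  esac
  if world_readable "$key"; then
    echo "WORLD READABLE: $key can be read by every local user"; rc=1
  fi
  return $rc
}

# demo_audit: build constructed copies of three layouts under a temp directory
# and audit them as the current user. Returns 0 when the hardened layout passes
# and both loose layouts (640 directory, 777 key) are rejected.
demo_audit() {
  me=$(id -un); mygrp=$(id -gn)
  base=$(mktemp -d) || return 2
  for layout in hardened dir640 key777; do
    mkdir -p "$base/$layout/archive/example.org"
    echo 'constructed placeholder, not a real key' \
      > "$base/$layout/archive/example.org/privkey1.pem"
    chmod 750 "$base/$layout" "$base/$layout/archive" "$base/$layout/archive/example.org"
    chmod 640 "$base/$layout/archive/example.org/privkey1.pem"
  done
  chmod 640 "$base/dir640/archive"                           # no x bit: blocks lookup
  chmod 777 "$base/key777/archive/example.org/privkey1.pem"  # key leaks to everyone
  hardened=0; dir640=0; key777=0
  audit_key_path "$base/hardened/archive/example.org/privkey1.pem" "$me" "$mygrp" || hardened=$?
  audit_key_path "$base/dir640/archive/example.org/privkey1.pem" "$me" "$mygrp" || dir640=$?
  audit_key_path "$base/key777/archive/example.org/privkey1.pem" "$me" "$mygrp" || key777=$?
  chmod u+rwx "$base/dir640/archive"; rm -rf "$base"
  [ "$hardened" -eq 0 ] && [ "$dir640" -ne 0 ] && [ "$key777" -ne 0 ]
}
```

`demo_audit` exercises the three layouts under a temporary directory, so it can be run by anyone; on a real host, call `audit_key_path` with the key path and the account the unit runs as. For the service-side half of the change, a drop-in created with `systemctl edit trojan` that sets `User=` and `Group=` survives package upgrades of the unit file, whereas editing the shipped unit in place does not.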
