Yunohost V2.5 XMPP Problem with LetsEncrypt domain cert

Hi everyone, I use the beta v2.5.2 version. Actually, it seems that when using a Let's Encrypt certificate, the group for *.pem changed from root:metronome to root:root.
And vice versa: when changing from a Let's Encrypt certificate to a self-signed certificate, it changed from root:root to root:metronome.
Conclusion: if you want to use XMPP on your instance with a Let's Encrypt certificate,
you need to manually change the group owner in order for Metronome to work with the Let's Encrypt cert.

I can’t reproduce this. Are you sure that the certificate with root:root permissions wasn’t the one you got after uninstalling the letsencrypt_ynh app? Can you confirm that if you install a LE cert with yunohost domain cert-install, you get root:root permissions?

N.B. : the files in /etc/yunohost/certs/domain.tld might be symlinks. Make sure to follow the links to check which permission really applies.

Hi Captain,
Here is the record of my terminal:

root@totofr:/etc/yunohost/certs# ls -la
total 52
drwxr-xr-x 12 root root 4096 déc.  26 14:21 .
drwxr-xr-x  5 root root 4096 déc.  20 15:14 ..
lrwxrwxrwx  1 root root   66 déc.  20 15:14 toto.fr -> /etc/yunohost/certs//toto.fr-history/20161220.151444-letsencrypt
drwxr-xr-x  3 root root 4096 déc.  20 15:14 toto.fr-backups
drwxr-xr-x  3 root root 4096 déc.  20 15:14 toto.fr-history
lrwxrwxrwx  1 root root   71 déc.  20 15:18 shop.toto.fr -> /etc/yunohost/certs//shop.toto.fr-history/20161220.151822-letsencrypt
drwxr-xr-x  3 root root 4096 déc.  20 15:18 shop.toto.fr-backups
drwxr-xr-x  3 root root 4096 déc.  20 15:18 shop.toto.fr-history
lrwxrwxrwx  1 root root   70 déc.  26 14:21 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161226.142112-selfsigned
drwxr-xr-x  6 root root 4096 déc.  26 14:21 test.toto.fr-history
lrwxrwxrwx  1 root root   69 déc.  20 21:01 www.toto.fr -> /etc/yunohost/certs//www.toto.fr-history/20161220.210105-selfsigned
drwxr-xr-x  3 root root 4096 déc.  20 21:01 www.toto.fr-history
drwxr-xr-x  2 root root 4096 oct.   6 21:55 yunohost.org
root@totofr:/etc/yunohost/certs# ls -la toto.fr
toto.fr/         toto.fr-backups/ toto.fr-history/ 
root@totofr:/etc/yunohost/certs# ls -la toto.fr
lrwxrwxrwx 1 root root 66 déc.  20 15:14 toto.fr -> /etc/yunohost/certs//toto.fr-history/20161220.151444-letsencrypt
root@totofr:/etc/yunohost/certs# ls -la toto.fr/
total 16
drw-r-xr-x 2 root root      4096 déc.  20 15:14 .
drwxr-xr-x 3 root root      4096 déc.  20 15:14 ..
-rw-r----- 1 root metronome 3603 déc.  20 15:14 crt.pem
-rw-r----- 1 root metronome 2488 déc.  20 15:14 key.pem
root@totofr:/etc/yunohost/certs# ls -la test.toto.fr
lrwxrwxrwx 1 root root 70 déc.  26 14:21 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161226.142112-selfsigned
root@totofr:/etc/yunohost/certs# ls -la test.toto.fr/
total 32
drwxr-xr-x 2 root root      4096 déc.  26 14:21 .
drwxr-xr-x 6 root root      4096 déc.  26 14:21 ..
lrwxrwxrwx 1 root root        34 déc.  26 14:21 ca.pem -> /etc/ssl/certs/ca-yunohost_crt.pem
-rw-r----- 1 root **metronome** 5654 déc.  26 14:21 crt.pem
-rw-r----- 1 root **metronome** 1704 déc.  26 14:21 key.pem
-rw------- 1 root root      8886 déc.  26 14:21 openssl.cnf
root@totofr:/etc/yunohost/certs# yunohost domain cert-install test.toto.fr
Succès ! Installation avec succès d’un certificat Let’s Encrypt pour le domaine test.toto.fr !
root@totofr:/etc/yunohost/certs# ls -la test.toto.fr/
total 16
drw-r-xr-x 2 root root      4096 déc.  26 14:28 .
drwxr-xr-x 7 root root      4096 déc.  26 14:28 ..
-rw-r----- 1 root **metronome** 3615 déc.  26 14:28 crt.pem
-rw-r----- 1 root **root**      2484 déc.  26 14:27 key.pem

I used the Web admin UI to return to the self-signed certificate and here is the result in the terminal:

root@totofr:/etc/yunohost/certs# ls -la test.toto.fr/
total 32
drwxr-xr-x 2 root root      4096 déc.  26 14:33 .
drwxr-xr-x 8 root root      4096 déc.  26 14:33 ..
lrwxrwxrwx 1 root root        34 déc.  26 14:33 ca.pem -> /etc/ssl/certs/ca-yunohost_crt.pem
-rw-r----- 1 root **metronome** 5654 déc.  26 14:33 crt.pem
-rw-r----- 1 root **metronome** 1704 déc.  26 14:33 key.pem
-rw------- 1 root root      8886 déc.  26 14:33 openssl.cnf

I can reproduce the problem each time I add another domain and generate a Let's Encrypt certificate using the command line or the Web admin UI.

Edit: I’m dumb and didn’t read the log correctly the first time :smiley:

So the command shows:

which is what was expected, i.e. metronome has permissions on the certs… (And note that the link gives permissions to everybody since it has rwxrwxrwx.)

Can you please double check that you get the error message in Metronome despite this :confused:?

Hi, I double checked.

My Metronome logs were empty with the self-signed certificate.
After generating the Let's Encrypt certificate, Metronome restarts and here is the metronome.log:

Dec 27 09:54:15 mod_posix	info	Successfully daemonized to PID 27412
Dec 27 09:54:15 certmanager	error	SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Check that the permissions allow Metronome to read this file. (for test.toto.fr)
Dec 27 09:54:15 certmanager	error	SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Previous error (see logs), or other system error. (for test.toto.fr)

And metronome.err:

Dec 27 09:54:15 certmanager	error	SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Check that the permissions allow Metronome to read this file. (for test.toto.fr)
Dec 27 09:54:15 certmanager	error	SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Previous error (see logs), or other system error. (for test.toto.fr)

There is definitely an error on my instance.
Maybe only with my instance.
If I return to a self-signed certificate, the problem disappears; look at the metronome.log with the last line at 10:02 AM: it’s the last line, 6 minutes after returning to a self-signed certificate.

Dec 27 10:02:15 mod_posix	info	Successfully daemonized to PID 27823

If I use Let's Encrypt, I need to manually change the owner group of key.pem to metronome.

Hello @madmaxlamenace,

Can you check that the whole path has the correct permissions, please? It’s very possible that a subdirectory doesn’t have the right permissions and thus Metronome can’t reach the end path.

Here is my working personal setup for reference:

root@browny:/etc/yunohost/apps# ls -l / | grep etc
drwxr-xr-x 139 root   root    12288 déc.  28 17:54 etc
root@browny:/etc/yunohost/apps# ls -l /etc | grep yunohost
drwxr-xr-x  6 root root    4096 déc.  16 01:26 yunohost
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost | grep certs
drwxr-xr-x 34 root root 4096 déc.  24 02:40 certs
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep atom.browny.pink
lrwxrwxrwx 1 root root   73 déc.  11 23:57 atom.browny.pink -> /etc/yunohost/certs//atom.browny.pink-history/20161211.235715-letsencrypt
drwxr-xr-x 3 root root 4096 déc.  11 23:57 atom.browny.pink-backups
drwxr-xr-x 3 root root 4096 déc.  11 23:57 atom.browny.pink-history
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep atom.browny.pink-history
lrwxrwxrwx 1 root root   73 déc.  11 23:57 atom.browny.pink -> /etc/yunohost/certs//atom.browny.pink-history/20161211.235715-letsencrypt
drwxr-xr-x 3 root root 4096 déc.  11 23:57 atom.browny.pink-history
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs/atom.browny.pink-history | grep 20161211.235715-letsencrypt
drw-r-xr-x 2 root root 4096 déc.  11 23:57 20161211.235715-letsencrypt
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs/atom.browny.pink-history/20161211.235715-letsencrypt 
total 8
-rw-r----- 1 root metronome 3619 déc.  11 23:57 crt.pem
-rw-r----- 1 root metronome 2488 déc.  11 23:57 key.pem

Here are the logs, but they are the same as below; this is the third time I paste the same lines of my terminal. In my opinion the script forgets to change the owner group at the end when generating the Let's Encrypt certificate.

root@totofr:/etc/yunohost/apps# ls -l / | grep etc
drwxr-xr-x 116 root root 12288 déc.  28 22:31 etc
root@totofr:/etc/yunohost/apps# ls -l /etc/ | grep yunohost
drwxr-xr-x  5 root root                 4096 déc.  20 15:14 yunohost
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/ | grep certs
drwxr-xr-x 12 root root 4096 déc.  27 10:02 certs
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx  1 root root   70 déc.  27 10:02 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161227.100214-selfsigned
drwxr-xr-x 12 root root 4096 déc.  27 10:02 test.toto.fr-history

At this point I generate the Let's Encrypt certificate:

root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx  1 root root   71 déc.  29 14:32 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
drwxr-xr-x 13 root root 4096 déc.  29 14:32 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx  1 root root   71 déc.  29 14:32 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
drwxr-xr-x 13 root root 4096 déc.  29 14:32 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr-history
lrwxrwxrwx  1 root root   71 déc.  29 14:32 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
drwxr-xr-x 13 root root 4096 déc.  29 14:32 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr | grep 20161229.143255-letsencrypt
lrwxrwxrwx 1 root root 71 déc.  29 14:32 /etc/yunohost/certs/test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history | grep 20161229.143255-letsencrypt
drw-r-xr-x 2 root root 4096 déc.  29 14:32 20161229.143255-letsencrypt
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history/20161229.143255-letsencrypt
total 8
-rw-r----- 1 root metronome 3615 déc.  29 14:32 crt.pem
-rw-r----- 1 root root      2488 déc.  29 14:32 key.pem

At this point I returned to the self-signed certificate and here is the result:

root@totofr:/etc/yunohost/apps# ls -l /etc/ | grep yunohost
drwxr-xr-x  5 root root                 4096 déc.  20 15:14 yunohost
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/ | grep certs
drwxr-xr-x 12 root root 4096 déc.  29 14:48 certs
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx  1 root root   70 déc.  29 14:48 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.144807-selfsigned
drwxr-xr-x 14 root root 4096 déc.  29 14:48 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr-history
lrwxrwxrwx  1 root root   70 déc.  29 14:48 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.144807-selfsigned
drwxr-xr-x 14 root root 4096 déc.  29 14:48 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history | grep 20161229.144807-selfsigned
drwxr-xr-x 2 root root 4096 déc.  29 14:48 20161229.144807-selfsigned
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history/20161229.144807-selfsigned
total 24
lrwxrwxrwx 1 root root        34 déc.  29 14:48 ca.pem -> /etc/ssl/certs/ca-yunohost_crt.pem
-rw-r----- 1 root metronome 5655 déc.  29 14:48 crt.pem
-rw-r----- 1 root metronome 1704 déc.  29 14:48 key.pem
-rw------- 1 root root      8886 déc.  29 14:48 openssl.cnf
root@totofr:/etc/yunohost/apps# 

There is a problem with the script at the end.
How can I see what the script does exactly at the end, when it generates the certificate? I think it must change the group owner to metronome, doesn’t it?

Thanks !

So indeed, this:

shows that metronome has no rights on key.pem. However, I do not quite understand how this happens, as this is not the behavior I got on my machines…

The permissions are set here… Maybe somehow the permissions are not correctly propagated when moving the file to the final destination here?

Thanks.
I looked at the code… but I’m a bit too much of a noob with Python. I tried to follow the Python MOOC but it’s a little hard :slight_smile:
I tried to add another domain and generate a Let's Encrypt certificate.
Same problem.
It’s not a problem, I know that I need to manually change the group owner for Let's Encrypt certs (maybe when renewing):
chgrp metronome /*/key.pem
It’s a little work.
Perhaps with a newer upgrade of YunoHost the problem will be solved.
Thanks

Hi!
I’ve got quite the same problem, but no solution is working:

/var/log/metronome/metronome.err: I have this for all domains, all with Let's Encrypt certificates:

Mar 23 10:09:55 certmanager error SSL/TLS: Failed to load '/etc/yunohost/certs/domain.tld/key.pem': Check that the permissions allow Metronome to read this file. (for pubsub.domain.tld)

But the permissions seem correct:

root@lamo:/etc/yunohost/certs/domain.tld# ls -l
total 8
-rw-r----- 1 root metronome 3611 mars  23 01:28 crt.pem
-rw-r----- 1 root metronome 2484 mars  23 01:28 key.pem

Have you got an idea of what could be wrong?

Can you check the permissions for other files/folders such as:

/etc/yunohost
/etc/yunohost/certs
/etc/yunohost/certs/domain.tld (the folder, not the files inside the folder)

/etc/yunohost:
drwxr-xr-x 5 root root 4096 mars 23 00:46 yunohost

/etc/yunohost/certs:
drwx------ 22 root root 4096 mars 23 01:36 certs

/etc/yunohost/certs/domain.tld:
lrwxrwxrwx 1 root root 70 mars 23 01:28 domain.tld -> /etc/yunohost/certs//domain.tld-history/20170323.012831-letsencrypt


Here it is. Not sure why you have those permissions on this folder, but that means nobody other than root can open /etc/yunohost/certs.

To fix the issue, you can run:

chmod +rx /etc/yunohost/certs
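The whole-path check asked for earlier in this thread (every directory from / down to key.pem, following the symlinks in /etc/yunohost/certs) and the drwx------ diagnosis that closed it can be automated. The script below is an added example for this thread, not YunoHost or Metronome code. It models the service account as an explicit (uid, set of gids) pair, so it runs as any user without a real metronome account, only evaluates classic owner/group/other mode bits (POSIX ACLs and capabilities are out of scope), and rebuilds a constructed copy of the thread's directory layout in a temporary directory so that both failure modes seen here, a 0700 certs directory and a root:root key.pem, are reported with the component that causes them.

```python
"""Walk a path the way the kernel's DAC check does for an unprivileged user and
report the first component that stops that user from reading the file.

Added example for this thread; not YunoHost or Metronome code.  The service
account is a constructed (uid, gids) pair, so no real `metronome` user is needed.
"""
import os
import stat
import tempfile
from typing import Optional, Set, Tuple


def _mode_allows(st: os.stat_result, uid: int, gids: Set[int], want: str) -> bool:
    """Apply exactly one bit class, like the kernel: owner, else group, else other."""
    if st.st_uid == uid:
        bit = stat.S_IRUSR if want == "r" else stat.S_IXUSR
    elif st.st_gid in gids:
        bit = stat.S_IRGRP if want == "r" else stat.S_IXGRP
    else:
        bit = stat.S_IROTH if want == "r" else stat.S_IXOTH
    return bool(st.st_mode & bit)


def _describe(st: os.stat_result) -> str:
    return f"{stat.filemode(st.st_mode)} uid={st.st_uid} gid={st.st_gid}"


def first_blocker(path: str, uid: int, gids: Set[int],
                  below: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (component, reason) for the first element denying `uid`, or None.

    Symlinks are resolved first because that is the path the kernel actually opens;
    every ancestor directory needs search (x) permission and the file itself needs
    read.  Directories at or above `below` are assumed reachable (useful when the
    tree lives under a temp directory).  Root bypasses DAC, so uid 0 is never blocked.
    """
    if uid == 0:
        return None
    real = os.path.realpath(path)
    base = os.path.realpath(below) if below else None
    dirs = []                       # ancestors, collected from the file's parent up to /
    d = os.path.dirname(real)
    while True:
        dirs.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    for d in reversed(dirs):        # now from / downwards, as the lookup proceeds
        if base is not None and (d == base or not d.startswith(base + os.sep)):
            continue                # trusted prefix, not part of the check
        st = os.stat(d)
        if not _mode_allows(st, uid, gids, "x"):
            return d, f"no search (x) permission: {_describe(st)}"
    st = os.stat(real)
    if not _mode_allows(st, uid, gids, "r"):
        return real, f"no read (r) permission: {_describe(st)}"
    return None


def build_demo_tree(root: str) -> str:
    """Recreate the layout from the thread under `root` (constructed test data).

    Returns the symlinked path an XMPP server would be configured with.
    """
    os.chmod(root, 0o755)           # mkdtemp() creates the root as 0700
    p = root
    for part in ["etc", "yunohost", "certs", "domain.tld-history",
                 "20170323.012831-letsencrypt"]:
        p = os.path.join(p, part)
        os.mkdir(p)
        os.chmod(p, 0o755)          # explicit, so the umask cannot change the outcome
    certs = os.path.join(root, "etc", "yunohost", "certs")
    key = os.path.join(p, "key.pem")
    with open(key, "w") as f:       # placeholder content, not a real key
        f.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o640)            # -rw-r----- as in the thread's listings
    os.symlink(p, os.path.join(certs, "domain.tld"))
    os.chmod(certs, 0o700)          # drwx------ the misconfiguration that was found
    return os.path.join(certs, "domain.tld", "key.pem")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        key = build_demo_tree(tmp)
        # Constructed service account: not the owner, but in the key's group,
        # like metronome on the root:metronome files shown in the thread.
        svc_uid, svc_gids = os.getuid() + 1, {os.getgid()}
        print("certs 0700 :", first_blocker(key, svc_uid, svc_gids, below=tmp))
        os.chmod(os.path.join(tmp, "etc", "yunohost", "certs"), 0o755)  # chmod +rx
        print("after fix  :", first_blocker(key, svc_uid, svc_gids, below=tmp))
        # The first poster's symptom: key.pem owned by root:root, so the service
        # account falls into the "other" class, which has no read bit.
        print("wrong group:", first_blocker(key, svc_uid, {os.getgid() + 1}, below=tmp))
```

Run it as any user; the first line names the certs directory, the second prints None after the chmod, and the third names key.pem itself, matching the two diagnoses in this thread. On a real host, call first_blocker with the metronome uid and its group set (from pwd/grp) and below=None so that /etc and /etc/yunohost are checked too.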

Bingo, thanks!