Hi everyone, I use the beta v2.5.2 version. Actually it seems that when using a Let's Encrypt certificate the group for *.pem changes from root:metronome to root:root.
And vice versa, when changing from a Let's Encrypt certificate to a self-signed certificate it changes from root:root to root:metronome.
Conclusion: if you want to use XMPP on your instance with a Let's Encrypt certificate:
You need to manually change the group owner in order for metronome to work with the Let's Encrypt cert.
I can’t reproduce this. Are you sure that the certificate with root:root permissions wasn’t the one you got after uninstalling the letsencrypt_ynh app? Can you confirm that if you install a LE cert with yunohost domain cert-install, you get root:root permissions?
N.B.: the files in /etc/yunohost/certs/domain.tld might be symlinks. Make sure to follow the links to check which permissions really apply.
Hi Captain,
Here is the record of my terminal:
root@totofr:/etc/yunohost/certs# ls -la
total 52
drwxr-xr-x 12 root root 4096 déc. 26 14:21 .
drwxr-xr-x 5 root root 4096 déc. 20 15:14 ..
lrwxrwxrwx 1 root root 66 déc. 20 15:14 toto.fr -> /etc/yunohost/certs//toto.fr-history/20161220.151444-letsencrypt
drwxr-xr-x 3 root root 4096 déc. 20 15:14 toto.fr-backups
drwxr-xr-x 3 root root 4096 déc. 20 15:14 toto.fr-history
lrwxrwxrwx 1 root root 71 déc. 20 15:18 shop.toto.fr -> /etc/yunohost/certs//shop.toto.fr-history/20161220.151822-letsencrypt
drwxr-xr-x 3 root root 4096 déc. 20 15:18 shop.toto.fr-backups
drwxr-xr-x 3 root root 4096 déc. 20 15:18 shop.toto.fr-history
lrwxrwxrwx 1 root root 70 déc. 26 14:21 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161226.142112-selfsigned
drwxr-xr-x 6 root root 4096 déc. 26 14:21 test.toto.fr-history
lrwxrwxrwx 1 root root 69 déc. 20 21:01 www.toto.fr -> /etc/yunohost/certs//www.toto.fr-history/20161220.210105-selfsigned
drwxr-xr-x 3 root root 4096 déc. 20 21:01 www.toto.fr-history
drwxr-xr-x 2 root root 4096 oct. 6 21:55 yunohost.org
root@totofr:/etc/yunohost/certs# ls -la toto.fr
toto.fr/ toto.fr-backups/ toto.fr-history/
root@totofr:/etc/yunohost/certs# ls -la toto.fr
lrwxrwxrwx 1 root root 66 déc. 20 15:14 toto.fr -> /etc/yunohost/certs//toto.fr-history/20161220.151444-letsencrypt
root@totofr:/etc/yunohost/certs# ls -la toto.fr/
total 16
drw-r-xr-x 2 root root 4096 déc. 20 15:14 .
drwxr-xr-x 3 root root 4096 déc. 20 15:14 ..
-rw-r----- 1 root metronome 3603 déc. 20 15:14 crt.pem
-rw-r----- 1 root metronome 2488 déc. 20 15:14 key.pem
root@totofr:/etc/yunohost/certs# ls -la test.toto.fr
lrwxrwxrwx 1 root root 70 déc. 26 14:21 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161226.142112-selfsigned
root@totofr:/etc/yunohost/certs# ls -la test.toto.fr/
total 32
drwxr-xr-x 2 root root 4096 déc. 26 14:21 .
drwxr-xr-x 6 root root 4096 déc. 26 14:21 ..
lrwxrwxrwx 1 root root 34 déc. 26 14:21 ca.pem -> /etc/ssl/certs/ca-yunohost_crt.pem
-rw-r----- 1 root **metronome** 5654 déc. 26 14:21 crt.pem
-rw-r----- 1 root **metronome** 1704 déc. 26 14:21 key.pem
-rw------- 1 root root 8886 déc. 26 14:21 openssl.cnf
root@totofr:/etc/yunohost/certs# yunohost domain cert-install test.toto.fr
Succès ! Installation avec succès d’un certificat Let’s Encrypt pour le domaine test.toto.fr !
root@totofr:/etc/yunohost/certs# ls -la test.toto.fr/
total 16
drw-r-xr-x 2 root root 4096 déc. 26 14:28 .
drwxr-xr-x 7 root root 4096 déc. 26 14:28 ..
-rw-r----- 1 root **metronome** 3615 déc. 26 14:28 crt.pem
-rw-r----- 1 root **root** 2484 déc. 26 14:27 key.pem
I used the Web admin UI to return to the self-signed certificate, and here is the result in the terminal:
root@totofr:/etc/yunohost/certs# ls -la test.toto.fr/
total 32
drwxr-xr-x 2 root root 4096 déc. 26 14:33 .
drwxr-xr-x 8 root root 4096 déc. 26 14:33 ..
lrwxrwxrwx 1 root root 34 déc. 26 14:33 ca.pem -> /etc/ssl/certs/ca-yunohost_crt.pem
-rw-r----- 1 root **metronome** 5654 déc. 26 14:33 crt.pem
-rw-r----- 1 root **metronome** 1704 déc. 26 14:33 key.pem
-rw------- 1 root root 8886 déc. 26 14:33 openssl.cnf
I can reproduce the problem each time I add another domain and generate a Let's Encrypt certificate using the command line or the Web admin UI.
Edit: I’m dumb and didn’t read the log correctly the first time.
So the command shows:
which is what is expected… i.e. metronome has permissions on the certs… (And note that the link gives permissions to everybody since it has rwxrwxrwx.)
Can you please double check that you get the error message in metronome despite this?
Hi, I double checked.
My metronome logs were empty with the self-signed certificate.
After generating the Let's Encrypt certificate metronome restarts, and here is metronome.log:
Dec 27 09:54:15 mod_posix info Successfully daemonized to PID 27412
Dec 27 09:54:15 certmanager error SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Check that the permissions allow Metronome to read this file. (for test.toto.fr)
Dec 27 09:54:15 certmanager error SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Previous error (see logs), or other system error. (for test.toto.fr)
And metronome.err:
Dec 27 09:54:15 certmanager error SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Check that the permissions allow Metronome to read this file. (for test.toto.fr)
Dec 27 09:54:15 certmanager error SSL/TLS: Failed to load '/etc/yunohost/certs/test.toto.fr/key.pem': Previous error (see logs), or other system error. (for test.toto.fr)
There is definitely an error on my instance.
Maybe only with my instance.
If I return to a self-signed certificate, the problem disappears. Look at metronome.log: the last line is at 10:02 AM, 6 minutes after returning to a self-signed certificate.
Dec 27 10:02:15 mod_posix info Successfully daemonized to PID 27823
If I use Let's Encrypt I need to manually change the owner group of key.pem to metronome.
Hello @madmaxlamenace,
Can you check that the whole path has the correct permissions please? It’s very possible that a subdirectory doesn’t have the right permissions and thus metronome can’t reach the end path.
Here is my working personal setup for reference:
root@browny:/etc/yunohost/apps# ls -l / | grep etc
drwxr-xr-x 139 root root 12288 déc. 28 17:54 etc
root@browny:/etc/yunohost/apps# ls -l /etc | grep yunohost
drwxr-xr-x 6 root root 4096 déc. 16 01:26 yunohost
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost | grep certs
drwxr-xr-x 34 root root 4096 déc. 24 02:40 certs
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep atom.browny.pink
lrwxrwxrwx 1 root root 73 déc. 11 23:57 atom.browny.pink -> /etc/yunohost/certs//atom.browny.pink-history/20161211.235715-letsencrypt
drwxr-xr-x 3 root root 4096 déc. 11 23:57 atom.browny.pink-backups
drwxr-xr-x 3 root root 4096 déc. 11 23:57 atom.browny.pink-history
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep atom.browny.pink-history
lrwxrwxrwx 1 root root 73 déc. 11 23:57 atom.browny.pink -> /etc/yunohost/certs//atom.browny.pink-history/20161211.235715-letsencrypt
drwxr-xr-x 3 root root 4096 déc. 11 23:57 atom.browny.pink-history
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs/atom.browny.pink-history | grep 20161211.235715-letsencrypt
drw-r-xr-x 2 root root 4096 déc. 11 23:57 20161211.235715-letsencrypt
root@browny:/etc/yunohost/apps# ls -l /etc/yunohost/certs/atom.browny.pink-history/20161211.235715-letsencrypt
total 8
-rw-r----- 1 root metronome 3619 déc. 11 23:57 crt.pem
-rw-r----- 1 root metronome 2488 déc. 11 23:57 key.pem
Here are the logs, but they are the same as below; this is the third time I paste the same lines of my terminal. In my opinion the script forgets to change the owner group at the end when generating the Let's Encrypt certificate.
root@totofr:/etc/yunohost/apps# ls -l / | grep etc
drwxr-xr-x 116 root root 12288 déc. 28 22:31 etc
root@totofr:/etc/yunohost/apps# ls -l /etc/ | grep yunohost
drwxr-xr-x 5 root root 4096 déc. 20 15:14 yunohost
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/ | grep certs
drwxr-xr-x 12 root root 4096 déc. 27 10:02 certs
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx 1 root root 70 déc. 27 10:02 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161227.100214-selfsigned
drwxr-xr-x 12 root root 4096 déc. 27 10:02 test.toto.fr-history
At this point I generate the Let's Encrypt certificate:
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx 1 root root 71 déc. 29 14:32 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
drwxr-xr-x 13 root root 4096 déc. 29 14:32 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx 1 root root 71 déc. 29 14:32 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
drwxr-xr-x 13 root root 4096 déc. 29 14:32 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr-history
lrwxrwxrwx 1 root root 71 déc. 29 14:32 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
drwxr-xr-x 13 root root 4096 déc. 29 14:32 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr | grep 20161229.143255-letsencrypt
lrwxrwxrwx 1 root root 71 déc. 29 14:32 /etc/yunohost/certs/test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.143255-letsencrypt
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history | grep 20161229.143255-letsencrypt
drw-r-xr-x 2 root root 4096 déc. 29 14:32 20161229.143255-letsencrypt
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history/20161229.143255-letsencrypt
total 8
-rw-r----- 1 root metronome 3615 déc. 29 14:32 crt.pem
-rw-r----- 1 root root 2488 déc. 29 14:32 key.pem
At this point I returned to the self-signed certificate, and here is the result:
root@totofr:/etc/yunohost/apps# ls -l /etc/ | grep yunohost
drwxr-xr-x 5 root root 4096 déc. 20 15:14 yunohost
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/ | grep certs
drwxr-xr-x 12 root root 4096 déc. 29 14:48 certs
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr
lrwxrwxrwx 1 root root 70 déc. 29 14:48 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.144807-selfsigned
drwxr-xr-x 14 root root 4096 déc. 29 14:48 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs | grep test.toto.fr-history
lrwxrwxrwx 1 root root 70 déc. 29 14:48 test.toto.fr -> /etc/yunohost/certs//test.toto.fr-history/20161229.144807-selfsigned
drwxr-xr-x 14 root root 4096 déc. 29 14:48 test.toto.fr-history
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history | grep 20161229.144807-selfsigned
drwxr-xr-x 2 root root 4096 déc. 29 14:48 20161229.144807-selfsigned
root@totofr:/etc/yunohost/apps# ls -l /etc/yunohost/certs/test.toto.fr-history/20161229.144807-selfsigned
total 24
lrwxrwxrwx 1 root root 34 déc. 29 14:48 ca.pem -> /etc/ssl/certs/ca-yunohost_crt.pem
-rw-r----- 1 root metronome 5655 déc. 29 14:48 crt.pem
-rw-r----- 1 root metronome 1704 déc. 29 14:48 key.pem
-rw------- 1 root root 8886 déc. 29 14:48 openssl.cnf
root@totofr:/etc/yunohost/apps#
There is a problem with the script at the end.
How can I look at what the script does exactly at the end when generating the certificate? I think it must change the group owner to metronome, doesn’t it?
Thanks!
So indeed, this:
shows that metronome has no rights on key.pem. However I do not quite understand how this happens, as this is not the behavior I got on my machines…
The permissions are set here … Maybe somehow the permissions are not correctly propagated when moving the file to the final destination here?
Thanks
I looked at the code… but I’m a bit too much of a noob with Python. I tried to follow the Python MOOC but it’s a little hard.
I tried to add another domain and generate a Let's Encrypt certificate.
Same problem.
It’s not a problem, I know that I need to manually change the group owner for Let's Encrypt certs (maybe when renewing):
chgrp metronome /*/key.pem
It’s a little work.
Perhaps with a newer upgrade of YunoHost the problem will be solved.
Thanks
Hi!
I’ve got quite the same problem, but no solution is working:
/var/log/metronome/metronome.err: I have this for all domains, all with Let's Encrypt certificates:
Mar 23 10:09:55 certmanager error SSL/TLS: Failed to load '/etc/yunohost/certs/domain.tld/key.pem': Check that the permissions allow Metronome to read this file. (for pubsub.domain.tld)
But the permissions seem correct:
root@lamo:/etc/yunohost/certs/domain.tld# ls -l
total 8
-rw-r----- 1 root metronome 3611 mars 23 01:28 crt.pem
-rw-r----- 1 root metronome 2484 mars 23 01:28 key.pem
Have you got an idea of what could be wrong?
Can you check the permissions for other files/folders such as:
/etc/yunohost
/etc/yunohost/certs
/etc/yunohost/certs/domain.tld
(the folder, not the files inside the folder)
/etc/yunohost:
drwxr-xr-x 5 root root 4096 mars 23 00:46 yunohost
/etc/yunohost/certs:
drwx------ 22 root root 4096 mars 23 01:36 certs
/etc/yunohost/certs/domain.tld:
lrwxrwxrwx 1 root root 70 mars 23 01:28 domain.tld -> /etc/yunohost/certs//domain.tld-history/20170323.012831-letsencrypt
Here it is. Not sure why you have those permissions on this folder, but that means nobody other than root can open /etc/yunohost/certs.
To fix the issue, you can run:
chmod +rx /etc/yunohost/certs
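The two diagnoses in this thread (a key.pem whose group is not metronome, and a /etc/yunohost/certs directory that only root can open) are both "can the service user reach and read this file?" questions, and the checks in the replies above were done by hand with ls -l on every component. The following Python script is an added example, not part of the thread and not YunoHost's or Metronome's own code: it walks every directory on both the lexical path and the symlink-resolved path (as the N.B. about following links suggests), checks the search bit on each and the read bit on the final file, using plain Unix mode bits only (POSIX ACLs are ignored, an assumption). It takes the service's uid and group list as parameters instead of looking up a real metronome user, and its demo builds a constructed throw-away tree shaped like /etc/yunohost/certs rather than touching the real one.

```python
import os
import shutil
import stat
import tempfile

# Mode bits per permission class (owner, group, other).
_READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
_SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _allowed(st, uid, gids, bits):
    """Classic Unix mode check: owner class if uid owns the entry, else group
    class if one of the user's groups owns it, else the 'other' class.
    Root bypasses mode bits. POSIX ACLs are not considered (assumption)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def _dirs_on_the_way(path, stop_at):
    """Directories from stop_at down to the parent of path, outermost first.
    Components above stop_at are assumed reachable and are skipped."""
    path = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    prefix = stop_at.rstrip(os.sep) + os.sep
    dirs = []
    while True:
        parent = os.path.dirname(path)
        if parent == path:
            break
        if parent == stop_at or parent.startswith(prefix):
            dirs.append(parent)
        path = parent
    return dirs[::-1]


def problems_reading(path, uid, gids, stop_at="/"):
    """Return human-readable problems that would stop user (uid, gids) from
    opening `path` for reading: a directory without the search (x) bit on
    either the lexical or the symlink-resolved route, a dangling link, or a
    file without the read bit. Empty list means the file is reachable."""
    problems = []
    real = os.path.realpath(path)
    seen = set()
    for d in _dirs_on_the_way(path, stop_at) + _dirs_on_the_way(real, stop_at):
        if d in seen:
            continue
        seen.add(d)
        st = os.stat(d)  # follows symlinked directory components
        if not _allowed(st, uid, gids, _SEARCH):
            problems.append(f"directory {d} not searchable (mode {stat.filemode(st.st_mode)})")
    if not os.path.isfile(real):
        problems.append(f"{path} is missing or a dangling symlink")
        return problems
    st = os.stat(real)
    if not _allowed(st, uid, gids, _READ):
        problems.append(f"file {real} not readable (mode {stat.filemode(st.st_mode)}, "
                        f"owner {st.st_uid}:{st.st_gid})")
    return problems


def demo():
    """Build a constructed throw-away tree mirroring the thread's layout
    (certs/domain.tld -> certs/domain.tld-history/<stamp>-letsencrypt) and
    check it as a pretend service user: a uid that owns none of the files,
    whose only group is the group the files were created with."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)  # mkdtemp creates 0700, which would itself block the walk
    try:
        certs = os.path.join(base, "certs")
        target = os.path.join(certs, "domain.tld-history", "20170323.012831-letsencrypt")
        os.makedirs(target)
        for d in (certs, os.path.dirname(target), target):
            os.chmod(d, 0o755)  # drwxr-xr-x, as in the working listings
        key = os.path.join(target, "key.pem")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o640)  # -rw-r----- like every key.pem in the thread
        os.symlink(target, os.path.join(certs, "domain.tld"))
        via_link = os.path.join(certs, "domain.tld", "key.pem")

        svc_uid = os.getuid() + 1000   # pretend service uid: owns nothing here
        file_gid = os.stat(key).st_gid  # plays the role of the metronome group
        results = {}
        # 1. Correct setup: key group-readable by the service's group, dirs 0755.
        results["ok"] = problems_reading(via_link, svc_uid, [file_gid], base)
        # 2. Key owned by a group the service is not in (the root:root key.pem case).
        results["key_group_wrong"] = problems_reading(via_link, svc_uid, [], base)
        # 3. certs directory drwx------ (the case solved by chmod +rx above).
        os.chmod(certs, 0o700)
        results["certs_not_searchable"] = problems_reading(via_link, svc_uid, [file_gid], base)
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or "reachable")
```

On a real host you would call problems_reading with the key path Metronome logs in its error, the uid of the metronome user and its group ids (from pwd.getpwnam and grp.getgrall), leaving stop_at at "/" so /etc and /etc/yunohost are checked too; the demo only restricts the walk to its temporary tree so that it does not depend on the permissions of whatever directory holds the temp files.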
Bingo, thanks!