6

In the Nginx configuration, trying to load ssl_certificate dynamically but

using $ssl_server_name variable

 ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;

getting this permission errors

│2019/09/22 08:29:42 [error] 7714#7714: *3 cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib) while SSL handshaking, client: , server: 0.0.0.0:443

but without using variable, its working !

 ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

is there any way to load ssl_certificate based on server_name dynamically?

tried few reference but still unable to solve.

  1. nginx config using variable in ssl_certificate path throws permissions error
  2. https://trac.nginx.org/nginx/ticket/1744
Improve this question
4
  • 1
    live contains symlinks to archive. When initially created, live and archive are accessible only to root. You need to allow the Nginx user (whatever it is for your OS) read access. That may be as simple as changing the permissions of those two directories. The linked answer in your question, also suggests running certbot as the Nginx user. Commented Sep 22, 2019 at 18:03
  • How did you start nginx? In a normal installation it starts as root by the system, and then drops privileges to the nginx user. You should ensure that if you changed this, that you revert the change. Commented Sep 22, 2019 at 19:07
  • running nginx as root. but defined www-data as user in nginx.conf Commented Sep 22, 2019 at 19:19
  • Pretty sure variables get evaluated later than the priv drop. I'd say you're probably outta luck unless you want to open your SSL data to the world. You'd be far better off programmatically generating the config anyway. Commented Sep 23, 2019 at 1:18

1 Answer 1

Reset to default
9

Just adding the response here in case anyone runs in to the same issue.

When nginx starts, it starts as root. If you are not using variables the certificate files can be loaded at this point (as root).

However if you are using variables, the loading of these files needs to wait until the request arrives, at which point nginx is no longer running as root bus as the user you've specified in the .conf. And it looks like this user is not able to read those files.

This is the reason it works without variables (opening files as root) and it doesn't when using them (trying to open files as another user).

You just need to make the nginx user be able to read those files.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.