Smypl-ssl --verbose ... -> Permission denied @ apply2files

Problem Description

Failing to generate SSL cert via letsencrypt, even when being run as root.

Any Error Messages

root@srv-pfb68:~# sympl-ssl --verbose example.co.uk

  • Examining certificates for example.co.uk
    SSL set 0: Not valid for example.co.uk – certificate has expired (10)
    SSL set 0: Not valid for example.co.uk – certificate has expired (10)
    Current SSL set 0: signed by /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3, expires 2020-09-20 09:00:26 UTC
    The current set is no longer valid for this domain.
    !! Failed: Permission denied @ apply2files - /srv/example.co.uk/config/ssl/current

Environment

smypl-core 9.200909.0

debian buster, all known updates applied.

root@srv-pfb68:~# ls -al /srv/example.co.uk/config/

drwxrws--x 5 sympl  sympl   4096 Oct 23  2017 .
drwxr-xr-x 6 debian debian  4096 Jun 15 19:22 ..
-rw-rw---- 1 sympl  sympl      4 Jan 13  2015 antispam
-rw-rw---- 1 sympl  sympl      4 Jan 13  2015 antivirus
drwxrws--x 2 sympl  sympl   4096 Jan 13  2015 blacklists
drwxrws--x 2 sympl  sympl   4096 Jun 28  2011 dns
-rw-rw---- 1 sympl  sympl     11 Sep 28  2015 ftp-password
drwxrws--x 4 sympl  sympl   4096 Jun 22 10:00 ssl
-rw-rw---- 1 sympl  sympl  25085 Mar 11  2016 webalizer.conf

root@srv-pfb68:~# ls -al /srv/example.co.uk/config/ssl/
total 16
drwxrws--x 4 sympl sympl    4096 Jun 22 10:00 .
drwxrws--x 5 sympl sympl    4096 Oct 23  2017 ..
lrwxrwxrwx 1 root  sympl       7 Jun 22 10:00 current -> sets/0/
drwxrws--x 2 sympl sympl    4096 Oct 23  2017 letsencrypt
drwxrws--x 4 sympl ssl-cert 4096 Aug 21 06:48 sets

root@srv-pfb68:~# ls -al /srv/example.co.uk/config/ssl/letsencrypt/
total 12
drwxrws--x 2 sympl sympl 4096 Oct 23  2017 .
drwxrws--x 4 sympl sympl 4096 Jun 22 10:00 ..
-rw-rw---- 1 sympl sympl 1679 Oct 23  2017 account_key

and

root@srv-pfb68:~# ls -al /srv/example.co.uk/config/ssl/sets/
total 16
drwxrws--x 4 sympl ssl-cert 4096 Aug 21 06:48 .
drwxrws--x 4 sympl sympl    4096 Jun 22 10:00 ..
drwxrws--x 2 sympl ssl-cert 4096 Jun 22 10:00 0
drwxrws--x 2 sympl ssl-cert 4096 Aug 21 06:48 1

Renaming ‘sets’ to ‘sets.old’ and re-running sympl-ssl --verbose … seems to work, which implies it didn’t like the

drwxrws--x 4 sympl ssl-cert 4096 Aug 21 06:48 sets

as it’s now recreated it as :

drwxr-s--- 3 sympl ssl-cert 4096 Sep 22 10:47 sets

Is something else going on? I couldn’t seem to see any other permissions being different.

I think the directories/files were created by doing an rsync from an older symbiosis release on an older debian variant. But I have memory of there being a cron job that changes the ownership of /srv files for Sympl, in which case did it get something wrong?

lrwxrwxrwx 1 root sympl 7 Jun 22 10:00 current → sets/0/
That looks wrong to me.
Mine are all owned by sympl:sympl (except ssl-cert, which is sympl:ssl-cert)
I expect that the rsync did something to the slink owership when you transferred.
sudo chown sympl:sympl will fix it.

1 Like

You should also be able to remove config/SSL/current and let Sympl re-create it.

I can’t say I’ve seen that error before though.

The symlink is owned by root, it’s usually fine, as it is down to the targets to still be readable.

Double check your package versions also - you mentioned buster, but the Sympl version was ‘9.x’, which is Stretch, and may cause other random issues.

Ah - well spotted (stretch vs buster).

I’m not sure how that could have happened, but never mind … easy enough to fix.