Bad SSL folder access rights in /etc/nginx

letsencrypt

#1

Hi,

Nginx is running as www-data (set in /etc/nginx/nginx.conf: user www-data;)

The Letsencrypt task creates the ssl folder as root.

/etc/nginx/
drwx------ 3 root root 4096 May 16 09:51 ssl

I have set the admin_user as ubuntu in group_vars/production/users.yml
admin_user: ubuntu

nginx -T:

nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)

2017/05/16 10:49:51 [warn] 28558#28558: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:7

2017/05/16 10:49:51 [emerg] 28558#28558: BIO_new_file("/etc/nginx/ssl/letsencrypt/xxxxx.com-1de5126-bundled.cert") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/nginx/ssl/letsencrypt/xxxx.com-1de5126-bundled.cert','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

/var/log/nginx$ ls -l

-rw-r----- 1 www-data adm 69603 May 16 10:20 access.log
-rw-r----- 1 www-data adm 575 May 16 09:51 error.log

My Trellis setup is a fresh install, cloned from the repo yesterday.
Any idea? I'm not a specialist in security, so I do not want to do a "chmod" somewhere without knowing beforehand what I'm doing ^^

Thanks for your help


#2

As I understand it, when you run nginx -t

nginx checks the configuration file syntax and then tries to open files referenced in the configuration file (ref)

and probably does so as the current user. So if you run nginx -t as a non-root user, it doesn't have permission. But if you invoke sudo, such that the test "tries to open files" as root, the output shows no errors (not for me, at least): sudo nginx -t

ps aux -P | grep nginx shows that the nginx master process is running as root, which seems appropriate, so it shouldn’t have permissions trouble with files.

Was there a problem you were running into other than the warnings and errors when running nginx -T without sudo?
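To see which files the config test will try to open, and whether the user you are running it as can actually read them, here is an added example (not from the thread or from Trellis). It parses the ssl_certificate and ssl_certificate_key directives out of one nginx config file (include directives are not followed) and reports each file's owner, mode and readability for the current user, which is exactly what an unprivileged `nginx -t` stumbles over.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# List the cert/key files an nginx config references and report whether the
# CURRENT user can read them. `nginx -t` run without sudo opens these files
# as you, not as root, so a root-owned 0700 ssl/ directory fails here even
# though the root master process reads them fine at runtime.

# Print the paths named by ssl_certificate / ssl_certificate_key directives.
# Comments are stripped first; the trailing ';' is removed from the path.
referenced_ssl_files() {
    conf="$1"
    sed -e 's/#.*//' "$conf" \
      | awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
               sub(/;$/, "", $2); print $2 }'
}

# Return 0 if the current user can read the file, 1 otherwise.
can_read() {
    [ -r "$1" ]
}

# One line per referenced file: <path> <owner> <mode> <readable|DENIED|MISSING>
report_ssl_files() {
    conf="$1"
    referenced_ssl_files "$conf" | while IFS= read -r f; do
        if [ ! -e "$f" ]; then
            printf '%s - - MISSING\n' "$f"
            continue
        fi
        owner=$(ls -ld "$f" | awk '{print $3}')
        mode=$(ls -ld "$f" | awk '{print $1}')
        if can_read "$f"; then
            printf '%s %s %s readable\n' "$f" "$owner" "$mode"
        else
            printf '%s %s %s DENIED\n' "$f" "$owner" "$mode"
        fi
    done
}

# Usage: sh check_ssl_files.sh /etc/nginx/sites-available/example.conf
if [ "$#" -gt 0 ]; then
    report_ssl_files "$1"
fi
```

Run it once as your deploy user and once with sudo: a file that is DENIED for you but readable for root explains the `nginx -t` failure without any permission change being needed.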


#3

Hum, nginx was not running as root. I have redone a deploy:

ansible-playbook server.yml -e env=production --tags nginx

This time, it works. So, problem now solved, thanks for your help.