# Bad SSL Folder access right in /etc/nginx

**URL:** https://discourse.roots.io/t/bad-ssl-folder-access-right-in-etc-nginx/9613
**Category:** trellis
**Tags:** letsencrypt
**Created:** 2017-05-16T08:53:37Z
**Posts:** 3

## Post 1 by @patrice — 2017-05-16T08:53:37Z

Hi,

Nginx is running as www-data (set in /etc/nginx/nginx.conf: `user www-data;`)

The Letsencrypt task creates the ssl folder as root.

```
/etc/nginx/
drwx------ 3 root root 4096 May 16 09:51 ssl
```

I have set the admin_user as ubuntu in group_vars/production/users.yml:
`admin_user: ubuntu`

`nginx -T`:

```
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2017/05/16 10:49:51 [warn] 28558#28558: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:7
2017/05/16 10:49:51 [emerg] 28558#28558: BIO_new_file("/etc/nginx/ssl/letsencrypt/xxxxx.com-1de5126-bundled.cert") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/nginx/ssl/letsencrypt/xxxx.com-1de5126-bundled.cert','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
```

```
/var/log/nginx$ ls -l
-rw-r----- 1 www-data adm 69603 May 16 10:20 access.log
-rw-r----- 1 www-data adm 575 May 16 09:51 error.log
```

My trellis setup is a fresh install, cloned from the repo yesterday.  
Any idea? I'm not a specialist in security, so I do not want to do a “chmod” somewhere without knowing beforehand what I’m doing ^^

Thanks for your help

---

## Post 2 by @fullyint — 2017-05-16T15:54:48Z

As I understand it, when you run `nginx -t`

> nginx checks the configuration file syntax and then tries to open files referenced in the configuration file ([ref](http://manpages.ubuntu.com/manpages/xenial/en/man8/nginx.8.html))

and probably does so as the current user. So if you run `nginx -t` as a non-root user, it doesn’t have permission. But if you invoke sudo, such that the test “tries to open files” as root, the output shows no errors (not for me, at least): `sudo nginx -t`

`ps aux -P | grep nginx` shows that the nginx master process is running as root, which [seems appropriate](https://unix.stackexchange.com/a/134304), so it shouldn’t have permissions trouble with files.

Was there a problem you were running into other than the warnings and errors when running `nginx -T` without `sudo`?

---

## Post 3 by @patrice — 2017-05-17T06:01:57Z

Hum, nginx was not running as root. I have redone a deploy:

```
ansible-playbook server.yml -e env=production --tags nginx
```

This time, it worked. So, the problem is now solved, thanks for your help.
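
---

The checks discussed in Post 2 (which user the nginx master and workers run as, and whether the certificate directory is readable by root only), as an added shell example that is not part of any post in this thread. The function names are hypothetical, the `ps` sample is constructed, and GNU `stat` (as shipped on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; SAMPLE_PS is constructed.
# Assumes GNU coreutils stat (as shipped on Ubuntu).

# Read `ps -eo user=,args=` output on stdin; print the nginx master's user.
nginx_master_user() {
    awk '$2 == "nginx:" && $3 == "master" { print $1; exit }'
}

# Same input; print the distinct users the nginx workers run as.
nginx_worker_users() {
    awk '$2 == "nginx:" && $3 == "worker" { print $1 }' | sort -u
}

# Succeed only if directory $1 is owned by user $2 and grants nothing to
# group or other (e.g. drwx------), so only that user can read the keys.
dir_is_private_to() {
    mode=$(stat -c '%a' "$1") || return 2
    owner=$(stat -c '%U' "$1") || return 2
    [ "$owner" = "$2" ] && [ $(( 0$mode & 077 )) -eq 0 ]
}

# Constructed sample of `ps -eo user=,args=` on a healthy server:
# master as root (can read /etc/nginx/ssl), workers dropped to www-data.
SAMPLE_PS='root     nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data nginx: worker process
ubuntu   grep nginx'

echo "master:  $(printf '%s\n' "$SAMPLE_PS" | nginx_master_user)"
echo "workers: $(printf '%s\n' "$SAMPLE_PS" | nginx_worker_users)"

# On a live host:
#   ps -eo user=,args= | nginx_master_user
#   dir_is_private_to /etc/nginx/ssl root && echo "ssl dir OK"
```

A master user of `root` together with a `root`-owned `drwx------` ssl directory is the expected state; `nginx -t` run without `sudo` fails against that same directory because the test opens the files as the invoking user.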
