
This error is from Dovecot, where it can't read the certificate because of permissions. I tried changing permissions around; presently I have everything on 644. I understand the paths are only links to /etc/letsencrypt/archives file paths, so I really don't know what's going on. I don't know how perms on links affect the targets.

mail dovecot: imap(example_user)<28542><mxY1sjPSlsxHvuNn>: 
 Panic: Settings check unexpectedly failed: ssl_client_ca_dir: 
 access(/etc/letsencrypt/live/mail.servicemouse.com) failed: Permission denied
Nikita Kipriyanov
fugee ohu

1 Answer


You need to set reasonable permissions for both the directory where the links are (/etc/letsencrypt/live) and the real files (/etc/letsencrypt/archives). And fix it each time you renew certificates, because new files get "secure" permissions. The following script is what I used some time ago:

#!/bin/bash

#use: certbot renew --post-hook /usr/local/bin/certbot-renew-fix-file-access.sh
# certbot writes fresh archive/<host>/*N.pem files with restrictive modes on
# every renewal, so this hook re-applies the wanted ownership and modes after
# each run and then restarts the services that must pick up the new files.

# Directories on the path need the search bit (x) for whoever traverses them;
# the per-host directories and the key material get no access for "other".
chmod 0755 /etc/letsencrypt/
chmod 0711 /etc/letsencrypt/live/
chmod 0750 /etc/letsencrypt/live/example.com/
chmod 0711 /etc/letsencrypt/archive/
chmod 0750 /etc/letsencrypt/archive/example.com/
chmod 0640 /etc/letsencrypt/archive/example.com/{cert,chain,fullchain}*.pem
chmod 0640 /etc/letsencrypt/archive/example.com/privkey*.pem

# Group "mail" owns the per-host directories and the PEM files, so only root
# and processes running in that group can read them.
chown root:root /etc/letsencrypt/
chown root:root /etc/letsencrypt/live/
chown root:mail /etc/letsencrypt/live/example.com/
chown root:root /etc/letsencrypt/archive/
chown root:mail /etc/letsencrypt/archive/example.com/
chown root:mail /etc/letsencrypt/archive/example.com/{cert,chain,fullchain}*.pem
chown root:mail /etc/letsencrypt/archive/example.com/privkey*.pem

# Restart (not reload) the services that need the renewed certificate.
/etc/init.d/postfix restart
/etc/init.d/cyrus restart
/etc/init.d/apache2 restart

You need to adapt the host name, the group name under which your services run if it's not mail, and the services which need to pick up the new cert after renewal.

Nikita Kipriyanov
  • Are you running Ubuntu? What do you mean by adapt? – fugee ohu Dec 03 '21 at 07:40
  • All those perms have to be so specific, so you can't use one perms mask with the -R option? – fugee ohu Dec 03 '21 at 07:48
  • No, I never run Ubuntu on a server, but this doesn't matter. `certbot` does the same everywhere. The perms are minimal but still allow it to work. You can allow everything to everyone, which will be even easier and shorter, but I don't think this is very secure. – Nikita Kipriyanov Dec 03 '21 at 07:48
  • Everything is chowned root:root on my system. Why set group to mail? – fugee ohu Dec 03 '21 at 07:57
  • Notice I change not only the group to `mail` but also the perms to `xx0` for some objects. So only mail services (which belong to the `mail` group) will be able to access those private keys. You can do it a simpler way, but it will be less secure. The presented script shows the most secure way to do it (e.g. you'll need to have these keys with these permissions somewhere, one way or another). – Nikita Kipriyanov Dec 03 '21 at 07:59
  • And then you would add users postfix and dovecot to group mail? I don't know what xx0 means. Please tell me. If I just ran `chmod -R 644 /etc/letsencrypt/archive`, do you think that would do it? – fugee ohu Dec 03 '21 at 08:06
  • Postfix `master` runs as `root`, so it reads certificates/keys as root and then drops privileges. Apache does the same; notice I restart it, not reload. It's Cyrus that runs as `cyrus:mail` on my server and so requires this setup. I never use Dovecot; I don't know how it runs its processes; the setup is generic. You can set permissions as you wish, but **I *would not* recommend permitting access to everyone**, like 644 does. By the term "xx0" I mean that "everyone" does not have any access; e.g. real modes could be 640, 440, 400, 750, 100, i.e. something (appropriate) which ends with zero. – Nikita Kipriyanov Dec 03 '21 at 08:44
  • How can I see what user and group a process runs as? – fugee ohu Dec 04 '21 at 16:54
  • Technically, `ps axu`, but **read the documentation on your particular software**. Postfix runs some processes as root, some as nobody, for example; it is covered in depth in the documentation, while with this brief exploration you can miss this fact. – Nikita Kipriyanov Dec 04 '21 at 17:07
  • So I found postfix, dovecot, cyrus all running as root with no mention of group. – fugee ohu Dec 04 '21 at 20:49
  • I ran the script; I still have the same problem. – fugee ohu Dec 05 '21 at 00:14
  • +1, also answers this: Issue #5257 https://github.com/certbot/certbot/issues/5257 – Laenka-Oss Oct 05 '22 at 17:24
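As an added illustration of the point the answer makes (this is not code from the question, the answer, certbot or Dovecot), the script below simulates the kernel's access(2) check for a chosen uid and set of gids along a path, following each symlink hop the way the kernel does. It shows concretely why "perms on links" are not the issue: a symlink's own mode bits are never consulted, every directory on the link side (live/...) and on the target side (archive/...) needs the search bit for the credentials of the process doing the lookup, and only the final file needs the read bit. Because the verdict is computed from st_uid/st_gid/st_mode instead of calling access() itself, it can be run as root and still report what a non-root service account would get. `build_demo_tree()` constructs a throwaway stand-in for certbot's layout in a temp directory with the answer's modes; every name in it is made up for the demo. To diagnose the error in the question, point `check_access()` at the real /etc/letsencrypt/live/<host> path with the uid and gids of the account the failing process runs as.

```python
#!/usr/bin/env python3
"""Simulate access(2) for a chosen uid and group set along a path, following
every symlink hop the way the kernel does, and report the first component that
denies.  Added example for this thread, not code from certbot or dovecot: the
verdict is computed from st_uid/st_gid/st_mode, so it runs as any user (even
root) and shows what a service account would get."""
import os
import stat
import tempfile

MAX_LINKS = 40            # Linux's limit on symlink hops in one lookup
BITS = {"r": 4, "w": 2, "x": 1}


def _class_bits(st, uid, gids):
    """Owner, group or other rwx triple of st_mode, whichever applies to uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def _granted(st, uid, gids, need):
    """access(2) rule: root passes everything except x on a file with no x bit."""
    if uid == 0:
        return not (need & 1) or stat.S_ISDIR(st.st_mode) or bool(st.st_mode & 0o111)
    return (_class_bits(st, uid, gids) & need) == need


def check_access(path, uid, gids, want="r"):
    """Return (ok, first_denied_path, trail) for access(path, want) as uid/gids.

    Every directory traversed needs the search bit (x), on the link side and on
    the target side alike; only the final object needs `want`.  A symlink's own
    mode bits are never consulted.  Missing components raise like os.lstat."""
    need = sum(BITS[c] for c in want)
    gids = set(gids)
    if not os.path.isabs(path):
        path = os.path.join(os.getcwd(), path)
    comps = [c for c in path.split("/") if c]   # no normpath: ".." is applied after link resolution
    cur, trail, links = "/", [], 0
    while True:
        st = os.lstat(cur)                      # cur is always a resolved, non-symlink object
        need_here = need if not comps else 1    # intermediate directories: search (x) only
        ok = _granted(st, uid, gids, need_here)
        trail.append("%s mode=%04o uid=%d gid=%d need=%s %s" % (
            cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
            "".join(c for c in "rwx" if need_here & BITS[c]), "ok" if ok else "DENIED"))
        if not ok:
            return False, cur, trail
        if not comps:
            return True, None, trail
        comp = comps.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            cur = os.path.dirname(cur)          # parent is re-checked for x on the next pass
            continue
        nxt = os.path.join(cur, comp)
        lst = os.lstat(nxt)
        if stat.S_ISLNK(lst.st_mode):
            links += 1
            if links > MAX_LINKS:
                raise OSError("too many levels of symbolic links: " + nxt)
            target = os.readlink(nxt)
            trail.append("%s -> %s (symlink; its own mode %04o is ignored)"
                         % (nxt, target, stat.S_IMODE(lst.st_mode)))
            if os.path.isabs(target):
                cur = "/"
            comps = [c for c in target.split("/") if c] + comps   # splice target in, relative to cur
            continue
        cur = nxt


def build_demo_tree():
    """Constructed stand-in for certbot's /etc/letsencrypt layout in a temp
    directory, with the modes from the answer (live 0711, live/<host> 0750,
    archive 0711, archive/<host> 0750, key file 0640).  Returns canonical paths
    and the uid/gid that own the tree."""
    root = tempfile.mkdtemp(prefix="le-demo-")
    os.chmod(root, 0o755)
    live = os.path.join(root, "live", "example.com")
    arch = os.path.join(root, "archive", "example.com")
    os.makedirs(live)
    os.makedirs(arch)
    pem = os.path.join(arch, "privkey1.pem")
    with open(pem, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder, not a key\n-----END PRIVATE KEY-----\n")
    link = os.path.join(live, "privkey.pem")
    os.symlink("../../archive/example.com/privkey1.pem", link)   # certbot's relative link
    for p, mode in ((os.path.dirname(live), 0o711), (live, 0o750),
                    (os.path.dirname(arch), 0o711), (arch, 0o750), (pem, 0o640)):
        os.chmod(p, mode)
    st = os.stat(pem)
    return {"link": link, "live": os.path.realpath(live), "archive": os.path.realpath(arch),
            "owner_uid": st.st_uid, "owner_gid": st.st_gid}


if __name__ == "__main__":
    t = build_demo_tree()
    svc_uid = t["owner_uid"] + 1    # not the owner; stands in for the service account
    for label, gids in (("service in the owning group", {t["owner_gid"]}),
                        ("service outside the group", set())):
        ok, denied, trail = check_access(t["link"], svc_uid, gids, "r")
        print("== %s: %s%s" % (label, "ok" if ok else "DENIED", "" if ok else " at " + denied))
        print("\n".join(trail))
```

Run it once with the service's gid in the set and once without: with the answer's modes the in-group lookup reaches the key, while the out-of-group lookup is refused at live/example.com (0750), before the link is even read. The same walk can be done on a live system with util-linux's `namei -l /etc/letsencrypt/live/<host>/privkey.pem`, which prints owner, group and mode for every component including the link target, but it does not evaluate them against a given account; that is what the simulation above adds.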