26

Here is the error I'm getting:

Reloading nginx configuration: nginx: [emerg] SSL_CTX_use_certificate_chain_file("/path/to/cert.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory error:20074002:BIO routines:FILE_CTRL:system lib error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib) nginx: configuration file /etc/nginx/nginx.conf test failed

I'm 100% sure that the file is at that location but Nginx seems to think that it's not there. I merged the domain.crt and intermediate.crt manually in that order. I've been scratching my head over this one all day. I hope someone has seen this error and has a solution.(and a side note it's not an error in pasting that the file location is show only once and not again after 'no such file or directory').

tgoza
  • 363
  • 1
  • 3
  • 5
  • 3
    `path/to/cert.pem` is certainly _not_ a valid location. – Michael Hampton Sep 09 '13 at 00:29
  • 3
    You are correct to assume that is not the actual path. However I could easily make that a valid part of the location. But either way I am unable to provide you with specifics because of the company that this is being done for. I have to leave out the username. – tgoza Sep 09 '13 at 13:16

6 Answers6

24

Are you sure that the Nginx user has access to the directory?

Also check the permissions of the .pem file, if Nginx cannot access it, it can show as 'no such file or directory'.

If the permissions are right, you might check the actual path again. How you pasted it (which I know you removed the dir) there is no beginning / which could be the problem.

EDIT

Try moving your SSL setup into the following structure (as well as change the nginx.conf to reflect):

sudo mkdir /etc/nginx/ssl
sudo chown -R root:root /etc/nginx/ssl
sudo chmod -R 600 /etc/nginx/ssl

Nginx could be failing on your .pem because the permissions are too open (need source to verify that Nginx does this) but the above setup should work fine.

Jim
  • 391
  • 2
  • 8
  • I double checked the path and it does contain the `/` at the beginning so I changed the question to reflect that. The file is located at `/home/user/subdirs` and all of the file and directory permissions within there are owned by user.www-data (username.group name) and 775 set. And I think that nginx has access to anything owned by www-data, though I could be mistaken. – tgoza Sep 09 '13 at 13:14
  • Always the simple mistakes that take forever to figure out :) Glad you got it worked out. – Jim Sep 16 '13 at 21:10
  • how did it look exactly? I have mine in `$root/keys/` so my cert line looks like `ssl_certificate keys/cert.pem`...do they have to be in the webroot? – bright-star Dec 18 '13 at 08:09
  • Using absolute paths did the trick. – bright-star Dec 18 '13 at 08:11
  • I was using a docker-container and was hitting this issue everytime I recreated the container. adding `chmod -R 600 /etc/nginx/ssl` in my entrypoint solve the issue thanks – Dimitri Kopriwa Jun 29 '17 at 07:55
5

I will leave my answer for my problem, in case someone come across this topic.

I have nginx run inside docker container, and have the same error trying to access the private key file. After scratching my head for several hours, I come to a realization that my docker's nginx does not have the mount volume that contains my data.

The only option to add mount volume is to remove and re-create the container with the -v option: https://docs.docker.com/engine/tutorials/dockervolumes/

docker run -d -P --name docker-nginx -v /etc/ssl/certs:/etc/ssl/certs nginx

Sometimes, trivial things are hard to see. Hope this help.

bizi
  • 151
  • 1
  • 2
  • For the same reason: "trivial things are hard to see", I would like to note that if you are using Docker and a volume to letsencrypt, you should point to the "archive" folder and not the "live" folder. This is because the "live" folder contains just symlinks to the archive one – EuberDeveloper Mar 05 '22 at 02:01
3

A possible scenario:

sometimes it might happens that, when configuring SSL files (private key and certificate) for the Virtualhost which is being configured,it was forgotten to specify the absolute path where these files reside.

For example, if you follow this official doc from Nginx: http://nginx.org/en/docs/http/configuring_https_servers.html

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     tdmssl.crt;
    ssl_certificate_key tdmssl.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

Suppose that you store the SSL files inside "/etc/nginx/conf.d":

root@ilg40:/etc/nginx/conf.d# pwd
/etc/nginx/conf.d
root@ilg40:/etc/nginx/conf.d# ll
total 16
drwxr-xr-x 2 root root 4096 Jan 24 17:39 ./
drwxr-xr-x 5 root root 4096 Jan 24 21:15 ../
-rw-r--r-- 1 root root 1359 Jan 24 17:39 tdmssl.crt
-rw-r--r-- 1 root root 1675 Jan 24 17:39 tdmssl.key

What happens?

By default, when not specified the absolute path for an ordinary file which is used by Nginx, Nginx will search for the files at "/etc/nginx"

From /var/log/nginx/error.log

2017/01/24 21:05:10 [emerg] 13113#0: 
BIO_new_file("/etc/nginx/tdmssl.crt") 
failed(SSL:error:02001002:system library:fopen:
No such file or directory:fopen('/etc/nginx/tdmssl.crt','r') 
error:2006D080:BIO routines:BIO_new_file:no such file)

What must be done ?

To specify the absolute path of the additional files which are used by your Virtualhost configuration.

Like this:

root@ilg40:/etc/nginx/conf.d# cd
root@ilg40:~# cat /etc/nginx/sites-available/tdm 
server {

    listen          443 ssl;
    server_name         tjsdatamanager.redtjs.com;
    ssl_certificate     /etc/nginx/conf.d/tdmssl.crt;
    ssl_certificate_key /etc/nginx/conf.d/tdmssl.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
        include proxy_params;
        proxy_pass http://unix:/etc/tdm/flask/wsgi.sock;
    }

}
ivanleoncz
  • 1,643
  • 6
  • 19
  • 32
0

try to start with /root :

ssl_certificate         /root/path/to/cert.crt;
ssl_certificate_key     /root/path/to/cert.pem;

I solved the problem like this.

Joy

Mr. Squirrel.Downy
  • 101
0

I have encountered the same problem.

[symption]
It can't start with "systemctl restart nginx".
But the command below can start nginx.
"/usr/sbin/nginx"

[cause]
I have used certificate file directly that downloaded from provider.

[resolved]
I have copied the certificate text and pasted it on what I created file (by vim).

José Gomes
  • 3
  • 2
harufumi.abe
  • 101
  • 2
-1

I had the same issue. I had to change the /etc/nginx/sites-enabled/default & default.save files which were auto-added my site name without the .com after it during the setup process, WHICH WAS THE ISSUE IN MY INSTANCE. To keep it short, these two lines needed to be changed in my /etc/nginx/sites-enabled/default. Please note that this file is displayed with a shortcut icon in my file system but I was able to right click the file and edit it with "Edit/Internal Editor" option.

HTTPS - proxy requests on to local Node.js ap# HTTPS - proxy requests on to local Node.js app:

server {
    listen 443;
    server_name switchmagic.com;

    ssl on;
    # Use certificate and key provided by Let's Encrypt:
    ssl_certificate /etc/letsencrypt/live/switchmagic.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/switchmagic.com/privkey.pem;
    # ...
}

When I went through the files and added the .com, which is the naming convention I used to add the file, to the switchmagic references in the file directories which were throwing the errors, all was well! I found a lot of Devs asking the same question so I wanted to throw my solution out there to help as the answers I found were mostly about root permissions, but root permissions were not the issue in my case. Rock on Devs.

Volte
  • 103
  • 4
user3777549
  • 101