
I was trying to increase `client_max_body_size` limits in my `nginx.conf` file, but after executing `service nginx restart`, the system returned an error:

```
2017/02/21 14:39:18 [emerg] 17371#0: SSL_CTX_use_certificate_chain_file("/etc/letsencrypt/live/mywebsiteaddress.com/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied error:20074002:BIO routines:FILE_CTRL:system lib error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
```

I have no idea what might be the issue. Can somebody please help me? Thank you!

Some solutions suggest checking `sestatus -v`, but all I get is `sestatus: command not found`.

I'm on Ubuntu 12.04.5 LTS.

L.T
  • I've tried running `sestatus -v` but all I get is `sestatus: command not found` – L.T Feb 21 '17 at 12:38
  • What are the permissions of the `fullchain.pem` file? – Tero Kilkanen Feb 22 '17 at 01:07
  • Thanks for replying, @TeroKilkanen! Shortcut of `fullchain.pem` (stored in `letsencrypt/live`) has permissions set at 777, `fullchain.pem` itself (stored in `letsencrypt/archive`) is at 644 – L.T Feb 22 '17 at 23:11

1 Answer


The most important part of the error message is `fopen:Permission denied`. It means that the nginx server (which is usually running as the nginx user) can't access the certificate file at `/etc/letsencrypt/live/mywebsiteaddress.com/fullchain.pem`.

As you already tested the permissions of the file (it's 0777), it probably means that nginx can't enter the directories on the path.

You should check the permissions on `/etc/letsencrypt/live/mywebsiteaddress.com/`, `/etc/letsencrypt/live/` and `/etc/letsencrypt/` to verify that nginx can enter the directories (check this answer for details).

If the directories have neither user nor group set to nginx, you can add the enter directory permission to others with

```
chmod o+X /etc/letsencrypt/DIRECTORY_NAME
```

If some of the directories on the path are owned by the nginx group (which they probably should be), you should add the enter directory permission to the group with

```
chmod g+X /etc/letsencrypt/DIRECTORY_NAME
```

Other reasons which can generate permission denied are SELinux (but this is improbable in Ubuntu 12 and you already checked it), chroot, and many others, but these are also improbable (and you would probably have mentioned using some special configuration).

Věroš K.
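The directory checks described in the answer above, as an added example that is not part of the original thread: a shell script that walks each component of the certificate path, then of its symlink target, and prints the first one whose mode bits deny a given user traverse or read access. The function names and the optional BASE argument are made up for this example; it assumes GNU `stat` and `readlink -f`.

```shell
#!/bin/sh
# Added example, not from the thread. Evaluates classic mode bits only
# (no ACLs, AppArmor or SELinux). Needs GNU stat and readlink.

# allows UID "GIDS" PATH BIT: succeed if the mode bits grant BIT (4=r, 1=x)
allows() {
    [ "$1" -eq 0 ] && return 0                   # root is not limited by these bits
    meta=$(stat -L -c '%a %u %g' "$3") || return 1
    set -- "$1" "$2" "$4" $meta                  # now: uid gids bit mode owner group
    perm=$(( 0$4 ))                              # octal mode string as a number
    if [ "$1" -eq "$5" ]; then perm=$(( perm >> 6 ))              # owner class
    else case " $2 " in *" $6 "*) perm=$(( perm >> 3 )) ;; esac   # group class
    fi                                           # otherwise: "other" class
    [ $(( perm & $3 )) -ne 0 ]
}

# first_blocked UID "GIDS" PATH [BASE]: print the first component below BASE
# (default /) that UID cannot traverse (directories) or read (last component)
first_blocked() {
    cur=${4:-}
    rest=${3#"$cur"/}
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        case $rest in
            */*) rest=${rest#*/}; need=1 ;;      # directory: needs x
            *)   rest=""; need=4 ;;              # final file: needs r
        esac
        allows "$1" "$2" "$cur" "$need" || { echo "$cur"; return 1; }
    done
}

# check_cert USER PATH: walk the path as written, then its symlink target.
# The 777 on a live/ symlink says nothing; the target's path decides.
check_cert() {
    uid=$(id -u "$1") && gids=$(id -G "$1") || return 2
    first_blocked "$uid" "$gids" "$2" &&
        first_blocked "$uid" "$gids" "$(readlink -f "$2")"
}

if [ $# -eq 2 ]; then check_cert "$1" "$2"; fi
```

Run it as root so `stat` can see every component, and pass the account named by the `user` directive in `nginx.conf`.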