
In the Nginx configuration, I am trying to load ssl_certificate dynamically using the $ssl_server_name variable:

   ssl_certificate /etc/letsencrypt/live/$ssl_server_name/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/$ssl_server_name/privkey.pem;

I am getting these permission errors:

2019/09/22 08:29:42 [error] 7714#7714: *3 cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib) while SSL handshaking, client: , server: 0.0.0.0:443

But without using a variable, it's working!

  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Is there any way to load ssl_certificate based on server_name dynamically?

I tried a few references but am still unable to solve it.

  1. nginx config using variable in ssl_certificate path throws permissions error
  2. https://trac.nginx.org/nginx/ticket/1744
Mezbah
  • `live` contains symlinks to `archive`. When initially created, `live` and `archive` are accessible only to `root`. You need to allow the Nginx user (whatever it is for your OS) read access. That may be as simple as changing the permissions of those two directories. The linked answer in your question also suggests running certbot as the Nginx user. – Richard Smith Sep 22 '19 at 18:03
  • How did you start nginx? In a normal installation it starts as root by the system, and then drops privileges to the nginx user. You should ensure that if you changed this, that you revert the change. – Michael Hampton Sep 22 '19 at 19:07
  • Running nginx as root, but defined www-data as user in nginx.conf. – Mezbah Sep 22 '19 at 19:19
  • Pretty sure variables get evaluated later than the priv drop. I'd say you're probably outta luck unless you want to open your SSL data to the world. You'd be far better off programmatically generating the config anyway. – womble Sep 23 '19 at 01:18

1 Answer


Just adding the response here in case anyone runs into the same issue.

When nginx starts, it starts as root. If you are not using variables the certificate files can be loaded at this point (as root).

However, if you are using variables, the loading of these files needs to wait until the request arrives, at which point nginx is no longer running as root but as the user you've specified in the .conf. And it looks like this user is not able to read those files.

This is the reason it works without variables (opening files as root) and it doesn't when using them (trying to open files as another user).

You just need to make the nginx user be able to read those files.

curial
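As an added illustration of the answer's point (this is not code from the question or the answer): a small Python check that simulates the permission test the nginx worker process hits when it opens a certificate path with the worker's uid and groups instead of root, following the live/ to archive/ symlinks and checking each directory's x bit and the final file's r bit. It assumes certbot's default layout under /etc/letsencrypt/live; the command-line entry point and the www-data default are assumptions, and the check only models owner/group/other mode bits, not ACLs or SELinux/AppArmor.

```python
"""Simulate the permission check an unprivileged nginx worker hits when it opens a
certificate. Added example (not from the question or answer): it resolves Let's
Encrypt's live/ -> archive/ symlinks and tests each path component for a uid/gid set."""
import os
import stat

def _bit_for(st, uid, gids, usr, grp, oth):
    """Owner, group or other bit, whichever class applies to uid/gids."""
    if st.st_uid == uid:
        return usr
    return grp if st.st_gid in gids else oth

def first_blocking_component(path, uid, gids, start="/"):
    """(component, reason) for the first element of the resolved path that uid/gids
    cannot pass, or None if readable. Everything above `start` is assumed traversable."""
    if uid == 0:
        return None  # root bypasses mode bits: why the master process loads files fine
    base = os.path.realpath(start)
    rel = os.path.relpath(os.path.realpath(path), base)
    if rel.startswith(os.pardir):
        raise ValueError("%s is not under %s" % (path, base))
    components = [base]
    for part in rel.split(os.sep):
        components.append(os.path.join(components[-1], part))
    for current in components:
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return current, "missing"
        if stat.S_ISDIR(st.st_mode):  # directories need x to traverse, files need r
            need, reason = _bit_for(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH), "no x bit"
        else:
            need, reason = _bit_for(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH), "no r bit"
        if not st.st_mode & need:
            return current, reason
    return None

def check_letsencrypt(server_name, uid, gids, live_dir="/etc/letsencrypt/live"):
    """Diagnose the two files the ssl_certificate and ssl_certificate_key lines need."""
    return {name: first_blocking_component(os.path.join(live_dir, server_name, name),
                                           uid, gids, start=os.path.dirname(live_dir))
            for name in ("fullchain.pem", "privkey.pem")}

if __name__ == "__main__":  # usage: python3 certperm.py example.com [www-data]
    import pwd, sys
    pw = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "www-data")
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for name, hit in check_letsencrypt(sys.argv[1], pw.pw_uid, gids).items():
        print(name, "OK" if hit is None else "blocked at %s (%s)" % hit)
```

Run it as root on the host with the server_name from the failing log line; the first blocked component is the directory or file whose permissions need opening up for the worker user, and privkey.pem (0600 by default) usually still needs a group grant after the directories are fixed.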