Let's Encrypt SSL Certificate File Not Found Error, but still working
Solution 1
After several sleepless nights, I finally got it to work. (overkill statement) We all know it was permissions, but exactly where was something to check.
I kept on working with /ect/letsencrypt/live and the directories and files under that. I kept changing permissions from the original to 0755 and 0777. What I did not immediately see was that /etc/letsencrypt/live was a link created from /etc/letsencrypt/archive and it had a 0700 permission. That's why it wasn't able to read the file. After changing the permission of /etc/letsencrypt/archive to 0755, apachectl configtest
already responded with Syntax OK
.
Although the original issue was resolved, I will refer this back to Let's Encrypt because this was all Auto Installation of Certificates. Something like this should not happen in "auto". But my setup might have something to do with the permission issue since I installed it using a non-root user (but I did sudo).
Hope this helps someone.
Solution 2
In my case the files and permissions where not the issue. I was trying to restart the server with apachectl restart
or test the config (apachectl -t
or apachectl configtest
). The user running the command (me) simply didn't have the proper permissions to access the certificates. I just had to prefix the commands with sudo
to run them as root! No more errors, the config test returns "Syntax OK" and I can restart the server. (OK I'm a bit embarrassed it took me so long to figure that one out...)
Solution 3
Agreeing with timeSmith's answer that the permissions on these files and folders are intentionally tight, and should be left as 0700
.
You need to run service httpd
or apachectl
commands as sudo
so that these processes have root privileges and get read access to the letsencrypt certificate folders and files.
Solution 4
The permissions on the cert files are best left very tight. To allow the appropriate processes access to the cert files: start apache using the following commands.
sudo service httpd start
Alternately restart gracefully using this command:
sudo service httpd graceful
Solution 5
As originally commented by Ian Terle, changing the permissions on the "live" directory now fixes the issue:
sudo chmod -R 0755 /etc/letsencrypt/live
Note: I was observing the same error as the OP.
This was confirmed on:
Ubuntu 16.04.2 LTS
Apache/2.4.18 (Ubuntu)
Related videos on Youtube
jarvis
Updated on September 18, 2022Comments
-
jarvis over 1 year
I'm running SSL Certificates from Let's Encrypt. I've got them installed on my Ubuntu machine running Apache. The setup works fine and I can launch the website, see the green padlock and even got an A+ on SSL Labs.
The problem is that when I do apachectl configtest the server would return a file not found error:
SSLCertificateFile: file '/etc/letsencrypt/live/www.example.com/fullchain.pem' not exist or is empty.
But
sudo service apache2 restart
works just fine.I got this question running at Let's Encrypt Community but the issue hasn't been resolved yet.
sudo cat /etc/letsencrypt/live/www.example.com/fullchain.pem
works, returns valid certificate details.sudo x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem
does not work and returns the error below:
Error opening Certificate /etc/letsencrypt/live/www.example.com/fullchain.pem 139774254929568:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/letsencrypt/live/www.example.com/fullchain.pem.','r') 139774254929568:error:2007402:BIO routines:FILE_CTRL:system lib:bss_file.c:400: ubable to load certificate
Any ideas on why I'm getting errors on apachectl configtest and openssl?
Thanks guys!
-
DerfK about 8 yearsAlmost certainly some permission or other error preventing apache from reading the file
-
Tim about 8 yearsYep, likely permissions, like @DerfK said.
-
jarvis about 8 years@DerfK I'm thinking the same. /etc/letsencrypt/live is owned by root with 0700 permission. I tried changing it to 0755 but I continue to get the same error. Everything else inside that directory is 0755 already,, still owned by root.
-
DerfK about 8 years@jarvis in that case it might be SELinux related. Check its audit log and see
audit2allow
-
Grodriguez over 7 yearsSame here. Permissions for
/etc/letsencrypt/archive
and/etc/letsencrypt/live
needed to be manually set to 0755 -
mrtnmgs over 6 yearsThis problem drove me crazy for a while, until I realized it was a much simpler issue than I thought... see my answer below serverfault.com/a/887247/300817
-
-
Cassiano almost 8 yearsI don't know what I'm doing wrong. I have the same issue in
apachectl configtest
. The file exists, thesudo openssl ...
outputs all right. Tried to set permissionssudo chmod -R 0755 /etc/letsencrypt/archive/
and the problem persists... Any ideas? -
Joel almost 8 yearsI had this same issue, I did restart, it 'errored' but actually restarted ok. I simply changed the /live directory permissions and it started working again.
-
Ian Tearle over 7 yearsHave just come across this, whilst the answer is correct, I think with the updates letsencrypt have done recently changing permissions on archive doesn't work. Doing so directly on the live folder does now however.
sudo chmod -R 0755 /etc/letsencrypt/live
-
Fer about 7 yearsI had the same error yet permissions did not solve it for me. I had a working setup that completely broke down after restarting the server. After the restart, it turned out that the linked .pem files were linking to files that did not exist at all. More details here: community.letsencrypt.org/t/…
-
semtex41 over 5 yearsSeeing downvotes, so I suspect this was probably related to a bug of some variety. Please comment if this is now fixed/patched/deprecated.
-
Josh almost 5 yearsThis isn't the issue on Debian machines it seems, but it was the issue on my fedora server. Thanks for saving me many hours.
-
Josh over 4 yearsJokes, it happened on my ubuntu machine too... like a year later...
-
Preston Bennett about 4 yearsyup apachectl command not found until sudo prefaced it. thanks @mrtnmgs
-
youcantexplainthat almost 4 yearsI am not sure it is necessary to start apache with sudo. Certificates seem to work without doing so.
-
youcantexplainthat almost 4 yearsSimply running the config test as sudo is sufficient. There is no need to change the folder permissions.
-
Dimme almost 4 yearsRunning any kind of web server as sudo is a very dangerous practice.
-
timeSmith over 3 yearsYes, if semtex41's answer works then definitely do that.