Welcome! Log In Create A New Profile


what permissions should have letsencrypt private keys and bad-bot-blocker config files?

Posted by audioscavenger 
Nginx cannot load some certificate or files owned by root with permission 0600, even though master process is root.
Best security practices from Apache are to run the master process by root, while children are owned by another user: www or www-data

However, I constantly get these errors for root-owned files with 0600 when I restart nginx:

[emerg] 31246#31246: cannot load certificate "/etc/letsencrypt/live/site/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen('/etc/letsencrypt/live/site/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
[emerg] 2742#2742: open() "/etc/nginx/conf.d/globalblacklist.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:66

and also

[warn] 2742#2742: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:11

To restart nginx i use 'sudo service nginx restart'
The master process is owned by root and the children by www-data, as expected:
root 2610 1 - 0.0 01:36 ? 00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 2611 2610 - 0.0 01:36 ? 00:00:00 nginx: worker process
www-data 2612 2610 - 0.0 01:36 ? 00:00:00 nginx: worker process

/etc/nginx is also owned by root. The permissions for let's encrypt private keys are handled by certbot and I am warry of changing them.

What am I doing wrong??
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 57
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready