Let's Encrypt SSL Certificate File Not Found Error, but still working

Question

I'm running SSL Certificates from Let's Encrypt. I've got them installed on my Ubuntu machine running Apache. The setup works fine and I can launch the website, see the green padlock and even got an A+ on SSL Labs.

The problem is that when I do apachectl configtest the server would return a file not found error:

SSLCertificateFile: file '/etc/letsencrypt/live/www.example.com/fullchain.pem' not exist or is empty.

But sudo service apache2 restart works just fine.

I got this question running at Let's Encrypt Community but the issue hasn't been resolved yet.

sudo cat /etc/letsencrypt/live/www.example.com/fullchain.pem works, returns valid certificate details.

sudo x509 -text -noout -in /etc/letsencrypt/live/www.example.com/fullchain.pem

does not work and returns the error below:

Error opening Certificate /etc/letsencrypt/live/www.example.com/fullchain.pem
139774254929568:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/letsencrypt/live/www.example.com/fullchain.pem.','r')
139774254929568:error:2007402:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
ubable to load certificate

Any ideas on why I'm getting errors on apachectl configtest and openssl?

Thanks guys!

Almost certainly some permission or other error preventing apache from reading the file — DerfK, Apr 28 '16 at 00:18
@DerfK I'm thinking the same. **/etc/letsencrypt/live** is owned by **root** with **0700** permission. I tried changing it to **0755** but I continue to get the same error. Everything else inside that directory is 0755 already,, still owned by root. — jarvis, Apr 28 '16 at 00:22
@jarvis in that case it might be SELinux related. Check its audit log and see `audit2allow` — DerfK, Apr 28 '16 at 16:04
Same here. Permissions for `/etc/letsencrypt/archive` **and** `/etc/letsencrypt/live` needed to be manually set to 0755 — Grodriguez, Jan 31 '17 at 18:16
This problem drove me crazy for a while, until I realized it was a much simpler issue than I thought... see my answer below https://serverfault.com/a/887247/300817 — mrtnmgs, Dec 08 '17 at 17:01

score 15 · Answer 1 · edited Jun 10 '19 at 17:24

15

In my case the files and permissions where not the issue. I was trying to restart the server with apachectl restart or test the config (apachectl -t or apachectl configtest). The user running the command (me) simply didn't have the proper permissions to access the certificates. I just had to prefix the commands with sudo to run them as root! No more errors, the config test returns "Syntax OK" and I can restart the server. (OK I'm a bit embarrassed it took me so long to figure that one out...)

edited Jun 10 '19 at 17:24

Community

1

answered Dec 08 '17 at 17:00

mrtnmgs

271
2
7

This isn't the issue on Debian machines it seems, but it was the issue on my fedora server. Thanks for saving me many hours. – Josh Jun 07 '19 at 19:23
Jokes, it happened on my ubuntu machine too... like a year later... – Josh Aug 13 '19 at 18:35
yup apachectl command not found until sudo prefaced it. thanks @mrtnmgs – Preston Bennett Mar 08 '20 at 15:10

score 7 · Accepted Answer · answered Apr 29 '16 at 17:00

7

After several sleepless nights, I finally got it to work. (overkill statement) We all know it was permissions, but exactly where was something to check.

I kept on working with /ect/letsencrypt/live and the directories and files under that. I kept changing permissions from the original to 0755 and 0777. What I did not immediately see was that /etc/letsencrypt/live was a link created from /etc/letsencrypt/archive and it had a 0700 permission. That's why it wasn't able to read the file. After changing the permission of /etc/letsencrypt/archive to 0755, apachectl configtest already responded with Syntax OK.

Although the original issue was resolved, I will refer this back to Let's Encrypt because this was all Auto Installation of Certificates. Something like this should not happen in "auto". But my setup might have something to do with the permission issue since I installed it using a non-root user (but I did sudo).

Hope this helps someone.

answered Apr 29 '16 at 17:00

jarvis

1,956
4
17
31

1

I don't know what I'm doing wrong. I have the same issue in ``apachectl configtest``. The file exists, the ``sudo openssl ...`` outputs all right. Tried to set permissions ``sudo chmod -R 0755 /etc/letsencrypt/archive/`` and the problem persists... Any ideas? – Cassiano Jun 10 '16 at 11:32
I had this same issue, I did restart, it 'errored' but actually restarted ok. I simply changed the /live directory permissions and it started working again. – Joel Aug 01 '16 at 11:14
2

Have just come across this, whilst the answer is correct, I think with the updates letsencrypt have done recently changing permissions on archive doesn't work. Doing so directly on the live folder does now however. `sudo chmod -R 0755 /etc/letsencrypt/live` – Ian Tearle Aug 15 '16 at 07:35
I had the same error yet permissions did not solve it for me. I had a working setup that completely broke down after restarting the server. After the restart, it turned out that the linked .pem files were linking to files that did not exist at all. More details here: https://community.letsencrypt.org/t/ssl-certificate-does-not-exist-or-is-empty-alternative-root-cause-and-solution/33343 – Fer May 03 '17 at 21:32
1

Simply running the config test as sudo is sufficient. There is no need to change the folder permissions. – youcantexplainthat Jun 28 '20 at 18:43

score 4 · Answer 3 · answered Apr 25 '20 at 15:04

Agreeing with timeSmith's answer that the permissions on these files and folders are intentionally tight, and should be left as 0700.

You need to run service httpd or apachectl commands as sudo so that these processes have root privileges and get read access to the letsencrypt certificate folders and files.

semtex41 · Answer 4 · 2017-04-28T22:00:28.013

2

As originally commented by Ian Terle, changing the permissions on the "live" directory now fixes the issue:

sudo chmod -R 0755 /etc/letsencrypt/live

Note: I was observing the same error as the OP.

This was confirmed on:
Ubuntu 16.04.2 LTS
Apache/2.4.18 (Ubuntu)

edited Apr 28 '17 at 22:00

answered Apr 28 '17 at 21:53

semtex41

149
3

Seeing downvotes, so I suspect this was probably related to a bug of some variety. Please comment if this is now fixed/patched/deprecated. – semtex41 Dec 06 '18 at 01:08

score 2 · Answer 5 · answered Aug 10 '17 at 17:25

2

The permissions on the cert files are best left very tight. To allow the appropriate processes access to the cert files: start apache using the following commands.

sudo service httpd start

Alternately restart gracefully using this command:

sudo service httpd graceful

answered Aug 10 '17 at 17:25

timeSmith

121
1

I am not sure it is necessary to start apache with sudo. Certificates seem to work without doing so. – youcantexplainthat Jun 28 '20 at 18:42
Running any kind of web server as sudo is a very dangerous practice. – Dimme Aug 03 '20 at 12:04
Yes, if [semtex41's answer](https://serverfault.com/questions/773440/lets-encrypt-ssl-certificate-file-not-found-error-but-still-working/847265#847265) works then definitely do that. – timeSmith Oct 15 '20 at 20:31

Let's Encrypt SSL Certificate File Not Found Error, but still working

5 Answers5

Linked