
I'm trying to use the Let's Encrypt certificate for both the Apache HTTPD and Tomcat services on my Ubuntu server VPS.

I found where the letsencrypt certs are stored by looking into the Apache configuration; it was written by the certbot script, and Apache is working fine with this cert.

I used the same path in the Tomcat server.xml configuration, but I get a permission denied error in its log:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)

Oct 11, 2017 9:40:07 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:964)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        ... 13 more

Oct 11, 2017 9:40:07 AM org.apache.catalina.startup.Catalina load

Looking into the permissions I found this:

root@myvps:~# ls -la /etc/letsencrypt/live/mysite.org/
total 12
drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
drwx------ 4 root root 4096 May 23 07:27 ..
lrwxrwxrwx 1 root root   39 Sep 20 06:30 cert.pem -> ../../archive/mysite.org/cert3.pem
lrwxrwxrwx 1 root root   40 Sep 20 06:30 chain.pem -> ../../archive/mysite.org/chain3.pem
lrwxrwxrwx 1 root root   44 Sep 20 06:30 fullchain.pem -> ../../archive/mysite.org/fullchain3.pem
lrwxrwxrwx 1 root root   42 Sep 20 06:30 privkey.pem -> ../../archive/mysite.org/privkey3.pem
-rw-r--r-- 1 root root  543 May 23 07:27 README
root@myvps:~# ls -la /etc/letsencrypt/archive/mysite.org/
total 56
drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
drwx------ 4 root root 4096 May 23 07:27 ..
-rw-r--r-- 1 root root 1818 May 23 07:27 cert1.pem
-rw-r--r-- 1 root root 1814 Jul 22 06:30 cert2.pem
-rw-r--r-- 1 root root 1814 Sep 20 06:30 cert3.pem
-rw-r--r-- 1 root root 1647 May 23 07:27 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 22 06:30 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 20 06:30 chain3.pem
-rw-r--r-- 1 root root 3465 May 23 07:27 fullchain1.pem
-rw-r--r-- 1 root root 3461 Jul 22 06:30 fullchain2.pem
-rw-r--r-- 1 root root 3461 Sep 20 06:30 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 23 07:27 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 22 06:30 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 20 06:30 privkey3.pem

As far as I know, this output of the ls command shows that there is READ permission on the symlink and on the real file for everybody. Am I right? So why is Tomcat complaining about permissions if I'm pointing its cert to /etc/letsencrypt/live/mysite.org/cert.pem?

Tobia
  • www-data and tomcat8. And they are both outside the root group. – Tobia Oct 11 '17 at 07:39
  • Could you show the exact logging info? – Lenniey Oct 11 '17 at 07:43
  • Because I don't think this is a permissions problem, at least not completely. Did you create your tomcat SSL keystore etc.? – Lenniey Oct 11 '17 at 07:47
  • Try `usermod -a -G ssl-cert tomcat8` and see if the permissions issue persists. – Lenniey Oct 11 '17 at 07:55
  • I updated my question with the Tomcat logs. I also tried adding tomcat to the ssl group but it doesn't change anything. I'm using the certificate file directly and not the keystore in the Tomcat configuration. I want to underline that the error logged is only for the private key file and not for the public cert, but both files have the same permissions on the filesystem. – Tobia Oct 12 '17 at 10:08

1 Answer


The problem was that the /etc/letsencrypt/live and /etc/letsencrypt/archive folders are accessible only by root, with permission 700. So even if the inner files are accessible, tomcat cannot read them because of the parent folder permissions while traversing them.

I had to change the folder permissions of /etc/letsencrypt/live and /etc/letsencrypt/archive to 750 and add tomcat to the root user group, and now it works.

Maybe it would be better to change the group owner of these folders to something other than the root group, like ssl-cert.

Tobia
  • _Maybe it would be better to change the group owner of these folders to something other than the root group, like ssl-cert._ Yes, it definitely is. I strongly advise against 77(7) permissions anywhere they aren't needed. Better check the proper permissions and groups. – Lenniey Oct 12 '17 at 15:58
  • In this case I think at least 0750 permission is needed on the cert folder, otherwise tomcat cannot read the certs. I found out that Apache can read the cert with root privileges because it starts as root, reads the certs and afterwards switches to the www-data user. Tomcat doesn't work like Apache. – Tobia Oct 13 '17 at 10:08
  • Yes, but you had *770* in your answer ;). 740 + correct groups etc. is fine. – Lenniey Oct 13 '17 at 10:10
  • Yes, my comment wasn't to say that you were wrong... the opposite, you were right. I looked more carefully at the minimum permission required for folder traversal and then I changed my question and commented here. I added that a group permission is needed because tomcat starts as tomcat, unlike Apache, which starts as root and then switches. I was a bit confused by the Apache user change after startup, so I could not understand how it could read from that folder. – Tobia Oct 13 '17 at 10:15
  • This was very interesting for my solution: https://community.letsencrypt.org/t/can-you-explain-the-folder-permission-of-lets-encrypt-on-ubuntu/44086 – Tobia Oct 13 '17 at 10:16
  • Ah, alright. Yes, Apache is different from Tomcat. Glad you got it working! – Lenniey Oct 13 '17 at 10:54
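The answer and the comment thread make two points that are easy to get wrong: a world-readable file is still unreachable for a non-root service if any directory on the path to it lacks the search (x) bit for that user, and the fix should be a dedicated group on the directories (750), not 77x permissions. The script below is an added example, not code from the question, the answer or the certbot project. It checks every directory on the way to a certificate file (following the live -> archive symlink, since both chains matter here) and reports the ones only their owner can traverse, and it applies the group-based fix from the thread. The function names traversal_blockers and harden_letsencrypt_dirs are my own; the group name is a parameter (ssl-cert is the Debian/Ubuntu convention, the answer used root). It assumes GNU coreutils (stat -c, readlink -f) and getent, i.e. a Linux host.

```shell
#!/bin/sh
# Added example: locate directories that block traversal to a cert file,
# and apply the group-based fix discussed in the thread. Not project code.
# Assumes GNU coreutils (stat -c '%a', readlink -f) and getent.

# _blocking_dirs DIR TOP
# Walk from DIR up to (but not including) TOP and print "MODE PATH" for each
# directory whose mode has neither the group nor the other search bit set
# (both of the last two octal digits even), i.e. only its owner can enter it.
_blocking_dirs() {
    dir=$1
    while [ "$dir" != "$2" ] && [ "$dir" != "/" ]; do
        [ -d "$dir" ] || { printf 'missing %s\n' "$dir"; return 2; }
        mode=$(printf '%04d' "$(stat -c '%a' "$dir")")   # e.g. 700 -> 0700
        oth=${mode#"${mode%?}"}                           # last digit: other
        tmp=${mode%?}
        grp=${tmp#"${tmp%?}"}                             # second to last: group
        case $grp$oth in
            [02468][02468]) printf '%s %s\n' "$mode" "$dir" ;;
        esac
        dir=$(dirname "$dir")
    done
}

# traversal_blockers FILE [TOP]
# Check the directory chain holding FILE and, if FILE is a symlink (as
# live/<site>/privkey.pem is), the chain holding its target as well.
# Prints the blocking directories and returns 1 if any, 0 if none.
traversal_blockers() {
    file=$1
    top=$(readlink -f "${2:-/}")
    linkdir=$(readlink -f "$(dirname "$file")")   # dir holding the link itself
    realdir=$(dirname "$(readlink -f "$file")")   # dir holding the real file
    out=$(
        _blocking_dirs "$linkdir" "$top"
        [ "$realdir" = "$linkdir" ] || _blocking_dirs "$realdir" "$top"
    )
    out=$(printf '%s\n' "$out" | sort -u)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# harden_letsencrypt_dirs LE_ROOT GROUP
# The fix the thread converged on: live/ and archive/ (and the per-site
# directories beneath them) become traversable by GROUP only (0750), private
# keys readable by owner and GROUP only (0640), public cert/chain files
# untouched. If GROUP does not exist the chgrp step is skipped, so the
# service account would then have to join the owning group instead.
# Needs to run as root on a real /etc/letsencrypt.
harden_letsencrypt_dirs() {
    root=$1
    group=$2
    for d in "$root/live" "$root/archive"; do
        [ -d "$d" ] || continue
        if getent group "$group" >/dev/null 2>&1; then
            chgrp -R "$group" "$d"
        fi
        find "$d" -type d -exec chmod 0750 {} +
        find "$d" -type f -name 'privkey*.pem' -exec chmod 0640 {} +
    done
}

# Usage: sh check_cert_access.sh /etc/letsencrypt/live/mysite.org/privkey.pem /etc
[ $# -eq 0 ] || traversal_blockers "$@"
```

Run the check as any user; it only reads mode bits, so it gives the same answer whether or not the caller is root (which is exactly why the "ls shows r-- for everybody" reading in the question was misleading). After harden_letsencrypt_dirs, add the Tomcat service account to the chosen group and restart Tomcat; re-running the check on privkey.pem should then print nothing.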