[BlueOnyx:22717] Re: invalid cert letsencrypt

neal pressman blueonyx at naitram.net
Mon Feb 25 08:32:50 -05 2019


my workaround was to force an ACL with default other read permissions on 
/home/.acme

--
Open WebMail Project (http://openwebmail.org)


---------- Original Message -----------
From: Tomohiro Hosaka <bokutin at gmail.com>
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Sent: Mon, 25 Feb 2019 09:33:07 +0900
Subject: [BlueOnyx:22712] Re: invalid cert letsencrypt

> Hi.
> 
> I have also been getting a similar error since yesterday.
> 
> As a result of examination, I found out that acme.sh is operating with 
> umask 0027.
> 
> # fgrep acme /var/log/httpd/error_log | tail
> [Mon Feb 25 08:56:00 2019] [error] [client 36.3.106.34] mod_mime_magic: can't read `/home/.acme/WZ07_OOEDRtIrOFksk7JlExUApqFuIauj1U_LYI6PRk'
> [Mon Feb 25 08:56:00 2019] [error] [client 36.3.106.34] (13)Permission denied: file permissions deny server access: /home/.acme/WZ07_OOEDRtIrOFksk7JlExUApqFuIauj1U_LYI6PRk
> [Mon Feb 25 09:06:41 2019] [error] [client 66.133.109.36] mod_mime_magic: can't read `/home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM'
> [Mon Feb 25 09:06:41 2019] [error] [client 66.133.109.36] (13)Permission denied: file permissions deny server access: /home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM
> [Mon Feb 25 09:06:44 2019] [error] [client 36.3.106.34] mod_mime_magic: can't read `/home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM'
> [Mon Feb 25 09:06:44 2019] [error] [client 36.3.106.34] (13)Permission denied: file permissions deny server access: /home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM
> [Mon Feb 25 09:13:57 2019] [error] [client 66.133.109.36] mod_mime_magic: can't read `/home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838'
> [Mon Feb 25 09:13:57 2019] [error] [client 66.133.109.36] (13)Permission denied: file permissions deny server access: /home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838
> [Mon Feb 25 09:13:59 2019] [error] [client 36.3.106.34] mod_mime_magic: can't read `/home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838'
> [Mon Feb 25 09:13:59 2019] [error] [client 36.3.106.34] (13)Permission denied: file permissions deny server access: /home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838
> 
> # ls -alt /home/.acme
> drwxr-xr-x   3 root root 4096  2月 25 03:49 2019 .
> -rw-r-----   1 root root   87  2月 25 03:49 2019 stpjboYdlWKv4sDxfRUnypt6XeDgI8YUlTc1-UOhqh8
> -rw-r-----   1 root root   87  2月 24 03:18 2019 jMUJ_Yc2NMm8cM_HNzXcgriCy8b2WK2IgJEDTUM9h0s
> -rw-r-----   1 root root   87  2月 23 03:36 2019 sykYYLtK4lshvptUDveRMJRgzF2fOWdIzKP8VMPs3pY
> -rw-r-----   1 root root   87  2月 22 03:32 2019 sEzuPRmmA6o2vVffGUMdXpQwjeBD3OO91l3JLvNMEV8
> -rw-r-----   1 root root   87  2月 21 03:24 2019 LhfUzEkuQq5F3TNTkSnYgukeUkWzoE41DHmhrBMfcmc
> -rw-r-----   1 root root   87  2月 20 03:46 2019 YsuRaWKPrYlO9ZHKwLTb76q2-YmsuiJnqpjDb03h4D4
> -rw-r-----   1 root root   87  2月 19 03:15 2019 QWOvIc-1R8Ifhiel7VXb-BUXcWcupHJ5GBXPEgqpckE
> -rw-r-----   1 root root   87  2月 18 03:30 2019 acaUgNlTTmzzCcTlRQXbcVdQ7dsrn_5b5EGofM5gQng
> -rw-r-----   1 root root   87  2月 17 03:35 2019 otFMLENF3OMqGnhRffLxWlzVVp_MteDOFNEkPS62S0U
> -rw-r-----   1 root root   87  2月 16 03:27 2019 RzbR8Jo9H2mR0oNc9l2bbfSFaF5MhLUCw1QQwz2x9jE
> -rw-r-----   1 root root   87  2月 15 03:18 2019 3pAsCHt2ALiWeC3B-Wq2yrb4Q7TweUh-yIKPW-EVWKA
> -rw-r-----   1 root root   87  2月 14 03:46 2019 VooZ4e4MtAMIZH6duwGZlJ2YW_45PpwMS3LTARaHg_E
> -rw-r-----   1 root root   87  2月 13 03:12 2019 _b0OH2p5ZRLDciV4AE9P3Jd6cvWKqHwtiu2XpuVY2Ow
> -rw-r-----   1 root root   87  2月 12 03:50 2019 t8DB7wURREeWFOQQwPRXC_w7r0B0hVncWNv9vYO5iaY
> -rw-r-----   1 root root   87  2月 11 03:53 2019 1jgh2OK6MJghNhghRKHLDMLiEppBDPT17_jmwTNbC8w
> -rw-r-----   1 root root   87  2月 10 03:35 2019 3A3HRPZvMiMiVZUu6nNzGye87PBRnRE5JlvRd6-AxKw
> -rw-r-----   1 root root   87  2月  9 03:08 2019 F5zPAq5pleoBGQg8NRvNjRcmec0aleVYeZkW0TPpHk4
> -rw-r-----   1 root root   87  2月  9 03:08 2019 xns5JBt7st3yTTPOYdIdX4pHxbdVXZkWzdpt_PTtIvg
> -rw-r-----   1 root root   87  2月  8 03:24 2019 2IODzHZ-_jmOahcXwxiqDiqoAv5hy0_r35rmOasvXjY
> -rw-r-----   1 root root   87  2月  8 03:24 2019 uV3VhxYu2Rl9QfFTHM_p9ZJlnCQ0hnJieo407Pmjjn8
> -rw-r-----   1 root root   87  2月  7 03:07 2019 HemSwlaxxwEDSasMpwt4pLgkdKBbajZm89BMpLfh-p4
> -rw-r-----   1 root root   87  2月  7 03:07 2019 f8cmQZx9lnNmroVzJG6KQigyzp6Iccrmn1HjtDpmjf4
> -rw-r-----   1 root root   87  2月  6 03:43 2019 QtH26DeuACLRiY6c3l390foz2s382iwL7T7m12scY4Q
> -rw-r-----   1 root root   87  2月  6 03:42 2019 ldy98EisvgMMyozOWkSAZL7ACLS6EG-3_nGxr_FEk58
> -rw-r-----   1 root root   87  2月  5 03:41 2019 Zxh4Xur02AbIjxUx8LaJra3LoWxQC8VzU1x-6KdzsSk
> -rw-r-----   1 root root   87  2月  5 03:41 2019 2uChDzKRLXk-GkY4otS7uW96ZJOsxp7HQfcj_2AlrGc
> -rw-r-----   1 root root   87  2月  4 04:21 2019 689v9kv_8c5VmX1ErNiMYK8RLOM8EqQliNC5wsXpyD0
> -rw-r-----   1 root root   87  2月  4 04:21 2019 Vdg4uROIWFSDYnV0j0TMOBfR5XUQomQhMLb1YgdopD4
> -rw-r-----   1 root root   87  2月  3 03:20 2019 NV1N1hwBopeFzQDdB4cBLpcQ_FcOT8XUzUlBsRrFeD8
> -rw-r-----   1 root root   87  2月  3 03:20 2019 nq2BwY27PrvruagKL_hlJFNSx97re8HkeArfU1bZk-U
> -rw-r--r--   1 root root   87  2月  2 03:50 2019 t_dgmZrfNin7fYA1-GjLQfFDBJoh_OAEUKmozDoMFjM <----- -rw-r--r--
> -rw-r--r--   1 root root   87  2月  2 03:50 2019 eTf6ALWlmBeTl2Jfc9VxBLoitPlz2Mpjw-qCX8Q3ov0
> -rw-r--r--   1 root root   87  2月  2 03:50 2019 SBp4xeuhNapgatN9FOeVrUY6E-tycbH7bCpduGo59tk
> -rw-r--r--   1 root root   87  2月  2 03:50 2019 o_7aUo_Yh1mKnZVT--udhnCG1tvWj63bMTubqQSRckc
> -rw-r--r--   1 root root   87  2月  2 03:50 2019 WxOHuKH1L7aObr3D-p3He27ubReB9P1gs32VPyzBD8Y
> -rw-r--r--   1 root root   87  2月  2 03:50 2019 IXiq_Y-tT7dYV8VOIvTNLs8zmtD8KybSDeanWwUQHZo
> -rw-r--r--   1 root root   87  2月  2 03:49 2019 t730jKPgKUuWx8NPD2K7TQnqZHje6sKBGjH3l96Om3I
> -rw-r--r--   1 root root   87  2月  2 03:49 2019 zaAP7rQ_930ATzW98vfSn_d6l9k-RsMAW9ViTtTiYQI
> -rw-r--r--   1 root root   87  2月  2 03:49 2019 lmH_EGMw-WasMscXje81EMzD23SQe34aoCZnP5HrtIA
> -rw-r--r--   1 root root   87  2月  2 03:49 2019 Jyp0ITip2y5lfAgRiIhIVkSXg2cMj7QjnbVKy0APzT4
>        ^
>        ^
>        ^
> 
> # tail -70 /var/log/yum.log
> Jan 17 06:00:52 Updated: kernel-headers-2.6.32-754.10.1.el6.x86_64
> Jan 17 06:00:52 Updated: 1:cups-libs-1.4.2-80.el6_10.x86_64
> Jan 23 06:00:35 Updated: rsyslog-8.1901.0-1.el6.x86_64
> Jan 23 06:00:35 Updated: rsyslog-mmrm1stspace-8.1901.0-1.el6.x86_64
> Jan 23 06:00:36 Updated: rsyslog-mmjsonparse-8.1901.0-1.el6.x86_64
> Jan 23 06:00:36 Updated: rsyslog-relp-8.1901.0-1.el6.x86_64
> Jan 25 06:00:35 Updated: base-ssl-locale-en_US-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:36 Updated: base-ssl-locale-it_IT-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:36 Updated: base-ssl-ui-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:37 Updated: base-ssl-locale-nl_NL-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:38 Installed: blueonyx-le-acme-2.8.0-3.noarch
> Jan 25 06:00:38 Updated: base-ssl-glue-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:39 Updated: base-ssl-locale-de_DE-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:39 Updated: base-ssl-locale-pt_PT-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:39 Updated: base-ssl-locale-da_DK-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:40 Updated: base-ssl-locale-es_ES-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:40 Updated: base-ssl-locale-fr_FR-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:40 Updated: base-ssl-locale-ja_JP-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:41 Updated: base-ssl-capstone-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:45 Erased: blueonyx-letsencrypt
> Jan 29 06:00:43 Updated: base-ssl-glue-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:43 Updated: blueonyx-le-acme-2.8.0-4.noarch
> Jan 29 06:00:44 Updated: base-ssl-locale-nl_NL-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:44 Updated: base-ssl-ui-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:45 Updated: base-ssl-locale-it_IT-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:45 Updated: base-ssl-locale-fr_FR-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:45 Updated: base-ssl-locale-ja_JP-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:46 Updated: base-ssl-locale-en_US-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:46 Updated: base-ssl-locale-es_ES-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:46 Updated: base-ssl-locale-da_DK-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:47 Updated: base-ssl-locale-pt_PT-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:47 Updated: base-ssl-locale-de_DE-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:47 Updated: base-ssl-capstone-1.3.2-0BX05.el6.noarch
> Feb 04 06:00:31 Updated: base-ssl-glue-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:31 Updated: base-ssl-locale-nl_NL-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:32 Updated: base-ssl-ui-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:32 Updated: base-ssl-locale-it_IT-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:33 Updated: base-ssl-locale-ja_JP-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:33 Updated: base-ssl-locale-fr_FR-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:33 Updated: base-ssl-locale-en_US-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:34 Updated: base-ssl-locale-es_ES-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:34 Updated: base-ssl-locale-da_DK-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:35 Updated: base-ssl-locale-pt_PT-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:35 Updated: base-ssl-locale-de_DE-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:35 Updated: base-ssl-capstone-1.3.2-0BX08.el6.noarch
> Feb 07 06:00:30 Updated: base-ssl-glue-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:30 Updated: base-ssl-locale-fr_FR-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:31 Updated: base-ssl-locale-pt_PT-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:31 Updated: base-ssl-locale-ja_JP-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:31 Updated: base-ssl-locale-de_DE-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:32 Updated: base-ssl-locale-it_IT-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:32 Updated: base-ssl-locale-es_ES-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:33 Updated: base-ssl-locale-en_US-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:33 Updated: base-ssl-ui-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:34 Updated: base-ssl-locale-da_DK-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:34 Updated: base-ssl-locale-nl_NL-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:34 Updated: base-ssl-capstone-1.3.2-0BX10.el6.noarch
> Feb 14 06:00:32 Updated: base-swupdate-locale-it_IT-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:33 Updated: base-swupdate-glue-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:34 Updated: base-swupdate-locale-en_US-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:34 Updated: base-swupdate-locale-da_DK-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:35 Updated: base-swupdate-locale-nl_NL-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:35 Updated: base-swupdate-ui-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:36 Updated: base-swupdate-locale-es_ES-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:36 Updated: base-swupdate-locale-de_DE-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:36 Updated: base-swupdate-locale-pt_PT-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:37 Updated: base-swupdate-locale-ja_JP-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:37 Updated: base-swupdate-locale-fr_FR-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:38 Updated: base-swupdate-capstone-1.6.1-0BX22.el6.noarch
> Feb 18 06:00:28 Updated: solarspeed-ioncube-10.3.2-1.x86_64
> 
> # diff -u /usr/sausalito/acme/acme_wrapper.sh-00
> /usr/sausalito/acme/acme_wrapper.sh
> --- /usr/sausalito/acme/acme_wrapper.sh-00      2019-01-24
> 06:34:43.000000000 +0900
> 
> +++ /usr/sausalito/acme/acme_wrapper.sh 2019-02-25 
> 09:16:33.905178185 +0900 @@ -6,4 +6,5 @@ export 
LE_CONFIG_HOME="/usr/sausalito/acme/data"
>  #alias acme.sh="/usr/sausalito/acme/acme.sh --config-home
> '/usr/sausalito/acme/data'"
> 
> +umask 022
>  /usr/sausalito/acme/acme.sh --config-home 
> '/usr/sausalito/acme/data' "$@
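
Review bot: the added `umask 022` relaxes the default mode for everything acme.sh creates during the run, not only the challenge tokens under /home/.acme; with `LE_CONFIG_HOME="/usr/sausalito/acme/data"` exported just above it, any account or domain key file that acme.sh does not explicitly chmod afterwards would also be born world-readable. Consider scoping the fix to the webroot instead (a default ACL on /home/.acme, or an explicit `chmod o+r` of the token files after acme.sh writes them), or at least confirm after one renewal that the key files under the config home still end up 0600. Separately, the last context line reads `"$@` with no closing quote; if that is the real file content rather than a mail-wrapping artifact, the wrapper will fail to parse.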
> 
> # /usr/sausalito/sbin/letsencrypt_autorenew.pl -a
> It worked fine :)
> 
> Thank you.
> 
> Tomohiro Hosaka
> 
> On Fri, 22 Feb 2019 at 5:38, neal pressman <blueonyx at naitram.net> wrote:
> 
> >
> > for some reason this vhost is not working with Let's Encrypt:
> >
> > I think it's related to the acme rewrite. The other vhost on the same
> > system does not have this problem
> >
> > [Thu Feb 21 14:54:38 2019] [error] [client 64.78.149.164] mod_mime_magic: can't read `/home/.acme/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI', referer: http://www.XXXXXXXXX.com/.well-known/acme-challenge/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI
> > [Thu Feb 21 14:54:38 2019] [error] [client 64.78.149.164] (13)Permission denied: file permissions deny server access: /home/.acme/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI, referer: http://www.XXXXXXXXX.com/.well-known/acme-challenge/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI
> >
> >
> > I don't understand why I would have a permission issue from one vhost and
> > not another
> >
> > --
> > Open WebMail Project (http://openwebmail.org)
> >
> >
> > ---------- Original Message -----------
> > From: "neal pressman" <blueonyx at naitram.net>
> > To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
> > Sent: Thu, 21 Feb 2019 09:14:57 -0400
> > Subject: [BlueOnyx:22708] invalid cert letsencrypt
> >
> > > I have one domain that is not able to renew its cert. Is there a way
> > > to completely remove the cert and start over?
> > >
> > > [Thu Feb 21 08:09:22 EST 2019] di='/usr/sausalito/acme/certs/www.XXXXXXX.com/'
> > > [Thu Feb 21 08:09:22 EST 2019] d='www.XXXXXXX.com'
> > > [Thu Feb 21 08:09:22 EST 2019] Using config home:/usr/sausalito/acme/data
> > > [Thu Feb 21 08:09:22 EST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
> > > [Thu Feb 21 08:09:22 EST 2019] DOMAIN_PATH='/usr/sausalito/acme/certs/www.XXXXXXX.com'
> > > [Thu Feb 21 08:09:22 EST 2019] Renew: 'www.XXXXXXX.com'
> > > [Thu Feb 21 08:09:22 EST 2019] Le_API='https://acme-v01.api.letsencrypt.org/directory'
> > > [Thu Feb 21 08:09:22 EST 2019] Using config home:/usr/sausalito/acme/data
> > > [Thu Feb 21 08:09:22 EST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
> > > [Thu Feb 21 08:09:22 EST 2019] Skip invalid cert for: www.XXXXXXX.com
> > > [Thu Feb 21 08:09:22 EST 2019] Return code: 0
> > > [Thu Feb 21 08:09:22 EST 2019] ===End cron===
> > >
> > > _______________________________________________
> > > Blueonyx mailing list
> > > Blueonyx at mail.blueonyx.it
> > > http://mail.blueonyx.it/mailman/listinfo/blueonyx
> > ------- End of Original Message -------
> >
> 
------- End of Original Message -------
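To turn the thread's diagnosis (tokens written under umask 0027 come out 0640 root:root, so Apache gets `(13)Permission denied`) into a repeatable pre-renewal check, here is an added shell example; it is not code from the thread, from acme.sh or from BlueOnyx, and the token file name it writes is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or BlueOnyx: reproduce why acme.sh
# tokens written under umask 0027 are unreadable to the web server, and
# audit a webroot (e.g. /home/.acme) for such tokens before a renewal.

# Mode a newly created regular file receives for a given umask: the
# shell opens it with 0666 and the umask clears bits, so
# 0027 -> 0640 (no other-read) while 022 -> 0644.
mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Write a constructed sample token into DIR under umask UMASK, the way
# acme_wrapper.sh would, and succeed only if the other-read bit (004) is
# set, i.e. a web server running as a different user could serve it.
token_readable_under_umask() {
    dir=$1 um=$2
    f="$dir/constructed-token-$um"   # hypothetical name, not a real challenge
    rm -f "$f"                        # umask applies only to newly created files
    ( umask "$um"; printf 'token.thumbprint\n' > "$f" )
    # find prints the path only when all bits of 004 are set
    [ -n "$(find "$f" -perm -004 2>/dev/null)" ]
}

# List regular files under DIR that lack the other-read bit; every path
# printed is a token Apache would refuse with "(13)Permission denied".
audit_webroot() {
    find "$1" -type f ! -perm -004
}

# Usage: sh check_acme_webroot.sh /home/.acme
if [ $# -gt 0 ]; then
    audit_webroot "$1"
fi
```

Run against /home/.acme, the audit lists exactly the files that would reappear in error_log as `(13)Permission denied`; Neal's default-ACL approach is a separate fix that this script checks for but does not apply.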



