Hi all, my Phoenix server is failing to start on my EC2 instance because the server says it cannot access my SSL's keyfile. I see this error:
***(ArgumentError) could not start Cowboy2 adapter, the file /etc/letsencrypt/live/www.someapp.com/privkey.pem required by SSL's :keyfile either does not exist, or the application does not have permission to access it***
The key file is accurately specified and exists. When I ls the folder with the symlinks (/etc/letsencrypt/live/www.someapp.com/) I get:
[ec2-user@ip-10-0-1-32 ~]$ sudo ls -l /etc/letsencrypt/live/www.someapp.com
total 4
lrwxrwxrwx 1 root root 39 Jul 19 00:18 cert.pem -> ../../archive/www.someapp.com/cert1.pem
lrwxrwxrwx 1 root root 40 Jul 19 00:18 chain.pem -> ../../archive/www.someapp.com/chain1.pem
lrwxrwxrwx 1 root root 44 Jul 19 00:18 fullchain.pem -> ../../archive/www.someapp.com/fullchain1.pem
lrwxrwxrwx 1 root root 42 Jul 19 00:18 privkey.pem -> ../../archive/www.someapp.com/privkey1.pem
-rw-r--r-- 1 root root 692 Jul 19 00:18 README
Those symlink to these files:
[ec2-user@ip-10-0-1-32 ~]$ sudo ls -l /etc/letsencrypt/archive/www.someapp.com
total 20
-rw-r--r-- 1 root root 2208 Jul 19 00:18 cert1.pem
-rw-r--r-- 1 root root 3749 Jul 19 00:18 chain1.pem
-rw-r--r-- 1 root root 5957 Jul 19 00:18 fullchain1.pem
-rw------- 1 root root 3272 Jul 19 00:18 privkey1.pem
What am I missing? Why is this not working? Any help is appreciated.
1 Like
-rw------- 1 root root 3272 Jul 19 00:18 privkey1.pem

It looks like privkey1.pem is owned by root and can only be read by the owner. Maybe your app is running with a different user, which is not permitted to read the file? If so, you might need to chown or chmod the file to give the right permissions.
2 Likes
Thanks! Your answer pointed me on the right path to at least get the server working. It turns out, that was one of a few permissions issues I needed to fix. To get it working I needed to
sudo chmod 644 /etc/letsencrypt/archive/www.someapp.com/privkey1.pem
sudo chmod 777 /etc/letsencrypt/archive
sudo chmod 777 /etc/letsencrypt/live
I know setting 777 for the parent folders is very poor security and the developers of Certbot do not recommend doing this: see https://github.com/certbot/certbot/issues/7412 and https://community.letsencrypt.org/t/how-should-i-configured-permissions-for-this-server/144822
Researching this has me wondering what the proper way is to do permissioning for my letsencrypt files? What is the recommended approach for setting up SSL with Phoenix/Cowboy? I read that nginx will load those files as root (so the aforementioned chmodding is not needed) and then drop privileges after loading the files. Does Phoenix have a way of doing the same thing? Ideally I'd like to not touch any of the perms or ownership in the letsencrypt directory.
1 Like
It's been a long time since I used Let's Encrypt, but I think the standard way was to keep the original permissions on the archive folder, and rather copy and chown the key to a directory in the correct user home tree.
This reply to the post on the Let’s Encrypt forum that you linked above seems to confirm that.
2 Likes
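As an added example of the copy-and-chown approach described above (this script is not from the thread, and is not Certbot's or Phoenix's own code), here is a certbot deploy hook that copies the renewed key and chain out of /etc/letsencrypt into a directory owned by the application user, so /etc/letsencrypt keeps its default root-only permissions. It relies on two things certbot does provide: deploy hooks run as root after a successful issuance or renewal, and the environment variable RENEWED_LINEAGE holds the live/<name> directory of the renewed certificate. The application user (phoenix), destination directory (/opt/someapp/certs) and service name (someapp.service) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that installs the
# renewed TLS material into an application-owned directory. /etc/letsencrypt
# is left untouched; only the copies get application ownership.
# Assumed: APP_USER=phoenix, CERT_DIR=/opt/someapp/certs, someapp.service.
set -eu

# install_cert LINEAGE DEST OWNER
#   LINEAGE : certbot live/<name> directory holding fullchain.pem and privkey.pem
#   DEST    : directory the application reads its certificate and key from
#   OWNER   : user (and group) running the application; empty string = skip chown
install_cert() {
    lineage=$1; dest=$2; owner=${3:-}

    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || {
        echo "install_cert: missing privkey.pem or fullchain.pem in $lineage" >&2
        return 1
    }

    # Nothing created here is ever group- or world-readable until we say so,
    # and nothing is ever made writable by anyone but the owner.
    umask 077
    mkdir -p "$dest"
    chmod 0750 "$dest"

    # Copy to temporary names and rename into place, so the application never
    # observes a half-written key if it reads the directory mid-renewal.
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"   # public chain: readable is fine
    chmod 0600 "$dest/privkey.pem.tmp"     # private key: owner only, never writable by others
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$dest" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    fi
    mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# When certbot invokes this hook, RENEWED_LINEAGE is set; install the files and
# restart the app, since a running Cowboy listener does not re-read its keyfile.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "${CERT_DIR:-/opt/someapp/certs}" "${APP_USER:-phoenix}"
    systemctl restart someapp.service   # assumed service name
fi
```

Drop the script into /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs every executable there after a renewal) or pass it with `certbot renew --deploy-hook`, run it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/www.someapp.com to seed the directory, and then point the endpoint's `:keyfile` and `:certfile` at /opt/someapp/certs/privkey.pem and /opt/someapp/certs/fullchain.pem instead of the symlinks under /etc/letsencrypt/live. The application user never needs to read /etc/letsencrypt, the three chmod commands from earlier in the thread are not needed, and the copied key stays 0600.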
Got it, yeah that confirms what’s on that linked post. Thanks again.
2 Likes
Absolutely never make key files writeable! There are ways to handle your current predicament as @lucaong said.
2 Likes