webroot fails if group of `.well-known/` is not the process's group

Bug #1685579 reported by Luke Faraone on 2017-04-23
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-certbot (Ubuntu)

Bug Description

/var/www/html/.well-known/ already exists, and is set to owner=letsencrypt, group=root.

$ sudo -u letsencrypt /usr/bin/letsencrypt renew --webroot -w /var/www/html/ --force
Processing /etc/letsencrypt/renewal/SERVER.conf
2017-04-22 22:48:11,135:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/SERVER.conf produced an unexpected error: The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError("Couldn't create root for {0} http-01 challenge responses: {1}", 'zhe.luke.wf', OSError(1, 'Operation not permitted')). Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/SERVER/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

From looking at `strace`:

stat("/var/www/html/.well-known", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
mkdir("/var/www/html/.well-known/acme-challenge", 0755) = 0
stat("/var/www/html/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
chown("/var/www/html/.well-known/acme-challenge", 0, 0) = -1 EPERM (Operation not permitted)

Diving into the code, webroot.py[1] is checking for EACCES and then letting you on your way, when it really should be checking for EPERM.

[1]: https://github.com/certbot/certbot/blob/49d8fd7d61ceba091f7afde4a194a74dd2d3ca8a/letsencrypt/plugins/webroot.py#L83

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: letsencrypt 0.4.1-1
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Sat Apr 22 22:57:59 2017
InstallationDate: Installed on 2014-04-18 (1100 days ago)

 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
PackageArchitecture: all
 PATH=(custom, no user)
SourcePackage: python-letsencrypt
UpgradeStatus: Upgraded to xenial on 2016-06-13 (313 days ago)
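The failure mode traced above (mkdir of `acme-challenge` succeeds, the follow-up chown to the webroot's owner fails with EPERM because the renewer is neither root nor allowed to give the directory away, and the plugin aborts) as an added example. This is illustrative code written for this page, not certbot's webroot plugin and not the reporter's code; the names `classify_oserror`, `prepare_challenge_root`, `chown_outcome` and `demo` are chosen here, and the errno mapping assumes Linux. The point it shows: a refused chown means ownership could not be copied, which is a warning, while EACCES (cannot create or traverse at all) is the fatal case, and the check that actually matters for http-01 is whether the renewing user can write a token file into the directory.

```python
"""Added example, not certbot's code: a webroot-style prepare() that copies
the webroot's mode/ownership onto .well-known/acme-challenge, tolerates a
refused chown (EPERM for an unprivileged renewer), and verifies the directory
is usable before continuing."""
import errno
import os
import stat
import tempfile


def classify_oserror(exc):
    """Map an OSError raised while preparing the challenge root to an action.

    EEXIST: the directory is already there, nothing to do.
    EPERM : chown/chmod refused because we are neither root nor the owner
            (the strace case); the directory may still be perfectly usable.
    EACCES: we cannot traverse or create under the webroot at all; fatal.
    """
    if exc.errno == errno.EEXIST:
        return "exists"
    if exc.errno == errno.EPERM:
        return "cannot_chown"
    if exc.errno == errno.EACCES:
        return "no_access"
    return "fatal"


def prepare_challenge_root(webroot):
    """Create <webroot>/.well-known/acme-challenge, copying the webroot's mode
    and, where permitted, its owner and group. Returns (path, ownership_copied).
    """
    full_path = os.path.join(webroot, ".well-known", "acme-challenge")
    parent = os.stat(webroot)

    try:
        os.makedirs(full_path)
    except OSError as exc:
        if classify_oserror(exc) != "exists":
            raise RuntimeError(
                "Couldn't create root for http-01 challenge responses: %s" % exc)

    ownership_copied = True
    try:
        os.chmod(full_path, stat.S_IMODE(parent.st_mode))
        os.chown(full_path, parent.st_uid, parent.st_gid)
    except OSError as exc:
        if classify_oserror(exc) != "cannot_chown":
            raise RuntimeError(
                "Couldn't set permissions on %s: %s" % (full_path, exc))
        # Unprivileged renewer: ownership stays as it is. Not fatal by itself.
        ownership_copied = False

    # What http-01 actually needs: this process can drop a token file here.
    if not os.access(full_path, os.W_OK | os.X_OK):
        raise RuntimeError(
            "%s exists but is not writable by uid %d" % (full_path, os.getuid()))
    return full_path, ownership_copied


def chown_outcome(path, uid, gid):
    """Attempt the exact chown() seen in the strace and report how it ended."""
    try:
        os.chown(path, uid, gid)
    except OSError as exc:
        return classify_oserror(exc)
    return "ok"


def demo():
    """Constructed scenario: a scratch webroot owned by the current user,
    then a (constructed) token written into the prepared directory."""
    with tempfile.TemporaryDirectory() as webroot:
        path, owned = prepare_challenge_root(webroot)
        token = os.path.join(path, "constructed-token")
        with open(token, "w") as fh:
            fh.write("constructed-key-authorization\n")
        return {
            "relative": os.path.relpath(path, webroot),
            "ownership_copied": owned,
            "token_written": os.path.isfile(token),
            # chown to root:root as in the strace: "ok" only when run as root,
            # "cannot_chown" (EPERM) for an unprivileged user like letsencrypt
            "chown_to_root": chown_outcome(path, 0, 0),
        }


if __name__ == "__main__":
    print(demo())
```

Run it once as root and once as an unprivileged user to see `chown_to_root` flip between `ok` and `cannot_chown` while `token_written` stays true in both cases. The remaining caveat the example does not cover is the web server side: the token must also be readable by the httpd user, which is a question of the directory and file modes, not of who owns them.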

Luke Faraone (lfaraone) wrote:
Changed in python-letsencrypt (Ubuntu):
milestone: none → xenial-updates
affects: python-letsencrypt (Ubuntu) → python-certbot (Ubuntu)