webroot fails if group of `.well-known/` is not the process's group

Bug #1685579 reported by Luke Faraone
Affects: python-certbot (Ubuntu)
Status: New
Importance: Medium
Assigned to: Unassigned

Bug Description

/var/www/html/.well-known/ already exists, and is set to owner=letsencrypt, group=root.

$ sudo -u letsencrypt /usr/bin/letsencrypt renew --webroot -w /var/www/html/ --force
Processing /etc/letsencrypt/renewal/SERVER.conf
2017-04-22 22:48:11,135:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/SERVER.conf produced an unexpected error: The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError("Couldn't create root for {0} http-01 challenge responses: {1}", 'zhe.luke.wf', OSError(1, 'Operation not permitted')). Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/SERVER/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

From looking at `strace`:

stat("/var/www/html/.well-known", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
mkdir("/var/www/html/.well-known/acme-challenge", 0755) = 0
stat("/var/www/html/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
chown("/var/www/html/.well-known/acme-challenge", 0, 0) = -1 EPERM (Operation not permitted)

Diving into the code, webroot.py[1] is checking for EACCES and then letting you on your way, when it really should be checking for EPERM.

[1]: https://github.com/certbot/certbot/blob/49d8fd7d61ceba091f7afde4a194a74dd2d3ca8a/letsencrypt/plugins/webroot.py#L83

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: letsencrypt 0.4.1-1
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Sat Apr 22 22:57:59 2017
InstallationDate: Installed on 2014-04-18 (1100 days ago)
InstallationMedia:

JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: python-letsencrypt
UpgradeStatus: Upgraded to xenial on 2016-06-13 (313 days ago)
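To make the failure mode concrete, here is an added example (not code from the bug report or from certbot itself) that reproduces the mkdir/stat/chown sequence visible in the strace above in Python, with the errno handling the reporter describes (only EACCES tolerated) beside handling that also tolerates EPERM. Names such as PluginError, ensure_challenge_root, chown_denied, run_scenario, BUGGY and FIXED belong to this example only; the chown stand-in that raises EPERM is constructed so the case can be reproduced without an unprivileged user and a root-owned webroot. It also adds a small pre-flight check, chown_needs_privilege, that predicts the EPERM case from the target uid/gid, since without CAP_CHOWN a process may only change a file's group, and only to a group it is a member of.

```python
import errno
import os
import tempfile


class PluginError(Exception):
    """Stand-in for certbot's errors.PluginError (hypothetical, this example only)."""


def chown_needs_privilege(target_uid, target_gid):
    """Pre-flight check: would chown(path, target_uid, target_gid) need CAP_CHOWN?

    Without CAP_CHOWN a process may only change a file's group, and only to a
    group it belongs to, so any other target fails with EPERM (not EACCES).
    """
    if os.geteuid() == 0:
        return False
    own_groups = set(os.getgroups()) | {os.getegid()}
    return target_uid != os.geteuid() or target_gid not in own_groups


def ensure_challenge_root(webroot, tolerated_errnos, chown=os.chown):
    """Create <webroot>/.well-known/acme-challenge and try to give it the
    webroot's owner and group: the mkdir/stat/chown sequence seen in the
    reporter's strace.  A chown failure whose errno is in tolerated_errnos is
    ignored (the directory keeps the creating process's ownership); any other
    failure aborts with PluginError.  chown is injectable so the EPERM case can
    be reproduced without a root-owned webroot.
    """
    challenge_root = os.path.join(webroot, ".well-known", "acme-challenge")
    try:
        os.makedirs(challenge_root, 0o755)
    except OSError as exc:
        if exc.errno != errno.EEXIST:
            raise PluginError(
                "Couldn't create root for http-01 challenge responses: %s" % exc)
    parent = os.stat(webroot)
    try:
        chown(challenge_root, parent.st_uid, parent.st_gid)
    except OSError as exc:
        if exc.errno not in tolerated_errnos:
            raise PluginError(
                "Couldn't create root for http-01 challenge responses: %s" % exc)
    return challenge_root


def chown_denied(path, uid, gid):
    """Constructed stand-in for os.chown run by an unprivileged user against a
    directory whose parent is owned by root:root: the kernel answers EPERM,
    errno 1, the value in the reported OSError(1, 'Operation not permitted')."""
    raise OSError(errno.EPERM, os.strerror(errno.EPERM), path)


# Handling as the reporter describes it: only EACCES is tolerated.
BUGGY = frozenset({errno.EACCES})
# Handling that also tolerates EPERM, the errno chown actually returns here.
FIXED = frozenset({errno.EACCES, errno.EPERM})


def run_scenario(tolerated_errnos, simulate_eperm=True):
    """Run ensure_challenge_root in a throw-away webroot and report the outcome.

    With simulate_eperm the chown stand-in above is used; without it the real
    os.chown runs, which succeeds because the temporary webroot is owned by
    this very process.  Returns "renewed" or "failed".
    """
    chown = chown_denied if simulate_eperm else os.chown
    with tempfile.TemporaryDirectory() as webroot:
        try:
            ensure_challenge_root(webroot, tolerated_errnos, chown=chown)
        except PluginError:
            return "failed"
        return "renewed"


if __name__ == "__main__":
    print("EACCES only :", run_scenario(BUGGY))   # failed, as in the report
    print("EACCES+EPERM:", run_scenario(FIXED))   # renewed
```

The practical check this suggests before handing renewal to an unprivileged user: stat the webroot and ask chown_needs_privilege(st_uid, st_gid); if it returns True, either make the webroot (or at least .well-known/) owned by that user's uid and a group it belongs to, or expect the chown to fail with EPERM rather than EACCES.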

Revision history for this message

Luke Faraone (lfaraone) wrote:
  Changed in python-letsencrypt (Ubuntu):
  milestone: none → xenial-updates

Mathew Hodson (mhodson):
  affects: python-letsencrypt (Ubuntu) → python-certbot (Ubuntu)
