My workaround was to force an ACL with default other-read permissions on /home/.acme.

--
Open WebMail Project (http://openwebmail.org)

---------- Original Message -----------
From: Tomohiro Hosaka <boku...@gmail.com>
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
Sent: Mon, 25 Feb 2019 09:33:07 +0900
Subject: [BlueOnyx:22712] Re: invalid cert letsencrypt

> Hi.
>
> I have also been getting a similar error since yesterday.
>
> On examination, I found out that acme.sh is operating with umask 0027.
>
> # fgrep acme /var/log/httpd/error_log | tail
> [Mon Feb 25 08:56:00 2019] [error] [client 36.3.106.34] mod_mime_magic: can't read `/home/.acme/WZ07_OOEDRtIrOFksk7JlExUApqFuIauj1U_LYI6PRk'
> [Mon Feb 25 08:56:00 2019] [error] [client 36.3.106.34] (13)Permission denied: file permissions deny server access: /home/.acme/WZ07_OOEDRtIrOFksk7JlExUApqFuIauj1U_LYI6PRk
> [Mon Feb 25 09:06:41 2019] [error] [client 66.133.109.36] mod_mime_magic: can't read `/home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM'
> [Mon Feb 25 09:06:41 2019] [error] [client 66.133.109.36] (13)Permission denied: file permissions deny server access: /home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM
> [Mon Feb 25 09:06:44 2019] [error] [client 36.3.106.34] mod_mime_magic: can't read `/home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM'
> [Mon Feb 25 09:06:44 2019] [error] [client 36.3.106.34] (13)Permission denied: file permissions deny server access: /home/.acme/gnoptWZFVzp9bXEeeLm1peyYr4_-rLNO4nXaiLaHwRM
> [Mon Feb 25 09:13:57 2019] [error] [client 66.133.109.36] mod_mime_magic: can't read `/home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838'
> [Mon Feb 25 09:13:57 2019] [error] [client 66.133.109.36] (13)Permission denied: file permissions deny server access: /home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838
> [Mon Feb 25 09:13:59 2019] [error] [client 36.3.106.34] mod_mime_magic: can't read `/home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838'
> [Mon Feb 25 09:13:59 2019] [error] [client 36.3.106.34] (13)Permission denied: file permissions deny server access: /home/.acme/iPdu0NMac_Gf45uRV7h_2YIRmrmjh1GxbPWnohaO838
>
> # ls -alt /home/.acme
> drwxr-xr-x 3 root root 4096 2月 25 03:49 2019 .
> -rw-r----- 1 root root   87 2月 25 03:49 2019 stpjboYdlWKv4sDxfRUnypt6XeDgI8YUlTc1-UOhqh8
> -rw-r----- 1 root root   87 2月 24 03:18 2019 jMUJ_Yc2NMm8cM_HNzXcgriCy8b2WK2IgJEDTUM9h0s
> -rw-r----- 1 root root   87 2月 23 03:36 2019 sykYYLtK4lshvptUDveRMJRgzF2fOWdIzKP8VMPs3pY
> -rw-r----- 1 root root   87 2月 22 03:32 2019 sEzuPRmmA6o2vVffGUMdXpQwjeBD3OO91l3JLvNMEV8
> -rw-r----- 1 root root   87 2月 21 03:24 2019 LhfUzEkuQq5F3TNTkSnYgukeUkWzoE41DHmhrBMfcmc
> -rw-r----- 1 root root   87 2月 20 03:46 2019 YsuRaWKPrYlO9ZHKwLTb76q2-YmsuiJnqpjDb03h4D4
> -rw-r----- 1 root root   87 2月 19 03:15 2019 QWOvIc-1R8Ifhiel7VXb-BUXcWcupHJ5GBXPEgqpckE
> -rw-r----- 1 root root   87 2月 18 03:30 2019 acaUgNlTTmzzCcTlRQXbcVdQ7dsrn_5b5EGofM5gQng
> -rw-r----- 1 root root   87 2月 17 03:35 2019 otFMLENF3OMqGnhRffLxWlzVVp_MteDOFNEkPS62S0U
> -rw-r----- 1 root root   87 2月 16 03:27 2019 RzbR8Jo9H2mR0oNc9l2bbfSFaF5MhLUCw1QQwz2x9jE
> -rw-r----- 1 root root   87 2月 15 03:18 2019 3pAsCHt2ALiWeC3B-Wq2yrb4Q7TweUh-yIKPW-EVWKA
> -rw-r----- 1 root root   87 2月 14 03:46 2019 VooZ4e4MtAMIZH6duwGZlJ2YW_45PpwMS3LTARaHg_E
> -rw-r----- 1 root root   87 2月 13 03:12 2019 _b0OH2p5ZRLDciV4AE9P3Jd6cvWKqHwtiu2XpuVY2Ow
> -rw-r----- 1 root root   87 2月 12 03:50 2019 t8DB7wURREeWFOQQwPRXC_w7r0B0hVncWNv9vYO5iaY
> -rw-r----- 1 root root   87 2月 11 03:53 2019 1jgh2OK6MJghNhghRKHLDMLiEppBDPT17_jmwTNbC8w
> -rw-r----- 1 root root   87 2月 10 03:35 2019 3A3HRPZvMiMiVZUu6nNzGye87PBRnRE5JlvRd6-AxKw
> -rw-r----- 1 root root   87 2月  9 03:08 2019 F5zPAq5pleoBGQg8NRvNjRcmec0aleVYeZkW0TPpHk4
> -rw-r----- 1 root root   87 2月  9 03:08 2019 xns5JBt7st3yTTPOYdIdX4pHxbdVXZkWzdpt_PTtIvg
> -rw-r----- 1 root root   87 2月  8 03:24 2019 2IODzHZ-_jmOahcXwxiqDiqoAv5hy0_r35rmOasvXjY
> -rw-r----- 1 root root   87 2月  8 03:24 2019 uV3VhxYu2Rl9QfFTHM_p9ZJlnCQ0hnJieo407Pmjjn8
> -rw-r----- 1 root root   87 2月  7 03:07 2019 HemSwlaxxwEDSasMpwt4pLgkdKBbajZm89BMpLfh-p4
> -rw-r----- 1 root root   87 2月  7 03:07 2019 f8cmQZx9lnNmroVzJG6KQigyzp6Iccrmn1HjtDpmjf4
> -rw-r----- 1 root root   87 2月  6 03:43 2019 QtH26DeuACLRiY6c3l390foz2s382iwL7T7m12scY4Q
> -rw-r----- 1 root root   87 2月  6 03:42 2019 ldy98EisvgMMyozOWkSAZL7ACLS6EG-3_nGxr_FEk58
> -rw-r----- 1 root root   87 2月  5 03:41 2019 Zxh4Xur02AbIjxUx8LaJra3LoWxQC8VzU1x-6KdzsSk
> -rw-r----- 1 root root   87 2月  5 03:41 2019 2uChDzKRLXk-GkY4otS7uW96ZJOsxp7HQfcj_2AlrGc
> -rw-r----- 1 root root   87 2月  4 04:21 2019 689v9kv_8c5VmX1ErNiMYK8RLOM8EqQliNC5wsXpyD0
> -rw-r----- 1 root root   87 2月  4 04:21 2019 Vdg4uROIWFSDYnV0j0TMOBfR5XUQomQhMLb1YgdopD4
> -rw-r----- 1 root root   87 2月  3 03:20 2019 NV1N1hwBopeFzQDdB4cBLpcQ_FcOT8XUzUlBsRrFeD8
> -rw-r----- 1 root root   87 2月  3 03:20 2019 nq2BwY27PrvruagKL_hlJFNSx97re8HkeArfU1bZk-U
> -rw-r--r-- 1 root root   87 2月  2 03:50 2019 t_dgmZrfNin7fYA1-GjLQfFDBJoh_OAEUKmozDoMFjM   <----- -rw-r--r--
> -rw-r--r-- 1 root root   87 2月  2 03:50 2019 eTf6ALWlmBeTl2Jfc9VxBLoitPlz2Mpjw-qCX8Q3ov0
> -rw-r--r-- 1 root root   87 2月  2 03:50 2019 SBp4xeuhNapgatN9FOeVrUY6E-tycbH7bCpduGo59tk
> -rw-r--r-- 1 root root   87 2月  2 03:50 2019 o_7aUo_Yh1mKnZVT--udhnCG1tvWj63bMTubqQSRckc
> -rw-r--r-- 1 root root   87 2月  2 03:50 2019 WxOHuKH1L7aObr3D-p3He27ubReB9P1gs32VPyzBD8Y
> -rw-r--r-- 1 root root   87 2月  2 03:50 2019 IXiq_Y-tT7dYV8VOIvTNLs8zmtD8KybSDeanWwUQHZo
> -rw-r--r-- 1 root root   87 2月  2 03:49 2019 t730jKPgKUuWx8NPD2K7TQnqZHje6sKBGjH3l96Om3I
> -rw-r--r-- 1 root root   87 2月  2 03:49 2019 zaAP7rQ_930ATzW98vfSn_d6l9k-RsMAW9ViTtTiYQI
> -rw-r--r-- 1 root root   87 2月  2 03:49 2019 lmH_EGMw-WasMscXje81EMzD23SQe34aoCZnP5HrtIA
> -rw-r--r-- 1 root root   87 2月  2 03:49 2019 Jyp0ITip2y5lfAgRiIhIVkSXg2cMj7QjnbVKy0APzT4
> ^
> ^
> ^
>
> # tail -70 /var/log/yum.log
> Jan 17 06:00:52 Updated: kernel-headers-2.6.32-754.10.1.el6.x86_64
> Jan 17 06:00:52 Updated: 1:cups-libs-1.4.2-80.el6_10.x86_64
> Jan 23 06:00:35 Updated: rsyslog-8.1901.0-1.el6.x86_64
> Jan 23 06:00:35 Updated: rsyslog-mmrm1stspace-8.1901.0-1.el6.x86_64
> Jan 23 06:00:36 Updated: rsyslog-mmjsonparse-8.1901.0-1.el6.x86_64
> Jan 23 06:00:36 Updated: rsyslog-relp-8.1901.0-1.el6.x86_64
> Jan 25 06:00:35 Updated: base-ssl-locale-en_US-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:36 Updated: base-ssl-locale-it_IT-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:36 Updated: base-ssl-ui-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:37 Updated: base-ssl-locale-nl_NL-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:38 Installed: blueonyx-le-acme-2.8.0-3.noarch
> Jan 25 06:00:38 Updated: base-ssl-glue-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:39 Updated: base-ssl-locale-de_DE-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:39 Updated: base-ssl-locale-pt_PT-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:39 Updated: base-ssl-locale-da_DK-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:40 Updated: base-ssl-locale-es_ES-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:40 Updated: base-ssl-locale-fr_FR-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:40 Updated: base-ssl-locale-ja_JP-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:41 Updated: base-ssl-capstone-1.3.2-0BX03.el6.noarch
> Jan 25 06:00:45 Erased: blueonyx-letsencrypt
> Jan 29 06:00:43 Updated: base-ssl-glue-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:43 Updated: blueonyx-le-acme-2.8.0-4.noarch
> Jan 29 06:00:44 Updated: base-ssl-locale-nl_NL-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:44 Updated: base-ssl-ui-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:45 Updated: base-ssl-locale-it_IT-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:45 Updated: base-ssl-locale-fr_FR-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:45 Updated: base-ssl-locale-ja_JP-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:46 Updated: base-ssl-locale-en_US-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:46 Updated: base-ssl-locale-es_ES-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:46 Updated: base-ssl-locale-da_DK-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:47 Updated: base-ssl-locale-pt_PT-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:47 Updated: base-ssl-locale-de_DE-1.3.2-0BX05.el6.noarch
> Jan 29 06:00:47 Updated: base-ssl-capstone-1.3.2-0BX05.el6.noarch
> Feb 04 06:00:31 Updated: base-ssl-glue-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:31 Updated: base-ssl-locale-nl_NL-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:32 Updated: base-ssl-ui-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:32 Updated: base-ssl-locale-it_IT-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:33 Updated: base-ssl-locale-ja_JP-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:33 Updated: base-ssl-locale-fr_FR-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:33 Updated: base-ssl-locale-en_US-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:34 Updated: base-ssl-locale-es_ES-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:34 Updated: base-ssl-locale-da_DK-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:35 Updated: base-ssl-locale-pt_PT-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:35 Updated: base-ssl-locale-de_DE-1.3.2-0BX08.el6.noarch
> Feb 04 06:00:35 Updated: base-ssl-capstone-1.3.2-0BX08.el6.noarch
> Feb 07 06:00:30 Updated: base-ssl-glue-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:30 Updated: base-ssl-locale-fr_FR-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:31 Updated: base-ssl-locale-pt_PT-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:31 Updated: base-ssl-locale-ja_JP-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:31 Updated: base-ssl-locale-de_DE-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:32 Updated: base-ssl-locale-it_IT-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:32 Updated: base-ssl-locale-es_ES-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:33 Updated: base-ssl-locale-en_US-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:33 Updated: base-ssl-ui-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:34 Updated: base-ssl-locale-da_DK-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:34 Updated: base-ssl-locale-nl_NL-1.3.2-0BX10.el6.noarch
> Feb 07 06:00:34 Updated: base-ssl-capstone-1.3.2-0BX10.el6.noarch
> Feb 14 06:00:32 Updated: base-swupdate-locale-it_IT-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:33 Updated: base-swupdate-glue-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:34 Updated: base-swupdate-locale-en_US-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:34 Updated: base-swupdate-locale-da_DK-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:35 Updated: base-swupdate-locale-nl_NL-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:35 Updated: base-swupdate-ui-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:36 Updated: base-swupdate-locale-es_ES-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:36 Updated: base-swupdate-locale-de_DE-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:36 Updated: base-swupdate-locale-pt_PT-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:37 Updated: base-swupdate-locale-ja_JP-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:37 Updated: base-swupdate-locale-fr_FR-1.6.1-0BX22.el6.noarch
> Feb 14 06:00:38 Updated: base-swupdate-capstone-1.6.1-0BX22.el6.noarch
> Feb 18 06:00:28 Updated: solarspeed-ioncube-10.3.2-1.x86_64
>
> # diff -u /usr/sausalito/acme/acme_wrapper.sh-00 /usr/sausalito/acme/acme_wrapper.sh
> --- /usr/sausalito/acme/acme_wrapper.sh-00 2019-01-24 06:34:43.000000000 +0900
> +++ /usr/sausalito/acme/acme_wrapper.sh 2019-02-25 09:16:33.905178185 +0900
> @@ -6,4 +6,5 @@ export LE_CONFIG_HOME="/usr/sausalito/acme/data"
>  #alias acme.sh="/usr/sausalito/acme/acme.sh --config-home '/usr/sausalito/acme/data'"
>
> +umask 022
>  /usr/sausalito/acme/acme.sh --config-home '/usr/sausalito/acme/data' "$@
>
> # /usr/sausalito/sbin/letsencrypt_autorenew.pl -a
> It worked fine :)
>
> Thank you.
>
> Tomohiro Hosaka
>
> On Fri, 22 Feb 2019 at 5:38, neal pressman <blueo...@naitram.net> wrote:
> >
> > For some reason this vhost is not working with Let's Encrypt:
> >
> > I think it's related to the acme rewrite. The other vhost on the same
> > system does not have this problem.
> >
> > [Thu Feb 21 14:54:38 2019] [error] [client 64.78.149.164] mod_mime_magic: can't read `/home/.acme/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI', referer: http://www.XXXXXXXXX.com/.well-known/acme-challenge/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI
> > [Thu Feb 21 14:54:38 2019] [error] [client 64.78.149.164] (13)Permission denied: file permissions deny server access: /home/.acme/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI, referer: http://www.XXXXXXXXX.com/.well-known/acme-challenge/6YT48dMOsucrKzLbxmmJ44VeKqzOxM7UiiQoXCPUqeI
> >
> > I don't understand why I would have a permission issue from one vhost and not
> > another.
> >
> > --
> > Open WebMail Project (http://openwebmail.org)
> >
> > ---------- Original Message -----------
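Review bot: the `+umask 022` line in the acme_wrapper.sh hunk sits in front of the one acme.sh invocation, so it loosens the default mode of every file that run creates, not only the http-01 tokens under /home/.acme that httpd must read; the same script exports LE_CONFIG_HOME="/usr/sausalito/acme/data" and the renew log in the thread shows certificates under /usr/sausalito/acme/certs, so after the next renewal check that key material in those directories has not become world-readable, and if it has, scope the fix to the webroot (the default ACL on /home/.acme described in the reply at the top of the thread) instead of a script-wide umask. Separately, the final context line ends in `"$@` with no closing double quote; if that is the real file content rather than extraction loss, the shell will stop on an unterminated string, so confirm the line reads `"$@"`.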
> > From: "neal pressman" <blueo...@naitram.net>
> > To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
> > Sent: Thu, 21 Feb 2019 09:14:57 -0400
> > Subject: [BlueOnyx:22708] invalid cert letsencrypt
> >
> > > I have one domain that is not able to renew its cert. Is there a way
> > > to completely remove the cert and start over?
> > >
> > > [Thu Feb 21 08:09:22 EST 2019] di='/usr/sausalito/acme/certs/www.XXXXXXX.com/'
> > > [Thu Feb 21 08:09:22 EST 2019] d='www.XXXXXXX.com'
> > > [Thu Feb 21 08:09:22 EST 2019] Using config home:/usr/sausalito/acme/data
> > > [Thu Feb 21 08:09:22 EST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
> > > [Thu Feb 21 08:09:22 EST 2019] DOMAIN_PATH='/usr/sausalito/acme/certs/www.XXXXXXX.com'
> > > [Thu Feb 21 08:09:22 EST 2019] Renew: 'www.XXXXXXX.com'
> > > [Thu Feb 21 08:09:22 EST 2019] Le_API='https://acme-v01.api.letsencrypt.org/directory'
> > > [Thu Feb 21 08:09:22 EST 2019] Using config home:/usr/sausalito/acme/data
> > > [Thu Feb 21 08:09:22 EST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
> > > [Thu Feb 21 08:09:22 EST 2019] Skip invalid cert for: www.XXXXXXX.com
> > > [Thu Feb 21 08:09:22 EST 2019] Return code: 0
> > > [Thu Feb 21 08:09:22 EST 2019] ===End cron===
> > ------- End of Original Message -------
------- End of Original Message -------

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
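The failure mode diagnosed in this thread (acme.sh running under umask 0027 writes challenge tokens as -rw-r-----, and httpd then logs "(13)Permission denied" on /home/.acme/...) and the two fixes it arrives at, umask 022 in the wrapper or a default ACL on the webroot, as an added shell example that is not code from the thread, BlueOnyx or acme.sh. It assumes POSIX sh with GNU stat(1), and setfacl(1) for apply_default_acl only; the directory and file names it is run against are whatever the caller passes.

```shell
#!/bin/sh
# Added example (not from the thread, BlueOnyx or acme.sh): audit an ACME
# http-01 webroot such as /home/.acme for tokens the web server cannot read,
# test whether the current umask would produce such tokens, and apply the
# fixes discussed in the thread. Assumes POSIX sh, GNU stat(1), and
# setfacl(1) for apply_default_acl only.

# List regular files directly under $1 that lack the "other" read bit,
# i.e. mode -rw-r----- (640) as produced under umask 0027.
# Prints "<path> <octal mode>" per offender; returns 1 if any were found.
find_unreadable_tokens() {
    dir=$1; found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # e.g. 640 or 644
        other=${mode#"${mode%?}"}          # last octal digit = "other" bits
        if [ $(( other & 4 )) -eq 0 ]; then
            echo "$f $mode"; found=1
        fi
    done
    return $found
}

# Exit 0 when the current umask strips read from "other": tokens created
# now would be -rw-r----- and httpd would log "(13)Permission denied".
umask_masks_other_read() {
    m=$(umask)                             # e.g. 0027
    last=${m#"${m%?}"}                     # final digit only; no octal parsing
    [ $(( last & 4 )) -ne 0 ]
}

# Repair tokens already on disk; the umask 022 change in the wrapper only
# affects files written by later runs.
fix_existing_tokens() {
    for f in "$1"/*; do
        [ -f "$f" ] && chmod o+r "$f"
    done
    return 0
}

# The workaround from the top of the thread: a default ACL so every file
# acme.sh later drops into the webroot inherits other-read regardless of
# the umask the wrapper runs under.
apply_default_acl() {
    setfacl -d -m o::r "$1"
}
```

Run find_unreadable_tokens against the webroot after a renewal to confirm the fix took; a non-empty listing reproduces the condition behind the error_log lines quoted in the thread.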