Public bug reported:

/var/www/html/.well-known/ already exists, and is set to owner=letsencrypt, group=root.

$ sudo -u letsencrypt /usr/bin/letsencrypt renew --webroot -w /var/www/html/ --force
Processing /etc/letsencrypt/renewal/SERVER.conf
2017-04-22 22:48:11,135:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/SERVER.conf produced an unexpected error: The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError("Couldn't create root for {0} http-01 challenge responses: {1}", 'zhe.luke.wf', OSError(1, 'Operation not permitted')). Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/SERVER/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

From looking at `strace`:

stat("/var/www/html/.well-known", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
mkdir("/var/www/html/.well-known/acme-challenge", 0755) = 0
stat("/var/www/html/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
chown("/var/www/html/.well-known/acme-challenge", 0, 0) = -1 EPERM (Operation not permitted)

Diving into the code, webroot.py[1] is checking for EACCES and then letting you on your way, when it really should be checking for EPERM.

[1]: https://github.com/certbot/certbot/blob/49d8fd7d61ceba091f7afde4a194a74dd2d3ca8a/letsencrypt/plugins/webroot.py#L83

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: letsencrypt 0.4.1-1
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Sat Apr 22 22:57:59 2017
InstallationDate: Installed on 2014-04-18 (1100 days ago)
InstallationMedia:
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
 Users in the 'systemd-journal' group can see all messages. Pass -q to turn off this notice.
 No journal files were opened due to insufficient permissions.
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: python-letsencrypt
UpgradeStatus: Upgraded to xenial on 2016-06-13 (313 days ago)

** Affects: python-letsencrypt (Ubuntu)
     Importance: Medium
         Status: New

** Tags: amd64 apport-bug uec-images xenial

** Changed in: python-letsencrypt (Ubuntu)
    Milestone: None => xenial-updates

https://bugs.launchpad.net/bugs/1685579

Title:
  webroot fails if group of `.well-known/` is not the process's group
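
The errno distinction the report turns on, as an added example (not certbot's code and not part of the original report): chown() by a process that lacks the privilege to change ownership fails with EPERM, not EACCES, so an ownership step that tolerates only EACCES aborts when renewal runs as an unprivileged user. `make_challenge_dir`, `fake_chown_eperm` and `demo` are hypothetical names, and the injected chown is a constructed stand-in for the failing call in the strace.

```python
import errno
import os
import tempfile


def make_challenge_dir(webroot, chown=os.chown,
                       tolerated=(errno.EACCES, errno.EPERM)):
    """Create <webroot>/.well-known/acme-challenge and try to give it the
    webroot's owner and group (the mkdir/stat/chown sequence in the strace).
    Returns (path, ownership_matched)."""
    path = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(path, mode=0o755, exist_ok=True)
    st = os.stat(webroot)
    try:
        chown(path, st.st_uid, st.st_gid)
    except OSError as exc:
        # Matching ownership is best effort: an unprivileged process may
        # not be allowed to do it. Any other error is still fatal.
        if exc.errno not in tolerated:
            raise
        return path, False
    return path, True


def fake_chown_eperm(path, uid, gid):
    # Constructed stand-in for chown(path, 0, 0) issued by a non-root user.
    raise OSError(errno.EPERM, os.strerror(errno.EPERM), path)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        # Behaviour described in the report: only EACCES is tolerated.
        try:
            make_challenge_dir(webroot, chown=fake_chown_eperm,
                               tolerated=(errno.EACCES,))
            results["eacces_only"] = "ok"
        except OSError as exc:
            results["eacces_only"] = errno.errorcode[exc.errno]
        # Tolerating EPERM as well: the directory is usable, ownership
        # simply stays with the unprivileged user.
        path, matched = make_challenge_dir(webroot, chown=fake_chown_eperm)
        results["both"] = (os.path.isdir(path), matched)
    return results


if __name__ == "__main__":
    print(demo())
```

When the chown is skipped, the challenge directory stays owned by the renewing user, so the web server can serve it only if the 0755 mode (or the directory's group) grants it read and search access.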