Public bug reported:

/var/www/html/.well-known/ already exists, and is set to
owner=letsencrypt, group=root.

$ sudo -u letsencrypt /usr/bin/letsencrypt renew --webroot -w /var/www/html/ --force
Processing /etc/letsencrypt/renewal/SERVER.conf
2017-04-22 22:48:11,135:WARNING:letsencrypt.cli:Attempting to renew cert from 
/etc/letsencrypt/renewal/SERVER.conf produced an unexpected error: The webroot 
plugin is not working; there may be problems with your existing configuration.
The error was: PluginError("Couldn't create root for {0} http-01 challenge 
responses: {1}", 'zhe.luke.wf', OSError(1, 'Operation not permitted')). 
Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/SERVER/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)


From looking at `strace`:

stat("/var/www/html/.well-known", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
mkdir("/var/www/html/.well-known/acme-challenge", 0755) = 0
stat("/var/www/html/", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
chown("/var/www/html/.well-known/acme-challenge", 0, 0) = -1 EPERM (Operation not permitted)


Diving into the code, webroot.py[1] is checking for EACCES and then letting 
you on your way, when it really should be checking for EPERM.

[1]:
https://github.com/certbot/certbot/blob/49d8fd7d61ceba091f7afde4a194a74dd2d3ca8a/letsencrypt/plugins/webroot.py#L83

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: letsencrypt 0.4.1-1
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Sat Apr 22 22:57:59 2017
InstallationDate: Installed on 2014-04-18 (1100 days ago)
InstallationMedia:
 
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] 
failed with exit code 1: Hint: You are currently not seeing messages from other 
users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: python-letsencrypt
UpgradeStatus: Upgraded to xenial on 2016-06-13 (313 days ago)

** Affects: python-letsencrypt (Ubuntu)
     Importance: Medium
         Status: New


** Tags: amd64 apport-bug uec-images xenial

** Changed in: python-letsencrypt (Ubuntu)
    Milestone: None => xenial-updates

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1685579

Title:
  webroot fails if group of `.well-known/` is not the process's group

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-letsencrypt/+bug/1685579/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
