SSL cert rollover not working - permissions issue?

Problem Description

root@srv-pfb68:/srv/something.co.uk/config/ssl# symbiosis-ssl --verbose something.co.uk
* Examining certificates for something.co.uk
	SSL set 0: Not valid for something.co.uk -- certificate has expired (10)
	!! Failed: Permission denied @ rb_file_s_symlink - (/srv/something.co.uk/config/ssl/sets/1, /srv/something.co.uk/config/ssl/current)



root@srv-pfb68:~# ls -al /srv/something.co.uk/config/ssl/ -d
drwxrws--x 5 sympl sympl 4096 Sep 22 10:47 /srv/something.co.uk/config/ssl/

root@srv-pfb68:~# ls -al /srv/something.co.uk/config/ssl/sets
total 16
drwxrws--x 4 sympl ssl-cert 4096 Nov 21 06:25 .
drwxrws--x 5 sympl sympl    4096 Sep 22 10:47 ..
drwxrws--x 2 sympl ssl-cert 4096 Sep 22 10:47 0
drwxrws--x 2 sympl ssl-cert 4096 Nov 21 06:25 1

What are the correct/required permissions?

Environment

  • Sympl Version [9.0/10.0]: sympl-core 10.0.200923.0
  • Sympl Testing Version? [Yes/No] No
  • Debian Version [Buster/Stretch]: Buster
  • Hardware Type? [Dedicated/Virtual/Pi] Virtual Machine via Brightbox.

My domains all have the same permissions as yours, so I don’t think there is anything wrong in that respect:

ls -ld /srv/roguetory.org.uk/config/ssl
drwxrws--x 4 sympl sympl 4096 Dec 17 07:02 /srv/roguetory.org.uk/config/ssl

$ ls -ld /srv/roguetory.org.uk/config/ssl/sets
drwxrws--x 4 sympl ssl-cert 4096 Dec 17 07:02 /srv/roguetory.org.uk/config/ssl/sets

ls -la /srv/roguetory.org.uk/config/ssl/sets
total 16
drwxrws--x 4 sympl ssl-cert 4096 Dec 17 07:02 .
drwxrws--x 4 sympl sympl    4096 Dec 17 07:02 ..
drwxrws--x 2 sympl ssl-cert 4096 Oct 18 15:11 0
drwxrws--x 2 sympl ssl-cert 4096 Dec 17 07:02 1

Sounds like something went wrong with the ‘current’ symlink - the symlink should normally be owned by sympl:sympl, but you can reset its permissions with chown -h sympl:sympl /srv/example.com/config/ssl/current, or just remove it and run sudo sympl-ssl to recreate it.

Ah hah, finally figured out the problem …

/srv/something.co.uk was owned by debian:debian (uid/gid 1000).

chown sympl:sympl /srv/something.co.uk allowed sympl-ssl to work.
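
An ownership check covering every level this thread looked at, including the domain directory itself, as an added example that is not part of the original posts or of Sympl. The function name check_ssl_path_owner is hypothetical, the default owner sympl is taken from the listings above, and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Sympl).
# Reports mode, owner and group of each directory from the domain root down
# to config/ssl/sets, plus the 'current' symlink, and flags any owner that
# differs from the expected one. Requires GNU stat (coreutils).
check_ssl_path_owner() {
    d=${1%/}                # domain directory, e.g. /srv/example.com
    expected=${2:-sympl}    # owner seen in the listings in this thread
    bad=0
    for path in "$d" "$d/config" "$d/config/ssl" \
                "$d/config/ssl/sets" "$d/config/ssl/current"; do
        # -e follows symlinks; -L also catches a dangling 'current' link
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            printf '%-8s %s\n' 'MISSING' "$path"
            continue
        fi
        # Without -L, stat describes the link itself (what chown -h changes)
        owner=$(stat -c '%U' "$path")
        detail=$(stat -c '%A %U:%G' "$path")
        if [ "$owner" = "$expected" ]; then
            printf '%-8s %s  %s\n' 'ok' "$detail" "$path"
        else
            printf '%-8s %s  %s\n' 'MISMATCH' "$detail" "$path"
            bad=1
        fi
    done
    # 0 when every existing path has the expected owner, 1 otherwise
    return "$bad"
}

# Run directly: sh check.sh /srv/example.com [owner]
if [ "$#" -ge 1 ]; then
    check_ssl_path_owner "$@"
fi
```

A missing 'current' link is reported but not counted as a mismatch, since it can be removed and recreated as described above.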