Nginx emerg: cannot load certificate "/etc/letsencrypt/live/mail.example.com/fullchain.pem". How do I fix this Nginx error?

I am running a LEMP email/web server on Ubuntu 20.04. My Nginx user is www-data. I also have roundcube installed in /var/www/roundcube. In my Nginx log I get the following error:

2023/07/01 00:00:18 [emerg] 337875#337875: cannot load certificate "/etc/letsencrypt/live/mail.example.com/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/mail.example.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)

My mail.example.com.conf virtual host file looks like this:

server {
    # Restrict access to LAN / Work / Home IP's
    allow lan.ip.address.0/24; # LAN IP Address
    allow xxx.xx.xxx.xxx/32; # Home IP address
    allow xxx.xxx.xxx.xxx/32; # Work IP Address
    deny all;
    error_page 403 =444;

    # Begin Server Directives
    server_name mail.example.com;
    root /var/www/roundcube/;
    index index.php index.html index.htm;

    # Logs
    error_log /var/log/nginx/mail.example.com.error.log;
    access_log /var/log/nginx/mail.example.com.access.log;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        include snippets/fastcgi-php.conf;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    location ~ ^/(bin|SQL)/ {
        deny all;
    }
    # A long browser cache lifetime can speed up repeat visits to your page
    location ~ \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
        access_log off;
        log_not_found off;
        expires 360d;
    }

    listen *:443 ssl;
    http2 on;
    ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # Perfect Forward Secrecy Diffie-Hellman 4098 parameters
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    #ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by admin

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/mail.example.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}
server {
    if ($host = mail.example.com) {
        return 301 https://$host$request_uri;
    }
    # managed by Certbot

    # Restrict access to LAN / Work / Home IP's
    allow lan.ip.address.0/24; # LAN IP Address
    allow xxx.xx.xxx.xxx/32; # Home IP address
    allow xxx.xxx.xxx.xxx/32; # Work IP Address
    deny all;
    error_page 403 =444;

    # Begin Server Directives
    listen *:80;
    server_name mail.example.com;
    root /var/www/roundcube/;
    index index.php index.html index.htm;

    error_log /var/log/nginx/mail.example.com.error.log;
    access_log /var/log/nginx/mail.example.com.error.log;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        #try_files $uri =404;
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        include snippets/fastcgi-php.conf;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    location ~ ^/(bin|SQL)/ {
        deny all;
    }
    # LINUXBABE + Extra Extensions
    # A long browser cache lifetime can speed up repeat visits to your page
    location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|jpeg|webp|svg|woff|woff2|ttf|css|js|ico|xml|otf|woff|woff2)$ {
        access_log off;
        log_not_found off;
        expires 1y;
    }
}

The output of ls -la /etc/letsencrypt/ is:

drwxr-xr-x   9 root root  4096 Jul  1 14:49 .
drwxr-xr-x 156 root root 12288 Jul  1 20:15 ..
drwxr-xr-x   4 root root  4096 Dec 31 23:12 accounts
drwxr-x---  10 root root  4096 Jan 10 22:58 archive
-rw-r--r--   1 root root  1435 Dec  8  2021 cli.ini
-rw-r--r--   1 root root   121 Dec  8  2021 cli.nin.orig
drwxr-xr-x   2 root root 28672 May 29 12:01 csr
drwx------   2 root root 24576 May 29 12:01 keys
drwxr-x---  10 root root  4096 Jan 10 22:58 live
-rw-r--r--   1 root root   741 Jun 22  2021 options-ssl-nginx.conf
drwxr-xr-x   2 root root  4096 May 29 12:01 renewal
drwxr-xr-x   5 root root  4096 Dec 31 23:12 renewal-hooks
-rw-r--r--   1 root root   424 Jun 22  2021 ssl-dhparams.pem
-rw-r--r--   1 root root    64 Jun 22  2021 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--   1 root root    64 Jun 22  2021 .updated-ssl-dhparams-pem-digest.txt

The output of ls -la /etc/letsencrypt/live is:

total 44
drwxr-x--- 10 root root 4096 Jan 10 22:58 .
drwxr-xr-x  9 root root 4096 Jul  1 14:49 ..
drwxr-xr-x  2 root root 4096 May 29 12:00 mail.example.com

  1. What exactly does this error mean?
  2. What is causing this error?
  3. How do I fix this error?

Answer 1

To answer your questions:

  1. The error message is quite straightforward; look at this snippet in it:

    error:0200100D:system library:fopen:Permission denied:

    So the error message means that the system could not open the file you specified in the configuration because your www user does not have the appropriate permissions.

  2. When working with Nginx, be aware that it always needs read and execute permissions on the entire path to any file it needs to access. Since you have already provided the output of your folder permissions, we can see that the /etc/letsencrypt/live folder lacks read and execute permissions for the www user:

    drwxr-x---  10 root root  4096 Jan 10 22:58 live

    The /etc directory may also not have the appropriate permissions.

  3. To fix the error, you can either assign appropriate permissions to the path, i.e. chmod o+rx /etc/letsencrypt/live, or you can move the certificates somewhere the www user is already allowed to access, for example somewhere near (but not inside) your webroot folder. Assigning file ownership (or group ownership) to Nginx for the sensitive paths and files it needs to access is also a common practice, since that lets you keep stricter permissions on the files and does not allow every user on the system to read them.
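As an added diagnostic example (not part of the original question or answer), the following POSIX shell function walks every component between a certificate file and a stop directory and flags any directory lacking read+execute, or file lacking read, for "other", which is what an Nginx worker running as www-data falls back on when it neither owns the path nor shares its group. It goes one step beyond the answer by resolving the symlink first, because Certbot's live/*.pem entries point into /etc/letsencrypt/archive/ (also drwxr-x--- in the listing above), so that directory must be opened as well; the stop-directory argument and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): report every path component
# between a file and a stop directory whose "other" permission bits would
# block a daemon that neither owns the path nor belongs to its group.
# Directories must carry r and x, plain files r, as the answer describes.
# The symlink chain is resolved first because Certbot's live/*.pem entries
# point into archive/, so that directory needs opening as well.
# Usage: check_path /etc/letsencrypt/live/mail.example.com/fullchain.pem
check_path() {
    target=$1
    stop=${2:-/}          # optional stop directory (assumption of this example)
    rc=0
    real=$(readlink -f "$target" 2>/dev/null) || real=$target
    set -- "$target"
    [ "$real" = "$target" ] || set -- "$target" "$real"
    for start in "$@"; do
        p=$start
        while [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
            mode=$(ls -ld "$p" 2>/dev/null | cut -c1-10)
            [ -n "$mode" ] || { echo "MISSING $p"; return 2; }
            other=$(printf '%s' "$mode" | cut -c8-10)
            case $mode in
                d*) pat='r?[xt]' ;;   # directory: read + traverse (t = sticky)
                l*) pat='???' ;;      # the link itself imposes no restriction
                *)  pat='r??' ;;      # regular file: read
            esac
            case $other in
                $pat) echo "OK      $mode $p" ;;
                *)    echo "DENIED  $mode $p"; rc=1 ;;
            esac
            p=$(dirname "$p")
        done
    done
    return $rc
}
```

The function exits non-zero when any component is blocked, so it can be run from a Certbot deploy hook to catch a tightened directory before Nginx reloads.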
