我正在使用 Ubuntu 20.04 运行 LEMP 电子邮件/Web 服务器。我的 Nginx 用户是 www-data。我还在 /var/www/roundcube 中安装了 roundcube。在我的 Nginx 日志中,我收到以下错误:
2023/07/01 00:00:18 [emerg] 337875#337875: cannot load certificate "/etc/letsencrypt/live/mail.example.com/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/mail.example.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
我的 mail.example.com.conf 虚拟主机文件如下所示:
server {
# Restrict access to LAN / Work / Home IP's
allow lan.ip.address.0/24; # LAN IP Address
allow xxx.xx.xxx.xxx/32; # Home IP address
allow xxx.xxx.xxx.xxx/32; # Work IP Address
deny all;
error_page 403 =444;
# Begin Server Directives
server_name mail.example.com;
root /var/www/roundcube/;
index index.php index.html index.htm;
# Logs
error_log /var/log/nginx/mail.example.com.error.log;
access_log /var/log/nginx/mail.example.com.access.log;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
location ~ /.well-known/acme-challenge {
allow all;
}
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
# A long browser cache lifetime can speed up repeat visits to your page
location ~ \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
access_log off;
log_not_found off;
expires 360d;
}
listen *:443 ssl;
http2 on;
ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# Perfect Forward Secrecy Diffie-Hellman 4098 parameters
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
#ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by admin
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/mail.example.com/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = mail.example.com) {
return 301 https://$host$request_uri;
}
# managed by Certbot
# Restrict access to LAN / Work / Home IP's
allow lan.ip.address.0/24; # LAN IP Address
allow xxx.xx.xxx.xxx/32; # Home IP address
allow xxx.xxx.xxx.xxx/32; # Work IP Address
deny all;
error_page 403 =444;
# Begin Server Directives
listen *:80;
server_name mail.example.com;
root /var/www/roundcube/;
index index.php index.html index.htm;
error_log /var/log/nginx/mail.example.com.error.log;
access_log /var/log/nginx/mail.example.com.error.log;
location / {
try_files $uri $uri/ /index.php;
}
location ~ \.php$ {
#try_files $uri =404;
# Pass FastCGI to PHP7.4 with included settings in the snippet
include snippets/fastcgi-php.conf;
}
location ~ /.well-known/acme-challenge {
allow all;
}
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
# LINUXBABE + Extra Extensions
# A long browser cache lifetime can speed up repeat visits to your page
location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|jpeg|webp|svg|woff|woff2|ttf|css|js|ico|xml|otf|woff|woff2)$ {
access_log off;
log_not_found off;
expires 1y;
}
}
的输出ls -la /etc/letsencrypt/为:
drwxr-xr-x 9 root root 4096 Jul 1 14:49 .
drwxr-xr-x 156 root root 12288 Jul 1 20:15 ..
drwxr-xr-x 4 root root 4096 Dec 31 23:12 accounts
drwxr-x--- 10 root root 4096 Jan 10 22:58 archive
-rw-r--r-- 1 root root 1435 Dec 8 2021 cli.ini
-rw-r--r-- 1 root root 121 Dec 8 2021 cli.nin.orig
drwxr-xr-x 2 root root 28672 May 29 12:01 csr
drwx------ 2 root root 24576 May 29 12:01 keys
drwxr-x--- 10 root root 4096 Jan 10 22:58 live
-rw-r--r-- 1 root root 741 Jun 22 2021 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 May 29 12:01 renewal
drwxr-xr-x 5 root root 4096 Dec 31 23:12 renewal-hooks
-rw-r--r-- 1 root root 424 Jun 22 2021 ssl-dhparams.pem
-rw-r--r-- 1 root root 64 Jun 22 2021 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r-- 1 root root 64 Jun 22 2021 .updated-ssl-dhparams-pem-digest.txt
的输出ls -la /etc/letsencrypt/live为:
total 44
drwxr-x--- 10 root root 4096 Jan 10 22:58 .
drwxr-xr-x 9 root root 4096 Jul 1 14:49 ..
drwxr-xr-x 2 root root 4096 May 29 12:00 mail.example.com
- 这个错误到底是什么意思?
- 导致此错误的原因是什么?
- 我该如何修复这个错误?
答案1
回答您的问题:
错误信息非常简单明了,看看里面的这个代码片段:
错误:0200100D:系统库:fopen:权限被拒绝:
因此,错误消息意味着系统无法打开您在配置中指定的文件,因为您的 www 用户没有适当的权限。
使用 Nginx 时,需要注意的是,它始终需要对需要访问的任何文件的整个路径具有读取和执行权限。由于您已经提供了 yome 文件夹权限的输出,我们可以看到该
/etc/letsencrypt/live文件夹缺少 www 用户的读取和执行权限:drwxr-x--- 10 root root 4096 1月10日 22:58 直播
该目录也可能
/etc不具备适当的权限。要修复该错误,您可以为路径分配适当的权限,即
chmod o+rx /etc/letsencrypt/live,您可以将证书移动到 www 用户已经允许访问的某个地方,例如靠近(但不在)您的 webroot 文件夹的某个地方。将文件所有权(或组所有权)分配给 Nginx 需要访问的敏感路径和文件也是一种常见的做法,因为这样可以对文件保持更严格的权限,并且不允许系统上的每个用户读取它们。