HAProxy deployment gives Permission denied error trying to move in now certificates.

[pnunn]

Steps to reproduce

Following the tutorial at https://www.haproxy.com/blog/haproxy-and-let-s-encrypt

Get to the deploy step and I get a permissions error when trying to move the new certificate into place.

Debug log

root@knocknoc:~# sudo -u acme -s
acme@knocknoc:/root$ DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKER=/var/run/haproxy/admin.sock DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs acme.sh --deploy -d knocknoc.marketdispatch.com.au --deploy-hook haproxy --debug
[Thu Mar  7 00:26:42 UTC 2024] Lets find script dir.
[Thu Mar  7 00:26:42 UTC 2024] _SCRIPT_='/usr/local/bin/acme.sh'
[Thu Mar  7 00:26:42 UTC 2024] _script='/usr/local/share/acme.sh/acme.sh'
[Thu Mar  7 00:26:42 UTC 2024] _script_home='/usr/local/share/acme.sh'
[Thu Mar  7 00:26:42 UTC 2024] Using default home:/var/lib/acme/.acme.sh
[Thu Mar  7 00:26:42 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Thu Mar  7 00:26:42 UTC 2024] LE_WORKING_DIR='/var/lib/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Thu Mar  7 00:26:42 UTC 2024] Running cmd: deploy
[Thu Mar  7 00:26:42 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Thu Mar  7 00:26:42 UTC 2024] default_acme_server
[Thu Mar  7 00:26:42 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Thu Mar  7 00:26:42 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Thu Mar  7 00:26:42 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Thu Mar  7 00:26:42 UTC 2024] The domain 'knocknoc.marketdispatch.com.au' seems to have a ECC cert already, lets use ecc cert.
[Thu Mar  7 00:26:42 UTC 2024] DOMAIN_PATH='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc'
[Thu Mar  7 00:26:42 UTC 2024] DOMAIN_CONF='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/knocknoc.marketdispatch.com.au.conf'
[Thu Mar  7 00:26:42 UTC 2024] _deployApi='/usr/local/share/acme.sh/deploy/haproxy.sh'
[Thu Mar  7 00:26:42 UTC 2024] _cdomain='knocknoc.marketdispatch.com.au'
[Thu Mar  7 00:26:43 UTC 2024] _ckey='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/knocknoc.marketdispatch.com.au.key'
[Thu Mar  7 00:26:43 UTC 2024] _ccert='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/knocknoc.marketdispatch.com.au.cer'
[Thu Mar  7 00:26:43 UTC 2024] _cca='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/ca.cer'
[Thu Mar  7 00:26:43 UTC 2024] _cfullchain='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/fullchain.cer'
[Thu Mar  7 00:26:43 UTC 2024] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Thu Mar  7 00:26:43 UTC 2024] PEM_PATH /etc/haproxy/certs exists
[Thu Mar  7 00:26:43 UTC 2024] DEPLOY_HAPROXY_PEM_NAME
[Thu Mar  7 00:26:43 UTC 2024] DEPLOY_HAPROXY_BUNDLE
[Thu Mar  7 00:26:43 UTC 2024] DEPLOY_HAPROXY_ISSUER
[Thu Mar  7 00:26:43 UTC 2024] DEPLOY_HAPROXY_RELOAD
[Thu Mar  7 00:26:43 UTC 2024] _suffix
[Thu Mar  7 00:26:43 UTC 2024] Deploying PEM file
[Thu Mar  7 00:26:43 UTC 2024] _temppem='/tmp/tmp.IH20BYPEvg'
[Thu Mar  7 00:26:43 UTC 2024] Moving new certificate into place
[Thu Mar  7 00:26:43 UTC 2024] _pem='/etc/haproxy/certs/knocknoc.marketdispatch.com.au.pem'
/usr/local/share/acme.sh/deploy/haproxy.sh: line 163: /etc/haproxy/certs/knocknoc.marketdispatch.com.au.pem: Permission denied
[Thu Mar  7 00:26:43 UTC 2024] Error code 1 returned while moving new certificate into place
[Thu Mar  7 00:26:43 UTC 2024] Error deploy for domain:knocknoc.marketdispatch.com.au
[Thu Mar  7 00:26:43 UTC 2024] Deploy error.

debug 2 code after update

root@knocknoc:~# sudo -u acme -s
acme@knocknoc:/root$ DEPLOY_HAPROXY_HOT_UPDATE=yes DEPLOY_HAPROXY_STATS_SOCKER=/var/run/haproxy/admin.sock DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs acme.sh --deploy -d knocknoc.marketdispatch.com.au --deploy-hook haproxy --debug 2
[Thu Mar  7 00:31:07 UTC 2024] Lets find script dir.
[Thu Mar  7 00:31:07 UTC 2024] _SCRIPT_='/usr/local/bin/acme.sh'
[Thu Mar  7 00:31:07 UTC 2024] _script='/usr/local/share/acme.sh/acme.sh'
[Thu Mar  7 00:31:07 UTC 2024] _script_home='/usr/local/share/acme.sh'
[Thu Mar  7 00:31:07 UTC 2024] Using default home:/var/lib/acme/.acme.sh
[Thu Mar  7 00:31:07 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Thu Mar  7 00:31:07 UTC 2024] LE_WORKING_DIR='/var/lib/acme/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Thu Mar  7 00:31:07 UTC 2024] Running cmd: deploy
[Thu Mar  7 00:31:07 UTC 2024] Using config home:/var/lib/acme/.acme.sh
[Thu Mar  7 00:31:07 UTC 2024] default_acme_server
[Thu Mar  7 00:31:07 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Thu Mar  7 00:31:07 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Thu Mar  7 00:31:07 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Thu Mar  7 00:31:07 UTC 2024] The domain 'knocknoc.marketdispatch.com.au' seems to have a ECC cert already, lets use ecc cert.
[Thu Mar  7 00:31:07 UTC 2024] DOMAIN_PATH='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc'
[Thu Mar  7 00:31:07 UTC 2024] DOMAIN_CONF='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/knocknoc.marketdispatch.com.au.conf'
[Thu Mar  7 00:31:07 UTC 2024] _deployApi='/usr/local/share/acme.sh/deploy/haproxy.sh'
[Thu Mar  7 00:31:07 UTC 2024] _cdomain='knocknoc.marketdispatch.com.au'
[Thu Mar  7 00:31:07 UTC 2024] _ckey='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/knocknoc.marketdispatch.com.au.key'
[Thu Mar  7 00:31:07 UTC 2024] _ccert='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/knocknoc.marketdispatch.com.au.cer'
[Thu Mar  7 00:31:07 UTC 2024] _cca='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/ca.cer'
[Thu Mar  7 00:31:07 UTC 2024] _cfullchain='/var/lib/acme/.acme.sh/knocknoc.marketdispatch.com.au_ecc/fullchain.cer'
[Thu Mar  7 00:31:07 UTC 2024] DEPLOY_HAPROXY_PEM_PATH='/etc/haproxy/certs'
[Thu Mar  7 00:31:07 UTC 2024] PEM_PATH /etc/haproxy/certs exists
[Thu Mar  7 00:31:07 UTC 2024] DEPLOY_HAPROXY_PEM_NAME
[Thu Mar  7 00:31:07 UTC 2024] DEPLOY_HAPROXY_BUNDLE
[Thu Mar  7 00:31:07 UTC 2024] DEPLOY_HAPROXY_ISSUER
[Thu Mar  7 00:31:07 UTC 2024] DEPLOY_HAPROXY_RELOAD
[Thu Mar  7 00:31:07 UTC 2024] _suffix
[Thu Mar  7 00:31:07 UTC 2024] Deploying PEM file
[Thu Mar  7 00:31:07 UTC 2024] _temppem='/tmp/tmp.pp7RsLV6b2'
[Thu Mar  7 00:31:07 UTC 2024] Moving new certificate into place
[Thu Mar  7 00:31:07 UTC 2024] _pem='/etc/haproxy/certs/knocknoc.marketdispatch.com.au.pem'
/usr/local/share/acme.sh/deploy/haproxy.sh: line 163: /etc/haproxy/certs/knocknoc.marketdispatch.com.au.pem: Permission denied
[Thu Mar  7 00:31:07 UTC 2024] Error code 1 returned while moving new certificate into place
[Thu Mar  7 00:31:07 UTC 2024] Error deploy for domain:knocknoc.marketdispatch.com.au
[Thu Mar  7 00:31:07 UTC 2024] Deploy error.

[github-actions[bot]]

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

[pnunn]

Update done and debug 2 code added to the above.

[wlallemand]

@pnunn It looks like you didn't have the rights to write the certificate. This up to date tutorial https://github.com/haproxy/wiki/wiki/Letsencrypt-integration-with-HAProxy-and-acme.sh has the steps to achieve this:

root@ubuntu:~# mkdir /etc/haproxy/certs
root@ubuntu:~# chown haproxy:haproxy /etc/haproxy/certs
root@ubuntu:~# chmod 770 /etc/haproxy/certs

But don't forget to add the acme user to the haproxy group.

[wlallemand]

Also be careful if you upgraded, this was not part of the acme.sh repository and only in a PR ( https://github.com/acmesh-official/acme.sh/pull/4581 ) which was merged in dev yesterday. This is still not in the master branch and still require to download the deploy script manually.