bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

Problem with reverse proxy autoconf and let's encrypt volume permission #105

Closed TheD3C4Y closed 3 years ago

TheD3C4Y commented 3 years ago

If I edit the autoconf-reverse-proxy and try to start it, I get a permission error for Let's Encrypt. I run it for testing purposes on a Turnkey Core Debian instance (I'm logged in as root) and try to bring it up with docker-compose up. If I comment out the part with Let's Encrypt, the site comes up without problems (except the certificate warning).

mywww_1       | [*] Catched reload operation
mywww_1       | Saving debug log to /var/log/letsencrypt/letsencrypt.log
mywww_1       | The following error was encountered:
mywww_1       | [Errno 13] Permission denied: '/etc/letsencrypt/.certbot.lock'
mywww_1       | Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
mywww_1       | Saving debug log to /var/log/letsencrypt/letsencrypt.log
mywww_1       | The following error was encountered:
mywww_1       | [Errno 13] Permission denied: '/etc/letsencrypt/.certbot.lock'
mywww_1       | Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
mywww_1       | [!] Ignored reload operation because nginx is not running
mywww_1       | [*] Running nginx ...
mywww_1       | nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/sub.mydomain.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/sub.mydomain.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

sub.mydomain.com is obfuscated for privacy, in case you wonder

Does it not work because I'm root, or where do I have to set the flags for the directories? It's just a plain Debian 10 with Webmin and LVM https://www.turnkeylinux.org/core

fl0ppy-d1sk commented 3 years ago

Hello,

Since v1.2.3 the container doesn't run as root anymore but with a standard user with UID/GID 101 as stated here.

Something like that should do the trick:

mkdir path/to/letsencrypt/on/host
chown root:101 path/to/letsencrypt/on/host   # group 101 = the GID the container runs as
chmod 770 path/to/letsencrypt/on/host        # owner and group get rwx, everyone else nothing

Keeping this open as a reminder to update the documentation and examples. I think we should check the rights and display a user-friendly error before running certbot (also any other stuff that needs to write to a volume).
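A pre-flight permission check of the kind suggested above, as an added example that is not part of bunkerized-nginx or of this thread. It assumes GNU coreutils stat (Linux) and that the container user is UID/GID 101 as the comment states; the function name volume_access_ok and its messages are hypothetical. It decides, from the directory's owner, group and mode, which rwx triplet the kernel would apply to that UID/GID and prints the chown/chmod fix from the thread when access would be denied.

```shell
#!/bin/sh
# Added example, not code from bunkerized-nginx: check that a bind-mounted
# volume is usable by the unprivileged container user (UID/GID 101 per the
# thread) before anything like certbot tries to write to it.
# Assumes GNU coreutils `stat` (Linux); the function name is hypothetical.

# volume_access_ok PATH UID GID
# Returns 0 when a process running as UID:GID has read, write and traverse
# permission on the directory PATH, 1 otherwise, printing the reason and
# the fix from the thread (chown root:GID + chmod 770) on failure.
volume_access_ok() {
    path=$1
    want_uid=$2
    want_gid=$3

    if [ ! -d "$path" ]; then
        echo "[!] $path does not exist or is not a directory" >&2
        return 1
    fi

    # root bypasses discretionary permission checks
    if [ "$want_uid" = 0 ]; then
        echo "[*] $path: UID 0 always has access"
        return 0
    fi

    # owner uid, owner gid and octal mode, e.g. "0 101 770" or "0 101 2770"
    set -- $(stat -c '%u %g %a' "$path")
    own_uid=$1
    own_gid=$2
    # keep only the rwx triplets (drop a setuid/setgid/sticky digit), zero-padded
    mode=$(printf '%03d' "$(printf '%s' "$3" | tail -c 3)")

    # select the triplet the kernel would apply: owner, then group, then other
    if [ "$own_uid" = "$want_uid" ]; then
        bits=$(printf '%s' "$mode" | cut -c1); who=owner
    elif [ "$own_gid" = "$want_gid" ]; then
        bits=$(printf '%s' "$mode" | cut -c2); who=group
    else
        bits=$(printf '%s' "$mode" | cut -c3); who=other
    fi

    # certbot needs to create its lock file and traverse the tree: rwx (7)
    if [ "$bits" = 7 ]; then
        echo "[*] $path is read/write for UID $want_uid GID $want_gid ($who bits of mode $mode)"
        return 0
    fi
    echo "[!] $path is not read/write for UID $want_uid GID $want_gid ($who bits of mode $mode)" >&2
    echo "    fix: chown root:$want_gid $path && chmod 770 $path" >&2
    return 1
}

# Demonstration on a constructed scratch directory owned by the current user.
demo=$(mktemp -d)
chmod 770 "$demo"
volume_access_ok "$demo" "$(id -u)" "$(id -g)"   # passes via the owner bits
volume_access_ok "$demo" 101 101 || true         # fails unless the directory's owner or group is 101
rmdir "$demo"
```

Run it as `sh check.sh`; to wire it into a container entrypoint, call `volume_access_ok /etc/letsencrypt 101 101 || exit 1` before starting certbot or nginx so the failure is reported once, in plain words, instead of as the repeated `[Errno 13]` lines from certbot.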

fl0ppy-d1sk commented 3 years ago

Hello @TheD3C4Y,

bunkerized-nginx should now display an error about permissions when it can't read/write to a volume. We also updated the documentation. Don't hesitate to open a new issue if needed.