Open fpietrosanti opened 8 years ago
For some reason, even though the files were accessible, their parent-parent directory was root-owned with 700 permissions, and maybe tor2web is doing some kind of file access testing that triggers an access denied.
By changing the letsencrypt permissions as follows, everything worked out, but ideally tor2web should be able to access those files directly:

    chgrp tor2web /etc/letsencrypt/live/
    chgrp tor2web /etc/letsencrypt/archive
    chmod g+rx /etc/letsencrypt/archive
    chmod g+rx /etc/letsencrypt/live

I'm wondering if the way tor2web tests file access cannot be made compatible with such restricted permissions, without changing the permissions of letsencrypt.
The fix to do is that: IF letsencrypt is installed and letsencrypt certificate is configured; then fix permissions FI
Tor2web does not load certificates that are a symlink of a symlink, and this does not load proper implementation of letsencrypt in a maintainable way where all /home/tor2web/certs/ files are symlinks to the /etc/letsencrypt/live/$DOMAINNAME/files.
Those get set up as:

    ln -s /etc/letsencrypt/live/$PUBLICHOSTNAME/privkey.pem /home/tor2web/certs/tor2web-key.pem
    ln -s /etc/letsencrypt/live/$PUBLICHOSTNAME/cert.pem /home/tor2web/certs/tor2web-certificate.pem
    ln -s /etc/letsencrypt/live/$PUBLICHOSTNAME/fullchain.pem /home/tor2web/certs/tor2web-intermediate.pem

The files in the letsencrypt directory /etc/letsencrypt/live are also symlinks to /etc/letsencrypt/archive/.
The error preventing Tor2web from starting up is:

    Tor2web Startup Failure: unexistent file (/home/tor2web/certs/tor2web-key.pem)

If I issue on Linux a cat /home/tor2web/certs/tor2web-key.pem it works properly.
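A diagnostic for the situation reported above, added here as an example and not part of tor2web or of the original report: it follows a certificate path one symlink hop at a time and lists every directory on the way that a given account cannot search, without widening any permissions. The function names are hypothetical, and the check assumes classic owner/group/other mode bits (no ACLs or capabilities).

```python
import os
import stat

def can_traverse(st, uid, gids):
    """Classic Unix check of the search (x) bit for uid/gids; ignores ACLs."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def symlink_chain(path, max_hops=16):
    """Return every hop from path to the final target, one link at a time."""
    chain = [os.path.abspath(path)]
    while os.path.islink(chain[-1]):
        if len(chain) > max_hops:
            raise OSError("too many levels of symbolic links: " + path)
        link = chain[-1]
        target = os.readlink(link)
        # Relative targets are resolved against the link's own directory.
        chain.append(os.path.normpath(os.path.join(os.path.dirname(link), target)))
    return chain

def blocked_dirs(path, uid, gids):
    """Directories on any hop of the chain that uid/gids cannot search."""
    blocked = []
    for hop in symlink_chain(path):
        parent = os.path.dirname(hop)
        while True:
            st = os.stat(parent)
            if not can_traverse(st, uid, gids) and parent not in blocked:
                blocked.append(parent)
            if parent == os.path.dirname(parent):
                break
            parent = os.path.dirname(parent)
    return blocked

if __name__ == "__main__":
    # Usage (run as root so every hop can be read): script.py <path> <user>
    import pwd, sys
    pw = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for d in blocked_dirs(sys.argv[1], pw.pw_uid, gids):
        print("no search permission:", d)
```

Run against /home/tor2web/certs/tor2web-key.pem for the tor2web account, it shows which directory in the live/archive chain is missing group or other search permission, so only that directory needs a group change.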