zadam / trilium

Build your personal knowledge base with Trilium Notes
GNU Affero General Public License v3.0
27.2k stars 1.9k forks

(Bug report) TLS configuration EACCES: permission denied #4420

Closed 9acca9 closed 11 months ago

9acca9 commented 11 months ago

Trilium Version

0.60.4

What operating system are you using?

Other Linux

What is your setup?

Server access only

Operating System Version

Manjaro Linux

Description

I'm trying to configure SSL/TLS with Let's Encrypt. I already have my certificates.

So, following the wiki https://github.com/zadam/trilium/wiki/TLS-configuration

I put the path to the certificates:

[Network]
# host setting is relevant only for web deployments - set the host on which the server will listen
# host=0.0.0.0
# port setting is relevant only for web deployments, desktop builds run on a fixed port (changeable with TRILIUM_PORT>
port=8085
# true for TLS/SSL/HTTPS (secure), false for HTTP (unsecure).
https=true
# path to certificate (run "bash bin/generate-cert.sh" to generate self-signed certificate). Relevant only if https=t>
certPath=/etc/letsencrypt/live/www.xxxxxxxxxx.xyz/fullchain.pem
keyPath=/etc/letsencrypt/live/www.xxxxxxxxxxx.xyz/privkey.pem

Then I restart Trilium, and I get these errors:

Error: EACCES: permission denied, open '/etc/letsencrypt/live/www.xxxxxxxx.xyz/privkey.pem'
    at Object.openSync (node:fs:590:3)
    at Object.readFileSync (node:fs:458:35)
    at startTrilium (/opt/trilium-server/src/www:79:21)
    at Object.<anonymous> (/opt/trilium-server/src/www:148:1)
    at Module._compile (node:internal/modules/cjs/loader:1191:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1245:10)
    at Module.load (node:internal/modules/cjs/loader:1069:32)
    at Function.Module._load (node:internal/modules/cjs/loader:904:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:22:47 {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/etc/letsencrypt/live/www.xxxxxxxxxxx.xyz/privkey.pem'
}
Error: EACCES: permission denied, open '/etc/letsencrypt/live/www.xxxxxxxxxx.xyz/privkey.pem'
    at Object.openSync (node:fs:590:3)
    at Object.readFileSync (node:fs:458:35)
    at startTrilium (/opt/trilium-server/src/www:79:21)
    at Object.<anonymous> (/opt/trilium-server/src/www:148:1)
    at Module._compile (node:internal/modules/cjs/loader:1191:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1245:10)
    at Module.load (node:internal/modules/cjs/loader:1069:32)
    at Function.Module._load (node:internal/modules/cjs/loader:904:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:22:47 {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: '/etc/letsencrypt/live/www.xxxxxxxxxxxxxxxyz/privkey.pem'
}
Table counts: notes: 267, note_revisions: 33, branches: 286, attributes: 459, etapi_tokens: 0
All consistency checks passed with no errors detected (took 12ms)

OK, permission denied, but... how can I give permission to Trilium? Thanks!

Error logs

No response

sottey commented 11 months ago

This is more a Linux question than a trilium question. Look at the directory where you store your trilium data. Then make sure the cert location has the same permissions and owner/group as the data dir.

9acca9 commented 11 months ago

OK. I followed this response from another website (just change the names of the user and group in relation to Trilium). I paste it here in case somebody finds this while having the same "question".

On the other hand, you can create a limited group, and allow the permissions to only be opened for them.

# Create group with root and nodeuser as members
$ sudo addgroup nodecert
$ sudo adduser nodeuser nodecert
$ sudo adduser root nodecert

# Make the relevant letsencrypt folders owned by said group.
$ sudo chgrp -R nodecert /etc/letsencrypt/live
$ sudo chgrp -R nodecert /etc/letsencrypt/archive

# Allow group to open relevant folders
$ sudo chmod -R 750 /etc/letsencrypt/live
$ sudo chmod -R 750 /etc/letsencrypt/archive

That should allow node to access the folders with the certs, while not opening it to anyone else.

You should then reboot or at least logout and in after these changes.
(Many changes to permission and groups require a new session, and we had issues with PM2 until reboot.)

Thanks!
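Added example for the two approaches above (sottey's "match the data dir owner" and the group recipe pasted by 9acca9); it is not code from Trilium or from anyone in this thread. It keeps the idea of a dedicated read-only group, which is the least-privilege option (the service user can read the key but not overwrite it, unlike making the key owned by the same user as the Trilium data directory), and fixes two rough edges of the pasted recipe: `chmod -R 750` sets the execute bit on every `.pem` file, so this sets directories to 750 and private keys to 640 only; and a certbot renewal writes a new `privkeyN.pem` into `archive/`, so a deploy hook re-applies the grant afterwards (certbot runs every executable in `renewal-hooks/deploy/` after a successful renewal). Group name `sslcerts`, service user `trilium`, and the certbot directory `/etc/letsencrypt` are assumptions. Note for Manjaro/Arch: `addgroup`/`adduser` are Debian tools; use `groupadd sslcerts` and `usermod -aG sslcerts trilium` instead, and then restart the Trilium service so it starts in a session that has the new group.

```shell
#!/bin/sh
# Added example; not code from Trilium or from this issue.
# Gives one dedicated group read access to Let's Encrypt certificates and keys
# (directories 750, private keys 640, nothing for "others") and installs a
# certbot deploy hook so the grant survives renewals.
# Assumed names: group "sslcerts", config root "/etc/letsencrypt".
set -eu

# grant_cert_group_access ROOT GROUP
# Make live/ and archive/ under ROOT traversable and readable by GROUP.
# live/ only holds symlinks into archive/, so the real key files that get
# the 640 mode are the privkey*.pem files in archive/.
grant_cert_group_access() {
    root="$1"; group="$2"
    for dir in "$root/live" "$root/archive"; do
        [ -d "$dir" ] || { echo "grant_cert_group_access: missing $dir" >&2; return 1; }
        chgrp -R "$group" "$dir"
        # directories: owner rwx, group r-x (list + traverse), others nothing
        find "$dir" -type d -exec chmod 750 '{}' +
        # private keys: owner rw, group r, others nothing; no execute bit
        find "$dir" -type f -name 'privkey*.pem' -exec chmod 640 '{}' +
    done
}

# verify_group_read GROUP FILE
# Succeed only if FILE (symlinks followed) belongs to GROUP and has the
# group-read bit set. Run it against keyPath/certPath from config.ini.
verify_group_read() {
    group="$1"; file="$2"
    [ "$(stat -L -c %G "$file")" = "$group" ] || {
        echo "$file: group is $(stat -L -c %G "$file"), expected $group" >&2; return 1; }
    mode=$(stat -L -c %a "$file")
    case "$mode" in
        *[4567]?) return 0 ;;            # middle octal digit carries the group r bit
        *) echo "$file: mode $mode has no group read bit" >&2; return 1 ;;
    esac
}

# install_deploy_hook ROOT GROUP
# Write an executable script into ROOT/renewal-hooks/deploy/. certbot runs
# every executable in that directory after a successful renewal, so the new
# archive files get the same group and modes. Prints the hook path.
install_deploy_hook() {
    root="$1"; group="$2"
    hook="$root/renewal-hooks/deploy/10-cert-group-access.sh"
    mkdir -p "$(dirname "$hook")"
    cat > "$hook" <<EOF
#!/bin/sh
# re-apply group access for "$group" after each renewal (written by install_deploy_hook)
chgrp -R "$group" "$root/live" "$root/archive"
find "$root/live" "$root/archive" -type d -exec chmod 750 '{}' +
find "$root/archive" -type f -name 'privkey*.pem' -exec chmod 640 '{}' +
EOF
    chmod 755 "$hook"
    printf '%s\n' "$hook"
}

# Usage, as root, after "groupadd sslcerts; usermod -aG sslcerts trilium":
#   sh cert-group-access.sh --apply /etc/letsencrypt sslcerts
# then restart the Trilium service so it runs with the new group membership.
if [ "${1-}" = "--apply" ]; then
    grant_cert_group_access "${2:-/etc/letsencrypt}" "${3:-sslcerts}"
    install_deploy_hook "${2:-/etc/letsencrypt}" "${3:-sslcerts}"
    for k in "${2:-/etc/letsencrypt}/live"/*/privkey.pem; do
        verify_group_read "${3:-sslcerts}" "$k"
    done
fi
```

`verify_group_read` is the check to run before restarting Trilium: it reads through the `live/` symlink to the real key, so it fails exactly when Node's `readFileSync` on `keyPath` would get EACCES because of group or mode (a missing execute bit on a parent directory shows up as a `stat` failure instead).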