Trying to use letsencrypt, having write error


Post by herkalurk »

I'm not sure why, but sab is trying to write something in the cert directory. By default letsencrypt uses root for that and doesn't allow any other user to write to the directory. I'm more concerned why sab even needs to write anything. Shouldn't it just read the cert and load it into memory?

CentOS 7 x86-64
Python 2.7.5

Code:

2016-09-05 00:34:34,071::INFO::[SABnzbd:527] pyOpenSSL... found (True)
2016-09-05 00:34:34,071::INFO::[SABnzbd:1372] SSL version OpenSSL 1.0.1e-fips 11 Feb 2013
2016-09-05 00:34:34,072::INFO::[SABnzbd:1373] pyOpenSSL version 0.13.1
2016-09-05 00:34:34,072::INFO::[SABnzbd:1374] SSL potentially supported protocols ['SSLv2', 'SSLv23', 'SSLv3', 'TLSv1', 'TLSv1_1', 'TLSv1_2']
2016-09-05 00:34:34,072::INFO::[SABnzbd:1375] SSL actually supported protocols ['t1', 'v23', 'v3', 'v2']
2016-09-05 00:34:34,127::ERROR::[misc:1155] Error creating SSL key and certificate
2016-09-05 00:34:34,127::INFO::[misc:1156] Traceback:
Traceback (most recent call last):
  File "/home/user/newsgroup/SABnzbd-1.0.3/sabnzbd/misc.py", line 1152, in create_https_certificates
    open(ssl_key, 'w').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
IOError: [Errno 13] Permission denied: u'/etc/letsencrypt/live/www.site.com/privkey.pem'
2016-09-05 00:34:34,128::WARNING::[SABnzbd:1406] Disabled HTTPS because of missing CERT and KEY files
2016-09-05 00:34:34,130::INFO::[SABnzbd:1522] Starting web-interface on 0.0.0.0:8085
2016-09-05 00:34:34,130::INFO::[_cplogging:216] [05/Sep/2016:00:34:34] ENGINE Bus STARTING
2016-09-05 00:34:34,136::INFO::[_cplogging:216] [05/Sep/2016:00:34:34] ENGINE Started monitor thread '_TimeoutMonitor'.
2016-09-05 00:34:34,237::INFO::[_cplogging:216] [05/Sep/2016:00:34:34] ENGINE Serving on http://0.0.0.0:8085
2016-09-05 00:34:34,238::INFO::[_cplogging:216] [05/Sep/2016:00:34:34] ENGINE Bus STARTED

Post by sander »

Hi,

So you point SABnzbd to the existing Letsencrypt keys in another directory? Nice approach!

Now your problem: the error stems from "create_https_certificates(https_cert, https_key)" -- which of course needs writing rights -- which happens from SABnzbd.py if:

Code:

    if enable_https:
        # If either the HTTPS certificate or key do not exist, make some self-signed ones.
        if not (https_cert and os.path.exists(https_cert)) or not (https_key and os.path.exists(https_key)):
            create_https_certificates(https_cert, https_key)

So that if-statement is true. So: values not filled out, or os.path.exists() is False.

My first guess would be that those files are unreadable for the account SABnzbd is running under.
My second guess would be that you made a typo in one (or two) of those file names.

Ultimate debugging:
As you're on Linux and thus you run from source code, you can put in a debug-print statement to find the values of those four test variables. Can you do that yourself, or do you need help?

Post by sander »

I filled out the debug print statements, and this is the result:

Code:

2016-09-05 19:56:28,019::INFO::[SABnzbd:1360] SSL actually supported protocols ['v23', 't1', 'v3']
SJ: /home/sander/.sabnzbd/admin/server.cert
SJ: True
SJ: /home/sander/.sabnzbd/admin/server.key
SJ: True
2016-09-05 19:56:28,025::INFO::[SABnzbd:1512] Starting web-interface on :::9090

But now files in a root-owned directory:

Code:

$ sudo su -
root@flappie:~# ll /root/server.*
-rw-r--r-- 1 root root 631 sep  5 19:57 /root/server.cert
-rw-r--r-- 1 root root 916 sep  5 19:58 /root/server.key

... but unreadable for a normal user:

Code:

$ ls -al /root/server.cert
ls: cannot access /root/server.cert: Permission denied
$ ls -al /root/server.key
ls: cannot access /root/server.key: Permission denied

So SABnzbd (running as a normal user) cannot use them.

Post by herkalurk »

I triple checked the spelling, no errors.

I just figured out the issue. Previously, to ensure all users could read the certificates, I had run a command to change all directories to be readable by group and everyone. Apparently I gave the directories 644 permissions instead of 755 permissions. I pushed 755 permissions to all directories and restarted sab with the corrected paths and now I'm running on a legit certificate. I have my sab, sickbeard, and couchpotato sites all port forwarded on my router so I can access them anywhere. Having a free public cert is great now.
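
Added example, not part of any post in this thread and not SABnzbd code: os.path.exists() returns False both for a missing file and for one behind a directory without the search (x) bit, which is why the self-signed fallback ran here. The sketch below walks a path and names the first component that blocks a given account; the function names and the temporary tree are constructed for illustration, and it assumes classic mode bits only (no ACLs or SELinux).

```python
import os
import tempfile

def _grants(st, uid, gids, bit):
    """True if the mode bits give `bit` (4=r, 1=x) to identity (uid, gids)."""
    if uid == 0:
        return True  # root bypasses directory-search and file-read checks
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def first_blocker(path, uid, gids, base="/"):
    """Return (component, reason) for the first thing that stops (uid, gids)
    from reading `path`, or None. `base` is assumed to be reachable."""
    # Resolve symlinks first: Let's Encrypt's live/ entries point into archive/.
    path, base = os.path.realpath(path), os.path.realpath(base)
    current = base
    for part in os.path.relpath(path, base).split(os.sep):
        # Check the directory before looking inside it, so nothing below a
        # blocked directory is ever touched.
        if not _grants(os.stat(current), uid, gids, 1):
            return current, "no search (x) permission on directory"
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            return current, "does not exist"
    if not _grants(os.stat(current), uid, gids, 4):
        return current, "no read (r) permission on file"
    return None

def demo():
    """Constructed tree mirroring the thread: directory at 644, then 755."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    live = os.path.join(base, "live")
    os.mkdir(live)
    os.chmod(live, 0o755)
    key = os.path.join(live, "privkey.pem")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o644)
    other = os.stat(live).st_uid + 1   # hypothetical uid that is not the owner
    os.chmod(live, 0o644)              # the mistake described in the thread
    before = first_blocker(key, other, set(), base)
    os.chmod(live, 0o755)              # the fix
    after = first_blocker(key, other, set(), base)
    return before, after

if __name__ == "__main__":
    print(demo())
```

To check a real installation, pass the uid and group ids of the account SABnzbd runs under and the configured key path.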