HTTPS setup issues

I’m trying to set up HTTPS on a server. For that I added this to my NixOS configuration:

  security.acme = {
    acceptTerms = true;
    certs = {
      "example.com" = {
        email = "example@gmail.com";
        webroot = "/root/site";
      };
    };
  };

The directory /root/site is being served on port 80. When I run the nixos-rebuild test command, it fails with output saying:

warning: the following units failed: acme-example.com.service
...
error presenting token: could not create required directories in webroot for HTTP challenge: mkdir /root/site: permission denied

How do I fix it? Also, does the acme agent run the challenge upon every renewal? Can I change the site configuration once the certificate has been issued?

You should set security.acme.group to a group capable of writing to /root/site. You can also manually create the /root/site/.well-known/acme-challenge directory and make it owned by the acme user:

sudo install -dm775 -o acme -g acme /root/site/.well-known/acme-challenge

Additionally, you might consider if /root is the most appropriate directory for that…
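Putting both suggestions together, here is an added example configuration (not from either reply above, and not from the original poster): the webroot is moved out of /root, on the assumption that /root is only traversable by root, which would explain why the acme user fails at `mkdir /root/site` even though the acme-challenge directory underneath it is already owned by acme. The names `/var/www/example.com` and the nginx service are assumptions for the example.

```nix
{ config, ... }:
{
  # Site content lives outside /root, so the unprivileged acme user can
  # traverse every parent directory of the webroot (assumed path).
  systemd.tmpfiles.rules = [ "d /var/www/example.com 0755 nginx nginx -" ];

  services.nginx = {
    enable = true;
    virtualHosts."example.com" = {
      root = "/var/www/example.com";
      # enableACME wires up the /.well-known/acme-challenge location and
      # requests the certificate; the module handles webroot ownership itself.
      enableACME = true;
      forceSSL = true;
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "example@gmail.com";
  };

  # If you serve the directory some other way and keep the explicit certs
  # entry from the question, give the cert files a group the web server is in,
  # and keep the webroot somewhere the acme user can reach:
  # security.acme.certs."example.com" = {
  #   webroot = "/var/www/example.com";
  #   group = "nginx";
  # };
}
```

After `nixos-rebuild test`, `sudo -u acme ls -ld /var/www/example.com/.well-known/acme-challenge` should succeed; if it still fails, check each parent directory with `namei -l` for a component the acme user cannot traverse.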


This directory already exists and is owned by the acme user:

[root@server:~/site]# ls -ld .well-known/acme-challenge/
drwxr-xr-x 2 acme acme 4096 May  4 00:50 .well-known/acme-challenge/

[root@server:~/site]#

nixos-rebuild test fails with the same error.

What about sudo -u acme ls -ld /root/site/.well-known/acme-challenge/ (to check how the acme user views it)?


Never mind. I generated a certificate manually using certbot.