Release notes 20.03->20.09 instructions may need an update (ACME)

Today I’ve upgraded my web/mail/calendar server to 20.09.

ACME returned the following error when trying the activate the renew service:

Could not load RSA private key from file accounts/ permission denied

After digging through the filesystem to find out where the keys are stored, I finally tried to move the /var/lib/acme directory away

After doing so, ACME started to work (after having to solve some additional non-Nix related acme issues).

This all is not mentioned in the release notes, so I suggest to expand the release notes to indicate ACME had a breaking change.

Another minor thing, the nginx state dir does not exist anymore. This is mentioned in the release notes, but the same release notes also specify a new feature (world writable) for the same (non-existing) state dir.

FYI the following issues may be related:,

That said, I fully agree that the release notes should cover the ACME changes :slight_smile:

If you would like to contribute some docs, I wouldn’t mind reviewing them. Just follow backporting conventions :slight_smile:

I’m probably the last person who can contribute docs about ACME, because to me the ACME module is magic black box, and I have no idea what and why is changed in the past months. As a regular user, I do not follow ACME module development. Also, as a regular user, I do not specifically care about the details of ACME.

My contribution is opening this topic, to raise awareness. Hopefully that’s sufficient.


@kvtb, thanks for raising the issue.

In what I’ve read from you on this forum, I believe you give yourself way less credit than you deserve.


Is there a quick manual fix for this without moving /var/lib/acme and having to get new certs?

EDIT: make a copy of /var/lib/acme. try to switch to new config and copy back the files of the failing hostnames (don’t forget the files in the .lego directory.

1 Like

I just had this problem upgrading 20.03->20.09. When I looked at the permissions on the files in question, there was an odd mix of ownership, with acme:acme, acme:nginx, and nginx:nginx. I wasn’t sure what the intended result was, because the nginx user was not in the acme group and the acme user was not in the nginx group, so I compromised by setting the entire folder to acme:nginx. The next rebuild successfully launched the services.

I suspect a chown somewhere in the acme setup is missing a -R.