Today I’ve upgraded my web/mail/calendar server to 20.09.
ACME returned the following error when trying to activate the renew service:
Could not load RSA private key from file accounts/acme-v02.api.letsencrypt.org/webmaster@mydomain.com//keys/webmaster@mydomain.com.key: permission denied
After digging through the filesystem to find out where the keys are stored, I finally tried to move the /var/lib/acme directory away.
After doing so, ACME started to work (after having to solve some additional non-Nix related acme issues).
This all is not mentioned in the release notes, so I suggest expanding the release notes to indicate that ACME had a breaking change.
Another minor thing, the nginx state dir does not exist anymore. This is mentioned in the release notes, but the same release notes also specify a new feature (world writable) for the same (non-existing) state dir.
I’m probably the last person who can contribute docs about ACME, because to me the ACME module is a magic black box, and I have no idea what has changed in the past months and why. As a regular user, I do not follow ACME module development. Also, as a regular user, I do not specifically care about the details of ACME.
My contribution is opening this topic, to raise awareness. Hopefully that’s sufficient.
Is there a quick manual fix for this without moving /var/lib/acme and having to get new certs?
EDIT: Make a copy of /var/lib/acme, try to switch to the new config, and copy back the files of the failing hostnames (don’t forget the files in the .lego directory).
I just had this problem upgrading 20.03->20.09. When I looked at the permissions on the files in question, there was an odd mix of ownership, with acme:acme, acme:nginx, and nginx:nginx. I wasn’t sure what the intended result was, because the nginx user was not in the acme group and the acme user was not in the nginx group, so I compromised by setting the entire folder to acme:nginx. The next rebuild successfully launched the services.
I suspect a chown somewhere in the acme setup is missing a -R.
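As an added example (not code from this thread or from the NixOS ACME module), here is a small POSIX shell audit that lists every path under an ACME state directory whose owner:group differs from what you expect, such as the acme:nginx the post above settled on, so the mixed ownership it describes can be spotted before a rebuild instead of surfacing as a permission-denied error. It assumes GNU find (for -printf); the tree it runs on in the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# audit_ownership DIR OWNER GROUP
# Prints "owner:group path" for every path under DIR that is not OWNER:GROUP.
# Returns 0 when everything matches, 1 when at least one path differs,
# 2 when DIR does not exist. Requires GNU find for -printf (%u/%g give
# symbolic owner and group, falling back to numeric ids if unmapped).
audit_ownership() {
    dir=$1; want_owner=$2; want_group=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -printf '%u:%g %p\n' |
        awk -v want="$want_owner:$want_group" \
            '$1 != want { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# count_mismatches DIR OWNER GROUP
# Number of mismatching paths, convenient for scripting and for a quick
# before/after comparison around a nixos-rebuild.
count_mismatches() {
    audit_ownership "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Demo on a constructed tree shaped like /var/lib/acme (one host directory
# with a key and a .lego subdirectory). Files are owned by the caller, so
# no root is needed: the audit is clean for the caller's own owner:group
# and reports all five paths when acme:nginx is expected instead.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/mydomain.example/.lego"
: > "$demo_dir/mydomain.example/key.pem"
: > "$demo_dir/mydomain.example/.lego/account.json"
me=$(id -un); mygrp=$(id -gn)
echo "mismatches vs $me:$mygrp: $(count_mismatches "$demo_dir" "$me" "$mygrp")"
echo "mismatches vs acme:nginx: $(count_mismatches "$demo_dir" acme nginx)"
audit_ownership "$demo_dir" acme nginx || echo "ownership needs fixing (rc=$?)"
rm -rf "$demo_dir"
```

On a real system run it as `audit_ownership /var/lib/acme acme nginx` (or whatever pair your configuration expects) and let the printed lines tell you exactly which files a chown missed.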