NGINX Amplify and LetsEncrypt


With the great NGINX Amplify service, you may run into an issue where its agent cannot read the LetsEncrypt SSL certificates that are configured in NGINX.

The main symptom is that you cannot see certificate details in Amplify's Config analysis, and this error appears instead:

OSError: Permission denied

The fix

The reason for the issue is that the Amplify agent runs as a non-privileged user (typically nginx), while the LetsEncrypt certificates are owned by root.

NGINX itself has no issue reading those certificates because they are loaded by the NGINX master process, which runs as root.

So the fix is to allow the nginx user to read the LetsEncrypt certificates as well:

setfacl --recursive --modify u:nginx:rX,d:u:nginx:rX \
  /etc/letsencrypt/archive \

Now you can restart Amplify agent’s service so it can re-read your certificates.
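
To check that the ACL took effect, here is an added example (not from the original post) that summarises `getfacl -R` output for one user. For each path it reports whether the user has effective read access and whether a default entry exists (directories need one so that files written at renewal inherit access), and it marks `privkey*.pem` files, which the recursive grant also makes readable. The names `audit_acl` and `sample_getfacl` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `getfacl -R` output for one user (not the author's code).
# On a host:  getfacl -R /etc/letsencrypt/archive 2>/dev/null | audit_acl nginx
audit_acl() {
  awk -v u="$1" '
    function emit() {
      if (path == "") return
      key = (path ~ /(^|\/)privkey[0-9]*\.pem$/) ? " private-key" : ""
      printf "%s read=%s default=%s%s\n", path, rd, df, key
    }
    /^# file: / { emit(); path = substr($0, 9); rd = "no"; df = "no"; next }
    index($1, "user:" u ":") == 1 {
      perms = substr($1, length("user:" u ":") + 1)
      # getfacl appends "#effective:..." when the mask narrows the entry
      if ($2 ~ /^#effective:/) perms = substr($2, 12)
      if (substr(perms, 1, 1) == "r") rd = "yes"
    }
    index($1, "default:user:" u ":") == 1 { df = "yes" }
    END { emit() }
  '
}

# Constructed sample input, trimmed to the ACL entry lines.
sample_getfacl() {
  cat <<'EOF'
# file: etc/letsencrypt/archive
user::rwx
user:nginx:r-x
group::---
mask::r-x
default:user::rwx
default:user:nginx:r-x
default:mask::r-x

# file: etc/letsencrypt/archive/example.com/privkey1.pem
user::rw-
user:nginx:r--
group::---
mask::r--

# file: etc/letsencrypt/archive/example.com/cert2.pem
user::rw-
user:nginx:r-x  #effective:---
group::---
mask::---
EOF
}
sample_getfacl | audit_acl nginx
```

A `read=no` line on a certificate file means the agent will still hit Permission denied for that path, even though an entry for the user exists.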

Did you think it would be more complicated? 😀

P.S. If you’re affected by this other Amplify+LetsEncrypt “compatibility” issue, vote it up so it gets resolved!
