
NGINX Amplify and LetsEncrypt




When using the great NGINX Amplify service, you may find that its agent cannot read the LetsEncrypt SSL certificates configured in NGINX.

The main symptom is that you cannot see certificate details in Amplify's Config analysis, and this error appears instead:

OSError: Permission denied

The fix

The reason for the issue is that the Amplify agent runs as a non-privileged user (typically, nginx), but the LetsEncrypt certificates are owned by root.

NGINX itself has no issue reading those certificates because they are loaded by the NGINX master process, which runs as root.

So the fix is to let the nginx user read the LetsEncrypt certificates as well. The ACL below grants read and directory-traversal access, and its d: default entry makes files created by later renewals inherit it:

setfacl --recursive --modify u:nginx:rX,d:u:nginx:rX \
  /etc/letsencrypt/archive \
  /etc/letsencrypt/live

Now restart the Amplify agent’s service so it re-reads your certificates.
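The recursive ACL also applies to the privkey files that certbot keeps next to the certificates in /etc/letsencrypt/archive, so it is worth checking exactly what the nginx user can now read. The script below is an added example, not part of the original post: it parses `getfacl` output and lists the private keys readable by a given user, honoring the ACL mask. The function names are hypothetical, and the sample input is constructed with example.com as a placeholder domain.

```shell
#!/bin/sh
# Added example (not from the original post): audit what the ACL exposes.
# Input on stdin: output of `getfacl --recursive --absolute-names <dirs>`.

# Print every path where the named user has a read entry that the mask allows.
acl_readable_by() {
    awk -v user="$1" '
        function emit() {
            if (path != "" && perms ~ /^r/ && (mask == "" || mask ~ /^r/)) print path
            path = ""; perms = ""; mask = ""
        }
        /^# file: / { emit(); path = substr($0, 9); next }
        /^user:/    { split($0, f, ":"); if (f[2] == user) perms = f[3]; next }
        /^mask::/   { mask = substr($0, 7); next }
        END         { emit() }
    '
}

# Narrow the list to certbot private keys (privkey.pem, privkey1.pem, ...).
exposed_private_keys() {
    acl_readable_by "$1" | grep -E '/privkey[0-9]*\.pem$' || true
}

# Constructed sample in getfacl format (owner/group header lines omitted).
sample_getfacl_output() {
    cat <<'EOF'
# file: /etc/letsencrypt/archive/example.com/cert1.pem
user::rw-
user:nginx:r--
group::r--
mask::r--
other::r--

# file: /etc/letsencrypt/archive/example.com/privkey1.pem
user::rw-
user:nginx:r--
group::---
mask::r--
other::---

# file: /etc/letsencrypt/archive/example.com/privkey2.pem
user::rw-
user:nginx:r--
group::---
mask::---
other::---
EOF
}

sample_getfacl_output | exposed_private_keys nginx
```

On a live host, pipe `getfacl --recursive --absolute-names /etc/letsencrypt/archive /etc/letsencrypt/live` into `exposed_private_keys nginx` instead of the sample. In the sample, privkey2.pem is not reported because its mask removes the read bit from the named-user entry.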

Did you think it would be more complicated? 😀

P.S. If you’re affected by this other Amplify+LetsEncrypt “compatibility” issue, upvote it so it gets resolved!
