SSL Certificates - Permission denied


Paul Reed

Mar 3, 2016, 3:37:55 PM
to Node-RED
I'm using the pre-installed 'Jessie' Node-RED on an RP2, and hit a slight problem whilst trying to run NR in https mode.
In settings.js I have:

      https: {
      key: fs.readFileSync('/etc/letsencrypt/archive/mydomain.co.uk/privkey1.pem'),
      cert: fs.readFileSync('/etc/letsencrypt/archive/mydomain.co.uk/cert1.pem')
      },

which are the correct absolute paths for the certificates. If I start NR, I get:

Error loading settings file: /home/pi/.node-red/settings.js
{ [Error: EACCES, permission denied '/etc/letsencrypt/archive/mydomain.co.uk/privkey1.pem']
  errno: 3,
  code: 'EACCES',

However, if I copy the certificates to a folder within .node-red, and update settings.js to the certificate's absolute path (i.e. /home/pi/.node-red/certs/cert1.pem), everything works fine.

I've checked the permissions of the certificates at both locations and they are both identical root:root.

As the SSL certificates are automatically renewed every 3 months, I really need to be able to link to the actual certificates, otherwise I will have to manually copy them to .node-red every 3 months.

Paul

Mark Setrem

Mar 3, 2016, 4:43:38 PM
to Node-RED
Are you running Node-RED as pi, or as root?

Dave C-J

Mar 3, 2016, 4:51:22 PM
to node...@googlegroups.com
Paul - what are the permissions on the files? Usually certs and the like are 600 or 400 (owner-only rw or ro).
If so, then only root could read them. You can either change the owner to pi, or allow others to read (644) - up to you, depending on who else may get access to the filesystem.

Paul Reed

Mar 3, 2016, 5:08:58 PM
to Node-RED
@Mark, the 'jessie' pre-installed version uses systemd to run NR, and looking at the unit file, it appears to be running as pi.

[Service]
Type=simple
# Run as normal pi user - feel free to change...
User=pi
Group=pi

@Dave, the file permissions of the certificates are 644, exactly the same as the certificates in the .node-red directory, yet they appear to be read OK there.

Paul

Paul Reed

Mar 3, 2016, 5:21:04 PM
to Node-RED
Checking through the path of the certificates:

/etc/letsencrypt/archive/mydomain.co.uk/privkey1.pem

I can see that the 'archive' directory's permissions are set to 700 (owner rwx), whilst all others in the path are set to 755.
Could that be the issue?

Paul

Dave C-J

Mar 3, 2016, 5:28:53 PM
to node...@googlegroups.com
Yes - it can only be read by root... so pi can't see it.

Paul Reed

Mar 3, 2016, 5:38:48 PM
to Node-RED
I've found a confirmation post in the Let's Encrypt forum from someone else experiencing the same issue.
It's obviously more of an issue for Let's Encrypt than Node-RED, but thanks for the advice.

Paul

Dave C-J

Mar 3, 2016, 5:46:45 PM
to node...@googlegroups.com
Well... protecting certs is obviously a good idea... so 700 is a good thing to do... so it's down to the user to decide whether to open things up (maybe 744? to allow read).

Paul Reed

Mar 4, 2016, 4:59:12 PM
to Node-RED
For the benefit of anyone else having this issue with Let's Encrypt, now or in the future: I've found that the directories /etc/letsencrypt/live and /etc/letsencrypt/archive both need to have permissions set to 755, otherwise Node-RED's access to the certificates is denied (744 is denied).
This is far from ideal, and as Dave comments in the post above, it's a user decision!

The archive directory contains the actual certificates within a sub-directory, which are renewed every 3 months with a different name.
The live directory contains symlinks to the certificates within ~/archive, so the symlink names remain constant, i.e.

cert.pem -> ../../archive/mydomain.co.uk/cert24.pem

So in .node-red it's important that you provide the paths to 'live' and not 'archive', as the certificate names will change every 3 months, but the symlink names will not.
Example:
      https: {
      key: fs.readFileSync('/etc/letsencrypt/live/mydomain.co.uk/privkey.pem'),
      cert: fs.readFileSync('/etc/letsencrypt/live/mydomain.co.uk/cert.pem')
      },

Paul
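The script below is an added example, not code from this thread, from Node-RED or from Let's Encrypt. It turns the diagnosis worked out above into a repeatable check: to open a file, the kernel needs the search (x) bit on every directory in the path and the read (r) bit on the file itself; r on a directory only lets you list it. That is why 700 and 744 on /etc/letsencrypt/archive both deny the pi user while 755 works, and why the symlinks under live/ do not help on their own, since the kernel walks both the literal path and the target inside archive/. Permissions are evaluated from stat(1) output for a chosen uid and group list rather than by actually opening the file, so the answer is meaningful even when the script is run as root. It assumes Linux coreutils (or busybox) for `stat -L -c`, `realpath` and `dirname`; the uid/gid values and paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): explain an EACCES on a certificate
# path by checking each path component against the identity that Node-RED
# runs as. Requires GNU/busybox coreutils: stat -L -c, realpath, dirname.

# has_bit PATH UID "GID..." WANT  -> 0 if the identity has bit WANT
# (4 read, 2 write, 1 execute/search) on PATH, 1 if not, 2 if stat fails.
has_bit() {
    _path=$1; _uid=$2; _gids=$3; _want=$4
    [ "$_uid" -eq 0 ] && return 0          # root bypasses mode bits (DAC override)
    _info=$(stat -L -c '%u %g %a' "$_path" 2>/dev/null) || return 2
    set -- $_info
    _fuid=$1; _fgid=$2; _mode=$3
    _mode=$(printf '%s' "$_mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    if [ "$_fuid" -eq "$_uid" ]; then
        _bits=$(printf '%s' "$_mode" | cut -c1)   # owner triplet
    elif printf ' %s ' "$_gids" | grep -q " $_fgid "; then
        _bits=$(printf '%s' "$_mode" | cut -c2)   # group triplet
    else
        _bits=$(printf '%s' "$_mode" | cut -c3)   # other triplet
    fi
    [ $(( _bits & _want )) -ne 0 ]
}

# walk_one PATH UID "GID..." -> prints every component that denies access.
# Each ancestor directory needs search (1); the file itself needs read (4).
walk_one() {
    _p=$1; _u=$2; _g=$3; _rc=0
    has_bit "$_p" "$_u" "$_g" 4 || { echo "read denied: $_p"; _rc=1; }
    _d=$(dirname "$_p")
    while [ "$_d" != "/" ] && [ "$_d" != "." ]; do
        has_bit "$_d" "$_u" "$_g" 1 || { echo "search denied: $_d"; _rc=1; }
        _d=$(dirname "$_d")
    done
    return $_rc
}

# perm_walk PATH UID "GID..." -> 0 if the identity can open PATH, 1 if not,
# 2 if PATH cannot be resolved. The live/ symlinks point into archive/, and
# the kernel traverses both the literal path and the resolved target, so
# both are walked.
perm_walk() {
    _target=$1; _pu=$2; _pg=$3; _prc=0
    _real=$(realpath "$_target" 2>/dev/null) || { echo "cannot resolve: $_target"; return 2; }
    walk_one "$_target" "$_pu" "$_pg" || _prc=1
    if [ "$_real" != "$_target" ]; then
        walk_one "$_real" "$_pu" "$_pg" || _prc=1
    fi
    [ "$_prc" -eq 0 ] && echo "ok: $_target"
    return $_prc
}

# Usage for the case in this thread (systemd runs Node-RED as pi):
#   perm_walk /etc/letsencrypt/live/mydomain.co.uk/privkey.pem "$(id -u pi)" "$(id -G pi)"
# prints "search denied: /etc/letsencrypt/archive" while archive/ is 700 or 744.
```

Run it once with the service account's uid and groups before and after changing modes; every component it flags must be fixed, so a 755 on archive/ alone is not enough if live/ is still 700. Setting both directories to 755, as the post above does, lets every local account traverse to the key files, and with the 644 key files reported earlier in the thread that means every local account can read the private key. A narrower option that the thread does not discuss is to give the two directories a dedicated group (root:certreaders, mode 750), set the private key to 640 with the same group, and add pi to that group; the script above will report the result correctly for that layout too.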