Let's Encrypt SSL couldn't start: "Error: EACCES: permission denied, open '/etc/letsencrypt/live/domain.net/privkey.pem'"


Problem description

I tried to use SSL with Node.js but it doesn't work because of permission denied.

var fs = require("fs");
var https = require("https");
// app, port and host are defined elsewhere in the application

try {
    var TLSoptions = {
        key: fs.readFileSync("/etc/letsencrypt/live/domain.work/privkey.pem"),
        cert: fs.readFileSync("/etc/letsencrypt/live/domain.work/cert.pem")
    };

    https.createServer(TLSoptions, app).listen(port, host, function() {
        console.log("TLS Website started.");
    });
} catch (e) {
    console.log(e);
}

=>

{ Error: EACCES: permission denied, open '/etc/letsencrypt/live/domain.work/privkey.pem'
at Object.fs.openSync (fs.js:663:18)
... (library dump)
errno: -13,
code: 'EACCES',
syscall: 'open',
path: '/etc/letsencrypt/live/domain.work/privkey.pem' }

So I tried to re-make the *.pem files.

rm -f /etc/letsencrypt/live
rm -f /etc/letsencrypt/archive    
rm -f /etc/letsencrypt/renewal
sudo ./letsencrypt-auto certonly -a standalone -d domain.work

And checked the file permissions.

/etc/letsencrypt/live/domain.work$ ls -lsa
total 12
4 drwxr-xr-x 2 root root 4096 Jan  3 21:56 .
4 drwx------ 3 root root 4096 Jan  3 21:56 ..
0 lrwxrwxrwx 1 root root   37 Jan  3 21:56 cert.pem -> ../../archive/domain.work/cert1.pem
0 lrwxrwxrwx 1 root root   38 Jan  3 21:56 chain.pem -> ../../archive/domain.work/chain1.pem
0 lrwxrwxrwx 1 root root   42 Jan  3 21:56 fullchain.pem -> ../../archive/domain.work/fullchain1.pem
0 lrwxrwxrwx 1 root root   40 Jan  3 21:56 privkey.pem -> ../../archive/domain.work/privkey1.pem

/etc/letsencrypt/archive/domain.work$ ls -lsa
total 24
4 drwxr-xr-x 2 root root 4096 Jan  3 21:56 .
4 drwx------ 3 root root 4096 Jan  3 21:56 ..
4 -rw-r--r-- 1 root root 1789 Jan  3 21:56 cert1.pem
4 -rw-r--r-- 1 root root 1647 Jan  3 21:56 chain1.pem
4 -rw-r--r-- 1 root root 3436 Jan  3 21:56 fullchain1.pem
4 -rw-r--r-- 1 root root 1708 Jan  3 21:56 privkey1.pem

But it is not resolved and I cannot find any mistakes or problems.
How do I resolve this problem?

Recommended answer

When you use sudo to issue the certificates, they will be owned by root. Since node is not run as root, and the permissions on the certificate folder do not allow them to be opened by anyone except the owner, your node app cannot see them.

To understand the solution, let us assume node is running as the user nodeuser.

Solution #1 (temporary):
You could switch the owner of the certificates to your node user.
$ sudo chown nodeuser -R /etc/letsencrypt
However, this may break any other items that look at the cert, such as Nginx or Apache.
It will also only last till your next update, which is no more than 90 days. On the other hand, whatever script you have that renews the cert can also set the owner.

Solution #2 (do not do this):
Run node as root.
$ sudo node index.js
This will run node as the root user, which means that the terribly insecure surface of node can access everything on your system. Please don't do this.

Solution #3 (do not do this either):
Open the certificates to everyone.
The certificates are stored in /etc/letsencrypt/archive/${domain}/cert1.pem, and are linked to from /etc/letsencrypt/live/${domain}/cert1.pem.

All folders in both of these paths are +x, meaning that all users on the system can open the folders, with the exception of the "live" and "archive" folders themselves.
You can make those open as well by changing their permissions.

$ sudo chmod +x /etc/letsencrypt/live
$ sudo chmod +x /etc/letsencrypt/archive

This is bad as it allows access from other unexpected sources. Generally, opening folders to everyone is a bad idea.

Solution #4 (do this):
On the other hand, you can create a limited group, and allow the permissions to be opened only for them.

# Create group with root and nodeuser as members
$ sudo addgroup nodecert
$ sudo adduser nodeuser nodecert
$ sudo adduser root nodecert

# Make the relevant letsencrypt folders owned by said group.
$ sudo chgrp nodecert /etc/letsencrypt/live
$ sudo chgrp nodecert /etc/letsencrypt/archive

# Allow the group to open the relevant folders
$ sudo chmod 710 /etc/letsencrypt/live
$ sudo chmod 710 /etc/letsencrypt/archive

That should allow node to access the folders with the certs, while not opening them to anyone else.

You should then reboot, or at least log out and in, after these changes.
(Many changes to permissions and groups require a new session, and we had issues with PM2 until reboot.)
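As an added illustration (not code from the question or the answer), the permission walk the kernel performs on open() before the fix and after solutions #3 and #4, modelled on the `ls -lsa` listing in the question. The mode of /etc/letsencrypt itself is not shown there and is assumed to be 755; the user and group names are the answer's.

```python
import stat
from collections import namedtuple

# One path component: absolute path, permission bits (octal), owner, group.
Entry = namedtuple("Entry", "path mode owner group")

def _allowed(e, user, groups, ubit, gbit, obit):
    """Classic Unix DAC: owner class wins, else group class, else others."""
    if e.owner == user:
        return bool(e.mode & ubit)
    if e.group in groups:
        return bool(e.mode & gbit)
    return bool(e.mode & obit)

def explain_access(entries, user, groups):
    """None if `user` (with effective `groups`) can read the last entry; otherwise the
    first directory lacking search (x) permission or the file lacking read permission."""
    *dirs, target = entries
    for d in dirs:
        if not _allowed(d, user, groups, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return f"EACCES: no search permission on {d.path} ({d.mode:o} {d.owner}:{d.group})"
    if not _allowed(target, user, groups, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return f"EACCES: no read permission on {target.path} ({target.mode:o})"
    return None

def with_changes(entries, changes):
    """Copy `entries`, replacing (mode, group) of every path listed in `changes`."""
    return [e._replace(mode=changes[e.path][0], group=changes[e.path][1])
            if e.path in changes else e for e in entries]

# Constructed from the `ls -lsa` output in the question. privkey.pem under live/ is a
# symlink into archive/, so open() must also traverse the archive branch modelled here.
ORIGINAL = [
    Entry("/etc", 0o755, "root", "root"),
    Entry("/etc/letsencrypt", 0o755, "root", "root"),          # assumed; not in the listing
    Entry("/etc/letsencrypt/archive", 0o700, "root", "root"),  # the `..` line of the listing
    Entry("/etc/letsencrypt/archive/domain.work", 0o755, "root", "root"),
    Entry("/etc/letsencrypt/archive/domain.work/privkey1.pem", 0o644, "root", "root"),
]
# Solution #3: `chmod +x` on the directory (700 -> 711 with the default umask).
WORLD_OPEN = with_changes(ORIGINAL, {"/etc/letsencrypt/archive": (0o711, "root")})
# Solution #4: `chgrp nodecert` plus `chmod 710`, so only group members may search it.
GROUP_ONLY = with_changes(ORIGINAL, {"/etc/letsencrypt/archive": (0o710, "nodecert")})

if __name__ == "__main__":
    node, other = ("nodeuser", {"nodeuser", "nodecert"}), ("otheruser", {"otheruser"})
    for name, tree in (("original", ORIGINAL), ("solution 3", WORLD_OPEN), ("solution 4", GROUP_ONLY)):
        for user, groups in (node, other):
            print(name, user, explain_access(tree, user, groups))
```

Because privkey1.pem itself is 644 in the listing, the directory bits are the only thing standing between the private key and every other local account, which is why solution #3 exposes it and solution #4 does not; the last check below also shows why a session without the new group still fails until re-login.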
