12

Getting the following error in NGINX server, using Let's Encrypt's free SSL certificate.

```
2016/06/23 19:53:13 [warn] 5013#0: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1

2016/06/23 19:53:13 [emerg] 5013#0: BIO_new_file("/etc/letsencrypt/live/abc/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/abc/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
```

Piyush Patel

6 Answers

13

Both problems have one root cause.

  1. This error usually happens when you try to start nginx as a non-root user. You could try to start it as root or under sudo.

  2. It looks like you have permissions on your pem file which do not allow nginx to read it when you start it as a non-root user; you could try to change the file permissions or start nginx as root or under sudo.

  • I have the same thought as @Alexander T: it seems that your nginx was started without root rights, but your certificate is probably owned by root (to check the permissions and owner of your certificate: `ls -l /etc/letsencrypt/live/abc/fullchain.pem`) – jquiaios Jun 24 '16 at 06:19
  • 2
    Foolishly forgot to run `service nginx restart` as root. sudo-ing it solved it for me – jcaruso Jul 14 '18 at 18:15
12

If your chmod and chown are all correct on the file, this is probably because you copied a file into a folder - maybe a home folder (say) - then mv'd the file into position for NGINX. SELinux remembers the original file creation location and applies the rights wherever the file is mv'd to. To reset the SELinux permissions to the current location/file permissions, use

```
restorecon filename
```

This usually sorts it.

Paul Horrix
  • This fixed it for me. The crt and key files were generated in a user folder and despite changing the ownership and running nginx as root, the file was giving permission denied. Running restorecon fixed it. Thanks! – fractal5 Jun 20 '22 at 16:42
8

Hello, I also had a similar issue.

```
setenforce 0
```

It was solved this way.

Zendem
  • 2
    This can impact your entire system security, I would recommend setting SELinux properly instead of deactivating it. – Julien B. Nov 07 '21 at 13:57
  • I think this answer could be an OK answer if it explains what it's doing, and why it's not recommended. – mwfearnley Dec 23 '21 at 12:53
5

If you run the nginx worker process as the www-data user, you just need to set rights on the /etc/letsencrypt/ folder:

```
chown -R www-data:www-data /etc/letsencrypt/
chmod -R 755 /etc/letsencrypt/
```

It should work.

lejlun
ndK
1

In my case (Oracle Linux 8), a similar issue was resolved after changing the contexts of the .pem files.

```
$ chcon -t httpd_sys_content_t *.pem
```

Donggi Kim
0

In my case, I solved it by copying the files to the /etc/ssl/certs/ folder and changing the path in nginx.conf.

monk
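
The answers above point at two separate layers that can produce this `Permission denied`: ownership and mode bits anywhere along the path, and the SELinux label on the file. The script below is an added example, not code from any of the answers: it reports every path component (including the symlink-resolved path) whose mode bits deny a given user, and prints the file's SELinux label. It models classic mode bits only (no ACLs or capabilities); the function names and the command-line usage are assumptions of this example, and it should be run as root so that every component can be inspected.

```python
import os
import stat

def dac_allows(st, uid, gids, need):
    """Unix mode-bit check: the first matching class (owner, group, other) decides."""
    if uid == 0:
        return True  # root bypasses read and directory-search mode bits
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & {"r": 4, "x": 1}[need])

def _chain(path):
    """Return '/', '/etc', ... down to path itself."""
    out = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        out.append(path)
    return out[::-1]

def blockers(path, uid, gids):
    """List (component, missing_bit) for every component that denies uid/gids."""
    found, seen = [], set()
    # Check the path as written and the symlink-resolved path: both chains are traversed.
    for candidate in (os.path.abspath(path), os.path.realpath(path)):
        for comp in _chain(candidate):
            if comp in seen:
                continue
            seen.add(comp)
            st = os.stat(comp)  # follows symlinks, as open() would
            need = "x" if stat.S_ISDIR(st.st_mode) else "r"
            if not dac_allows(st, uid, gids, need):
                found.append((comp, need))
    return found

def selinux_label(path):
    """SELinux context stored on the file, or None if absent or unsupported."""
    try:
        return os.getxattr(path, "security.selinux").decode().rstrip("\x00")
    except (OSError, AttributeError):
        return None

if __name__ == "__main__":
    import pwd, sys
    cert, user = sys.argv[1], sys.argv[2]  # assumed usage: <pem path> <nginx user>
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    for comp, need in blockers(cert, pw.pw_uid, gids):
        print(f"{comp}: missing '{need}' for {user}")
    print("SELinux label:", selinux_label(os.path.realpath(cert)))
```

An empty list while nginx still fails to open the file means the mode bits are not the cause, which leaves the SELinux layer that the `restorecon` and `chcon` answers address.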