3

I have a DigitalOcean droplet running Ubuntu 16.04. I followed this guide to use HTTPS with my Node.js server.

In short

I used certbot to create an SSL certificate, which meant that at this directory /etc/letsencrypt/live/yourdomain.com/, 3 files were created:

  1. privkey.pem
  2. cert.pem
  3. chain.pem

So in my server code, I have to fetch these files, which I do:

const fs = require('fs');

// Certificate: private key, leaf certificate and intermediate chain from certbot
const privateKey = fs.readFileSync('/etc/letsencrypt/live/yourdomain.com/privkey.pem', 'utf8');
const certificate = fs.readFileSync('/etc/letsencrypt/live/yourdomain.com/cert.pem', 'utf8');
const ca = fs.readFileSync('/etc/letsencrypt/live/yourdomain.com/chain.pem', 'utf8');

The Problem

When I tried to run my server using the command node server, or using pm2 start server I got this error message:

  { Error: EACCES: permission denied, open '/etc/letsencrypt/live/yourdomain.com/privkey.pem'
    at Object.fs.openSync (fs.js:646:18)
    at Object.fs.readFileSync (fs.js:551:33)
    at Object.<anonymous> (/home/myuser/mywebsite/lib/server-configurations.js:13:21)
    at Module._compile (module.js:653:30)
    at Object.Module._extensions..js (module.js:664:10)
    at Module.load (module.js:566:32)
    at tryModuleLoad (module.js:506:12)
    at Function.Module._load (module.js:498:3)
    at Module.require (module.js:597:17)
    at require (internal/module.js:11:18)
  errno: -13,
  code: 'EACCES',
  syscall: 'open',
  path: '/etc/letsencrypt/live/yourdomain.com/privkey.pem' }
 

BUT

When I tried launching it using sudo node server it did work without any problems.

Small Notice

I know I can change the permissions on the files, but I would rather not do that, as I have read multiple times that it is better not to change the permissions on these files.

And most importantly...

Thank you for your help :)

0_jump
  • Why is it better to not change the permissions on these files instead of launching your app as root ? – TGrif Mar 03 '19 at 10:56
  • @TGrif I do not really know, but I have seen it so many times said to not change the permissions in Linux especially for sensitive data. I am not really an expert on Linux as it is my first time managing a Linux server (or managing a server for that matter). I would love to know if you think there is no problem in changing the permissions, and if you think there is a flaw in my thinking about this. – 0_jump Mar 03 '19 at 19:32
  • My advice on this is to never launch your app as root. So I think you have to deal with your cert files' permissions one way or another. – TGrif Mar 06 '19 at 22:54

2 Answers

1

I did change permissions according to "Let's encrypt SSL couldn't start by 'Error: EACCES: permission denied, open '/etc/letsencrypt/live/domain.net/privkey.pem''". That worked for running

node file.js

Still now pm2's process somehow can't access the certs even though it should be running as the same user as node... perplexing.

Jeroenv3
  • I am having the exact same problem. After changing permissions I can run the program myself, but PM2 cannot, even though it's supposed to be running it as my user. Did you ever find a solution? – bumbleshoot Dec 07 '20 at 23:24
  • I had the same issue, rebooted the machine, it worked. – ecdpalma Mar 18 '21 at 23:20
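
A way to see which path component actually produces the EACCES, and why two processes with the same uid can get different answers. This is an added example, not code from the question or from any answer. The stat table, its modes and gid 115 are constructed assumptions. A process keeps the supplementary group list it started with; that this explains the pm2 behaviour described above is an assumption, not something the thread confirms.

```javascript
// Pick the rwx triplet that applies: owner, else group, else other.
function permBits(st, uid, gids) {
  if (uid === st.uid) return (st.mode >> 6) & 7;
  if (gids.includes(st.gid)) return (st.mode >> 3) & 7;
  return st.mode & 7;
}

// Walk from / to target and return the first component the caller cannot
// search (x on a directory) or read (r on the final file), else null.
// On a real host, omit statFn and pass process.getuid(), process.getgroups().
function firstDenied(target, uid, gids, statFn = require('fs').statSync) {
  if (uid === 0) return null; // root bypasses mode-bit checks
  const parts = target.split('/').filter(Boolean);
  let cur = '';
  for (let i = 0; i < parts.length; i++) {
    cur += '/' + parts[i];
    const st = statFn(cur);
    const need = i === parts.length - 1 ? 4 : 1;
    if ((permBits(st, uid, gids) & need) === 0) {
      return { path: cur, mode: (st.mode & 0o777).toString(8), need: need === 4 ? 'r' : 'x' };
    }
  }
  return null;
}

// Constructed stat table, not read from a real host. Modes are assumptions
// chosen to reproduce the EACCES; gid 115 is a hypothetical cert-readers group.
const KEY = '/etc/letsencrypt/live/yourdomain.com/privkey.pem';
const rootOnly = {
  '/etc': { uid: 0, gid: 0, mode: 0o755 },
  '/etc/letsencrypt': { uid: 0, gid: 0, mode: 0o755 },
  '/etc/letsencrypt/live': { uid: 0, gid: 0, mode: 0o700 },
  '/etc/letsencrypt/live/yourdomain.com': { uid: 0, gid: 0, mode: 0o755 },
  [KEY]: { uid: 0, gid: 0, mode: 0o600 },
};
// Same tree after granting the group search on live/ and read on the key.
const groupReadable = {
  ...rootOnly,
  '/etc/letsencrypt/live': { uid: 0, gid: 115, mode: 0o750 },
  [KEY]: { uid: 0, gid: 115, mode: 0o640 },
};
const statFrom = (table) => (p) => table[p];

console.log(firstDenied(KEY, 1000, [1000], statFrom(rootOnly)));
console.log(firstDenied(KEY, 1000, [1000, 115], statFrom(groupReadable)));
// Same uid, but started before the group was added to the account:
console.log(firstDenied(KEY, 1000, [1000], statFrom(groupReadable)));
```

The files under live/ are symlinks into /etc/letsencrypt/archive/, so on a real host run the same check against the archive path as well.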
0

You can use this certbot script.

More info on certbot renewals might be helpful, as well as other solutions for this issue on the Let's Encrypt forums.

tehp