Trouble with fullchain.pem access denied

I am trying to setup grafana in https.
when I put fullchain.pem and privkey.pem in /etc/grafana everything is working.
but I need to leave those files in letsencrypt/live/ folder. when I try to restart, I get
"logger=server reason=“open /etc/letsencrypt/live/ permission denied”

do you have any idea please

It sounds like you have some kind of problem with your permissions. Depending on what operating system you’re running Grafana on this might have to do with a few different reasons. Based on the information you’ve provided it sounds like you’re using Linux where the single most likely problem is that you have the wrong permissions.

If you haven’t worked with Unix file permissions (which is what Linux uses) I’d recommend Julia Evans’ comic book-style introduction to start with.

It’s also possible that it’s SELinux (Red Hat Enterprise Linux & Fedora) or AppArmor (Ubuntu) that’s causing your problems in which case you should record a rule to allow Grafana to read its certificate configuration. But let’s start with the assumption that we’re being prevented from accessing the files with regular Unix permissions:

Can you post the output from ls -la /etc/letsencrypt/live/ (Just make sure to remove anything you don’t want to share — the only important thing is the line that looks like rwx-r------).

every files under have this permission:
drwx------ 4 root root 4096 févr. 5 18:31 live/
and I am working under Linux
VERSION=“16.04.6 LTS (Xenial Xerus)”

Ah, yeah, it’s the permissions :slight_smile:

What you’ll want to do is allow the Grafana user (called grafana if you’ve used the .deb-package or apt-repo to install Grafana) to access the contents of the directory.

You could try with running the following two commands to make sure the grafana user group (semantics) gets ownership (chown) and reading rights (chmod) for the certificates

# Change ownership of the directory the certificates are stored in to the root user and the grafana users' group.
sudo chown -R root:grafana /etc/letsencrypt/live/
# Allow the group which owns the directory to open and list the content of the directory.
sudo chmod 750 /etc/letsencrypt/live/
# Grant reading-rights for all certificates inside of the directory to the group.
sudo chmod 640 /etc/letsencrypt/live/*

I’m not sure how this will work when refreshing the certificates, I couldn’t find anything good on that topic, sadly :confused:

Thank you I don’t use grafana group but it s working like this thank you

1 Like