[mostly FYI, with a question at the end]
beans.o.o was down for a while with an interesting[tm] error:
[Sat Sep 26 00:48:37.062786 2020] [ssl:emerg] [pid 30948] AH02565:
Certificate and private key beans.opensuse.org:443:0 from /etc/apache2/
ssl.crt/cert.pem and /etc/apache2/ssl.key/privkey.pem do not match
[Sat Sep 26 00:48:37.062809 2020] [:emerg] [pid 30948] AH00020:
Configuration Failed, exiting
and the result was that apache refused to start.
Trying to force-renew the certificate explained the problem:
# dehydrated --force --cron
+ Creating fullchain.pem...
cp: cannot stat '/etc/apache2/ssl.key/privkey.pem': Permission denied
Reloading apache2 service
apache2.service is not active, cannot reload.
/etc/apache2/ssl.key has an acl for dehydrated, but...
# getfacl ssl.key/
# file: ssl.key/
# owner: root
# group: root
user:dehydrated:rwx #effective:--- <--------- :-(
The solution was easy:
# chmod g+rwx ssl.key/
After that, dehydrated could write to ssl.key again, and apache happily
However, the directory is packaged with 700 permissions , so the
problem might come back with the next apache update.
If someone has an idea for a more permanent solution (that also survives
apache updates), please speak up ;-)
 # rpm -qvl apache2 |grep ssl.key
drwx------ 2 root root 0 Apr 8 2011 /etc/apache2/ssl.key
Look at Debian... its stable, works on a variety of platforms.... and
development is racing along at the speed of a turtle with 3 broken legs.
[Joseph M. Gaffney in opensuse]
To unsubscribe, e-mail: heroes+unsubscribe(a)opensuse.org
To contact the owner, e-mail: heroes+owner(a)opensuse.org