[heroes] beans.o.o was down / certificate handling fun
Hello,

[mostly FYI, with a question at the end]

beans.o.o was down for a while with an interesting[tm] error:

[Sat Sep 26 00:48:37.062786 2020] [ssl:emerg] [pid 30948] AH02565: Certificate and private key beans.opensuse.org:443:0 from /etc/apache2/ssl.crt/cert.pem and /etc/apache2/ssl.key/privkey.pem do not match
[Sat Sep 26 00:48:37.062809 2020] [:emerg] [pid 30948] AH00020: Configuration Failed, exiting

and the result was that apache refused to start.

Trying to force-renew the certificate explained the problem:

# dehydrated --force --cron
[...]
 + Done!
 + Creating fullchain.pem...
cp: cannot stat '/etc/apache2/ssl.key/privkey.pem': Permission denied
Reloading apache2 service
apache2.service is not active, cannot reload.

/etc/apache2/ssl.key has an ACL for dehydrated, but...

# getfacl ssl.key/
# file: ssl.key/
# owner: root
# group: root
user::rwx
user:dehydrated:rwx             #effective:---   <--------- :-(
group::---
mask::---
other::---
default:user::rwx
default:user:dehydrated:rwx
default:group::---
default:mask::rwx
default:other::---

The solution was easy:

# chmod g+rwx ssl.key/

After that, dehydrated could write to ssl.key again, and apache happily started.

However, the directory is packaged with 700 permissions [1], so the problem might come back with the next apache update.

If someone has an idea for a more permanent solution (that also survives apache updates), please speak up ;-)

Regards,

Christian Boltz

[1]
# rpm -qvl apache2 |grep ssl.key
drwx------    2 root    root                        0 Apr  8  2011 /etc/apache2/ssl.key

--
Look at Debian... its stable, works on a variety of platforms.... and
development is racing along at the speed of a turtle with 3 broken legs.
[Joseph M. Gaffney in opensuse]

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org
On 26/09/2020 14.39, Christian Boltz wrote:
> However, the directory is packaged with 700 permissions [1], so the
> problem might come back with the next apache update.
>
> If someone has an idea for a more permanent solution (that also
> survives apache updates), please speak up ;-)
>
> Regards,
>
> Christian Boltz
>
> [1]
> # rpm -qvl apache2 |grep ssl.key
> drwx------    2 root    root                        0 Apr  8  2011 /etc/apache2/ssl.key

setfacl -m g:root:rwx /etc/apache2/ssl.key/

after an update, getfacl /etc/apache2/ssl.key/ still shows the extra ACL permissions present.

otherwise, we could still write a custom update-script and/or use /etc/permissions
or you create a hardlink with ln and let dehydrated access the key there. Because then directory permissions don't apply.
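The failure both messages are working around is the POSIX ACL mask: the rights a named user entry such as user:dehydrated:rwx actually grants are the entry ANDed with the mask:: entry, which is what getfacl prints as "#effective:". When a directory carries an extended ACL, the group bits of its mode *are* the mask entry, so a package update that resets the mode to 0700 silently drops the mask to ---, and `chmod g+rwx` restores it; `setfacl -m ...` without -n also recalculates the mask, which is why the reply's setfacl line reopens it too. The script below is an added example, not code from either message or from the dehydrated or apache2 packages: it evaluates a getfacl listing the way the kernel does, so the mask problem can be spotted in a check script before apache fails to start. The listing is constructed to mirror the ssl.key/ output in the first message, and the function names (acl_and, effective_perms, set_mask) are mine.

```shell
#!/bin/sh
# Added example: compute the effective rights of a named ACL entry
# (entry AND mask) from getfacl output, and simulate the mask change
# that `chmod g+rwx dir` (or a mask-recalculating setfacl) performs.

# Constructed getfacl listing modelled on the thread's broken ssl.key/
BROKEN_ACL='# file: ssl.key/
# owner: root
# group: root
user::rwx
user:dehydrated:rwx             #effective:---
group::---
mask::---
other::---
default:user::rwx
default:user:dehydrated:rwx
default:group::---
default:mask::rwx
default:other::---'

# acl_and RWX1 RWX2: bitwise AND of two rwx strings, e.g. rwx r-x -> r-x
acl_and() {
    a=$1; b=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$a" | awk -v i="$i" '{ print substr($0, i, 1) }')
        cb=$(printf '%s\n' "$b" | awk -v i="$i" '{ print substr($0, i, 1) }')
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# effective_perms LISTING USER: rights USER really gets from the access ACL.
# Only the access ACL counts (default:* entries are inherited by new files,
# they do not grant anything on the directory itself).
effective_perms() {
    facl=$1; user=$2
    entry=$(printf '%s\n' "$facl" | awk -F: -v u="$user" \
        '$1 == "user" && $2 == u { print substr($3, 1, 3) }')
    mask=$(printf '%s\n' "$facl" | awk -F: \
        '$1 == "mask" && $2 == "" { print substr($3, 1, 3) }')
    # no named entry for that user: nothing is granted via the ACL
    [ -n "$entry" ] || { printf '%s' '---'; return; }
    # minimal ACL without a mask entry: the named entry applies as written
    [ -n "$mask" ] || { printf '%s' "$entry"; return; }
    acl_and "$entry" "$mask"
}

# set_mask LISTING RWX: what `chmod g+rwx` does to a directory that has an
# extended ACL, i.e. it rewrites the mask entry, not the group:: entry.
set_mask() {
    printf '%s\n' "$1" | sed "s/^mask::.*/mask::$2/"
}

# Demonstration on the constructed listing
printf 'before chmod g+rwx: dehydrated effectively gets %s\n' \
    "$(effective_perms "$BROKEN_ACL" dehydrated)"
FIXED_ACL=$(set_mask "$BROKEN_ACL" rwx)
printf 'after  chmod g+rwx: dehydrated effectively gets %s\n' \
    "$(effective_perms "$FIXED_ACL" dehydrated)"
```

On a real host (assuming getfacl is installed) the same function can be fed live output, e.g. `effective_perms "$(getfacl -p /etc/apache2/ssl.key)" dehydrated`, and a post-update hook or monitoring check can alert when the result is not rwx. Note that the default:mask::rwx entry in the listing is why files created inside the directory keep working; it is only the directory's own access mask that the 0700 mode clobbers.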
participants (2)
- Bernhard M. Wiedemann
- Christian Boltz