Letsencrypt: Tor2web does not load certificates that are a symlink of a symlink in letsencrypt

[fpietrosanti]

Tor2web does not load certificates that are a symlink of a symlink, and this does not load proper implementation of letsencrypt in a maintainable way where all /home/tor2web/certs/ files are symlink to the /etc/letsencrypt/live/$DOMAINNAME/files.

Those get setup as:
ln -s /etc/letsencrypt/live/$PUBLICHOSTNAME/privkey.pem /home/tor2web/certs/tor2web-key.pem
ln -s /etc/letsencrypt/live/$PUBLICHOSTNAME/cert.pem /home/tor2web/certs/tor2web-certificate.pem
ln -s /etc/letsencrypt/live/$PUBLICHOSTNAME/fullchain.pem /home/tor2web/certs/tor2web-intermediate.pem

The file on letsencrypt directory /etc/letsencrypt/live are also symlink to /etc/letsencrypt/archive/ .

The error preventing Tor2web to startup is:
Tor2web Startup Failure: unexistent file (/home/tor2web/certs/tor2web-key.pem)

If i issue on Linux a cat /home/tor2web/certs/tor2web-key.pem it works properly

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[fpietrosanti]

For some reason, even trough the file where accessibile, it's parent-parent directory was root owned with 700 permissions, and maybe tor2web is doing some kind of file access testing that trigger an access denied.

By changing the letsencrypt permissions as follow, everything worked out, but ideally tor2web shall be able access those files directly:
chgrp tor2web /etc/letsencrypt/live/
chgrp tor2web /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/archive
chmod g+rx /etc/letsencrypt/live

I'm wondering if the way tor2web test file access cannot be made compatibile with such restricted permissions, without changing the permissions of letsencrypt.

[fpietrosanti]

The fix to do is that:
IF letsencrypt is installed and letsencrypt certificate is configured;
then fix permissions
FI