With the great NGINX Amplify service, you may run into an issue where its agent cannot read the LetsEncrypt SSL certificates that are configured in NGINX.
The main symptom is that you cannot see certificate details in Config analysis of Amplify, and there is this error instead:
OSError: Permission denied
The fix
The reason for the issue is that the Amplify agent runs as a non-privileged user (typically, nginx), but the LetsEncrypt certificates are owned by root.
NGINX itself has no issue reading those certificates because they are loaded by the NGINX master process, which runs as root as well.
So our fix is to allow the nginx user to read the LetsEncrypt certificates as well:
setfacl --recursive --modify u:nginx:rX,d:u:nginx:rX \
/etc/letsencrypt/archive \
/etc/letsencrypt/live
Now you can restart the Amplify agent’s service so it can re-read your certificates.
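To confirm the ACL took effect, here is an added example (not part of the original post) that reads `getfacl` output and reports what a named user can effectively do, which is the user's entry limited by the mask entry. The function name `effective_acl` and both sample outputs are constructed for illustration.

```shell
# Effective rights of a named user, from `getfacl` output on stdin.
# Effective = the user's entry ANDed with the mask entry.
effective_acl() {   # $1 = user, $2 = access (default choice) or default
    awk -F: -v user="$1" -v kind="${2:-access}" '
        /^#/ || NF == 0 { next }              # header comments, blank lines
        { sub(/[ \t]*#.*/, "") }              # strip "#effective:" notes
        kind == "access"  && $1 == "default" { next }
        kind == "default" && $1 != "default" { next }
        kind == "default" { sub(/^default:/, "") }
        $1 == "user" && $2 == user { entry = $3 }
        $1 == "mask" { mask = $3 }
        END {
            if (entry == "") { print "none"; exit }
            if (mask == "") mask = "rwx"
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1)
                out = out ((e != "-" && e == substr(mask, i, 1)) ? e : "-")
            }
            print out
        }'
}
# Constructed sample: a directory after the setfacl command above.
sample_dir() { cat <<'EOF'
# file: etc/letsencrypt/live
user::rwx
user:nginx:r-x
group::---
mask::r-x
other::---
default:user::rwx
default:user:nginx:r-x
default:group::---
default:mask::r-x
default:other::---
EOF
}
# Constructed sample: a file whose mask hides the nginx entry.
sample_masked() { cat <<'EOF'
# file: etc/letsencrypt/archive/example.com/cert1.pem
user::rw-
user:nginx:r--  #effective:---
group::---
mask::---
other::---
EOF
}
sample_dir | effective_acl nginx
sample_dir | effective_acl nginx default
sample_masked | effective_acl nginx
```

On a real host, pipe live output in, for example `getfacl /etc/letsencrypt/live | effective_acl nginx`. Because the ACL is applied recursively, the same check run against the private key files under /etc/letsencrypt/archive shows that the nginx user can read those as well.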
Did you think it would be more complicated? 😀
P.S. If you’re affected by this other Amplify+LetsEncrypt “compatibility” issue, vote up for it to be resolved!