Today, while mucking about with a new cronjob and log file for acme.sh, I stumbled across these error messages:
[18:37 certs dan ~] % sudo grep unreadable /var/log/acme.sh.log | less
[Sat Oct 7 18:02:02 UTC 2023] key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable
[Sat Oct 7 18:02:05 UTC 2023] key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable
[Sat Oct 7 18:02:08 UTC 2023] key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable
Why was I stumbling around? This email arrived after the daily cert renewal:
Renew Error Skipped by certs.int.unixathome.org

Error certs:
beta.bsdcan.org
dan.langille.org
freshports.org

Skipped certs:
...
Three skips. Three error messages.
Let’s look at that file:
[18:37 certs dan ~] % sudo ls -l /var/db/acme/certs.int.unixathome.org.key
-rw-r----- 1 root acme 116 Oct 6 20:21 /var/db/acme/certs.int.unixathome.org.key
That should be readable. I checked some ZFS snapshots from earlier this week. The same permissions were there on the old K-format key (the listing is taken from the host, so the jail's acme user shows up as its numeric uid and gid, 169):

[18:05 r730-01 dvl /jails/certs/.zfs/snapshot/autosnap_2023-10-01_00:00:13_daily] % sudo ls -l var/db/acme
total 108
drwxr-x---  3 169   169    11 Jul 30 19:58 .acme.sh
-rw-------  1 169   169 20959 Mar 29  2023 .bash_history
-rw-------  1 169   169  2750 Mar 29  2023 .joe_state
-rw-------  1 169   169   374 Jan  2  2022 .lesshst
-rw-------  1 169   169  1024 Nov 27  2018 .rnd
-rw-------  1 169   169    87 Aug  3 13:32 .sh_history
-rw-r--r--  1 169   169    29 Jan  3  2022 .zshrc
-rw-r-----  1 root  169   131 Jun 21  2017 Kcerts.int.unixathome.org.+165+59977.key
-rw-r-----  1 root  169   232 Jun 21  2017 Kcerts.int.unixathome.org.+165+59977.private
drwxr-xr-x  2 169   169     6 Dec 19  2020 bin
drwxr-xr-x  2 root  169     2 Mar 15  2019 certs
-rw-r--r--  1 169   169  4226 Dec 19  2020 certs-list
Yep, chmod 0640 and chown root:acme.
So why can’t it read it? Here is the relevant part of my account.conf file:

SAVED_NSUPDATE_SERVER='dns-hidden-master.int.unixathome.org'
SAVED_NSUPDATE_SERVER_PORT='53'
#SAVED_NSUPDATE_KEY='/var/db/acme/Kcerts.int.unixathome.org.+165+59977.key'
SAVED_NSUPDATE_KEY=’/var/db/acme/certs.int.unixathome.org.key’
SAVED_NSUPDATE_ZONE=''
It took me a while, but I figured it out. Backticks, not quotes. Here is the fixed code:
SAVED_NSUPDATE_SERVER='dns-hidden-master.int.unixathome.org'
SAVED_NSUPDATE_SERVER_PORT='53'
#SAVED_NSUPDATE_KEY='/var/db/acme/Kcerts.int.unixathome.org.+165+59977.key'
SAVED_NSUPDATE_KEY='/var/db/acme/certs.int.unixathome.org.key'
SAVED_NSUPDATE_ZONE=''
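The difference between the broken line and the fixed one is a single character that is easy to miss by eye, and which character it is matters: account.conf is, as far as I know, sourced by acme.sh as shell, so a backtick pair (which this post names as the culprit) runs whatever sits between the backticks as a command, while a typographic quote such as the ones that survived into the log line above is not a shell quote at all and simply becomes part of the value, leaving acme.sh looking for a path that begins with that character. The following POSIX shell snippet is an added example, not code from the post or from acme.sh: a lint that flags both kinds of stray quoting in a config file, plus a helper that shows what the shell actually stores for a given line. The function names, the SAVED_NSUPDATE_KEY_BAD variable and the sample file are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the original post or of acme.sh.
# Lint a shell-sourced config (such as acme.sh's account.conf) for quote
# characters that are not the ASCII single quote, and show what the shell
# really stores when such a line is sourced.

# Print every line of $1 that contains a backtick or a byte outside
# printable ASCII (typographic quotes are multi-byte UTF-8, so they land
# here). Returns 0 when the file is clean, 1 when anything matched.
check_conf_quotes() {
    conf=$1
    found=0
    # A backtick pair in a sourced KEY=`...` runs its contents as a command.
    if LC_ALL=C grep -an '`' "$conf"; then
        found=1
    fi
    # Curly quotes and any other non-ASCII byte become part of the value.
    if LC_ALL=C grep -an '[^[:print:][:space:]]' "$conf"; then
        found=1
    fi
    return $found
}

# Evaluate one KEY=value line the way ". account.conf" would and print the
# value the shell stored in the variable named by $2. Runs in a subshell
# so the assignment (or any command substitution) does not leak out.
assigned_value() {
    ( eval "$1" 2>/dev/null; eval "printf '%s' \"\$$2\"" )
}

# Constructed sample modeled on the account.conf fragment above: the third
# line carries typographic quotes, the fourth (a made-up variable) a
# backtick pair. Writes the file and prints its path.
make_sample_conf() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
SAVED_NSUPDATE_SERVER='dns-hidden-master.int.unixathome.org'
SAVED_NSUPDATE_SERVER_PORT='53'
SAVED_NSUPDATE_KEY=’/var/db/acme/certs.int.unixathome.org.key’
SAVED_NSUPDATE_KEY_BAD=`echo this-was-executed`
SAVED_NSUPDATE_ZONE=''
EOF
    printf '%s\n' "$tmp"
}

# Demonstration: lint the sample, then show the three outcomes.
sample=$(make_sample_conf)
if check_conf_quotes "$sample"; then
    echo "no suspicious quoting in $sample"
else
    echo "suspicious quoting found in $sample (lines listed above)"
fi
echo "ASCII quotes  -> [$(assigned_value "SAVED_NSUPDATE_KEY='/var/db/acme/certs.int.unixathome.org.key'" SAVED_NSUPDATE_KEY)]"
echo "curly quotes  -> [$(assigned_value "SAVED_NSUPDATE_KEY=’/var/db/acme/certs.int.unixathome.org.key’" SAVED_NSUPDATE_KEY)]"
echo "backticks     -> [$(assigned_value 'SAVED_NSUPDATE_KEY_BAD=`echo this-was-executed`' SAVED_NSUPDATE_KEY_BAD)]"
rm -f "$sample"
```

The curly-quote case reproduces the log message in this post: the stored value still carries the quote characters, so the file acme.sh tries to open does not exist. The backtick case shows why a sourced config deserves the same trust as a script: the command between the backticks ran. For a one-off check on a real file, `LC_ALL=C grep -an '[^[:print:]]' account.conf` or `cat -v account.conf` makes the offending characters visible.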
DOH. Hope this helps you.