Was alerted today that my website is "down", surprising me as I haven't done anything to it. Testing reveals the user meant they cannot connect via https.
Starting by running nginx -t:
2025/11/17 02:26:07 [warn] 5089#5089: could not build optimal types_hash, you should increase either types_hash_max_size: 1024 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size
2025/11/17 02:26:07 [emerg] 5089#5089: cannot load certificate "/etc/letsencrypt/live/winged-horse.fyi/fullchain.pem": BIO_new_file() failed (SSL: error:8000000D:system library::Permission denied:calling fopen(/etc/letsencrypt/live/winged-horse.fyi/fullchain.pem, r) error:10080002:BIO routines::system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
So, permission denied on accessing fullchain.pem. Interesting.
ls -l on /etc/letsencrypt/live/winged-horse.fyi/fullchain.pem:
lrwxrwxrwx 1 root root 45 Nov 17 02:20 /etc/letsencrypt/live/winged-horse.fyi/fullchain.pem -> ../../archive/winged-horse.fyi/fullchain2.pem
So it's a symlink, pointing to a file in /etc/letsencrypt/archive/winged-horse.fyi. Running ls -l on that directory:
-rw-r--r-- 1 root root 1294 Nov 17 01:51 cert1.pem
-rw-r--r-- 1 root root 1294 Nov 17 02:20 cert2.pem
-rw-r--r-- 1 root root 1566 Nov 17 01:51 chain1.pem
-rw-r--r-- 1 root root 1566 Nov 17 02:20 chain2.pem
-rw-r--r-- 1 root root 2860 Nov 17 01:51 fullchain1.pem
-rw-r--r-- 1 root root 2860 Nov 17 02:20 fullchain2.pem
-rw------- 1 root root 241 Nov 17 01:51 privkey1.pem
-rw------- 1 root root 241 Nov 17 02:20 privkey2.pem
As an experiment, I backed up that directory and then chmod 777 the lot. It made no difference, so I don't think it's actually a filesystem permission problem.
Generating new certs with certbot, of course, did nothing.
Anyone have any suggestions as for what to try?
Last edited by kyle_h (2025-11-19 01:13:24)
I ran into a similar problem lately. Serving software sometimes refuses to access files outside their own configuration ("/etc/software").
Try copying the certificate and key to "/etc/nginx".
Copying the cert and key to /etc/nginx makes no difference (of course I pointed nginx.conf to them).
Last edited by kyle_h (2025-11-17 10:16:42)
Strange. Can you please post the certificate file here?
This site doesn't seem to support post attachments, and my web server is unreliable, I don't know how I would do that.
Since a *.pem certificate is essentially a text file, put it on a pastebin hosting site.
See https://wiki.archlinux.org/title/List_o … ted_client for options.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Turns out that the permissions error from nginx -t was a false positive (of course my user account cannot access SSL keys!).
The actual problem turned out to be my ISP updating the firmware on my router remotely and trashing the config.
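The false positive above is worth being able to recognise quickly: the private key is 0600 root by design, nginx reads it as root at config-load time, and an unprivileged `nginx -t` will always fail on it. The script below is an added example written for this thread, not something the original poster or the nginx/certbot projects ship. It builds a certbot-style `live/` → `archive/` layout in a temporary directory (the `example.invalid` domain and file contents are constructed), resolves the symlink chain, reports the real file's mode, and says whether a read failure is explained by the mode bits (run it as root, as the nginx master does) or must come from somewhere else (a directory on the path, or an AppArmor/SELinux policy).

```shell
#!/bin/sh
# Added example for the nginx "Permission denied" false positive.
# Everything lives in a temp dir built by make_fixture; /etc is never touched.
# Domain name, key/cert bodies and file names are constructed.

# make_fixture: certbot-like layout, cert 0644, private key 0600,
# live/<domain>/*.pem symlinked into archive/<domain>/. Prints the root dir.
make_fixture() {
    root=$(mktemp -d)
    root=$(cd "$root" && pwd -P)     # physical path so comparisons are stable
    mkdir -p "$root/archive/example.invalid" "$root/live/example.invalid"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' constructed '-----END CERTIFICATE-----' \
        > "$root/archive/example.invalid/fullchain2.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' constructed '-----END PRIVATE KEY-----' \
        > "$root/archive/example.invalid/privkey2.pem"
    chmod 644 "$root/archive/example.invalid/fullchain2.pem"
    chmod 600 "$root/archive/example.invalid/privkey2.pem"
    ln -s ../../archive/example.invalid/fullchain2.pem "$root/live/example.invalid/fullchain.pem"
    ln -s ../../archive/example.invalid/privkey2.pem   "$root/live/example.invalid/privkey.pem"
    printf '%s\n' "$root"
}

# resolve_target PATH: follow a symlink chain (relative targets included) and
# print the absolute physical path of the final file. No readlink -f needed.
resolve_target() {
    p=$1
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
    done
    (cd "$(dirname "$p")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$p")")
}

# file_mode PATH: octal permission bits, e.g. 600, on GNU or BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# first_blocked_dir PATH: first ancestor directory the caller cannot traverse,
# or nothing (status 1). A 0700 directory anywhere in the chain blocks a
# non-root reader even when the file itself is world-readable.
first_blocked_dir() {
    d=$(dirname "$1")
    while [ "$d" != "/" ]; do
        [ -x "$d" ] || { printf '%s\n' "$d"; return 0; }
        d=$(dirname "$d")
    done
    return 1
}

# classify PATH: one word describing why a read of PATH would succeed or fail.
#   readable          the caller can read it; nginx -t would pass this file
#   missing           no file at the path
#   dangling-symlink  symlink whose target is gone (e.g. archive was moved)
#   denied-by-mode    others have no read bit: normal for a key, re-run as root
#   denied-elsewhere  mode allows reading, so look at directories or a MAC policy
classify() {
    target=$(resolve_target "$1") || { echo missing; return 0; }
    if [ ! -e "$target" ]; then
        if [ -L "$1" ]; then echo dangling-symlink; else echo missing; fi
        return 0
    fi
    if [ -r "$target" ]; then echo readable; return 0; fi
    mode=$(file_mode "$target")
    case $mode in
        # last octal digit is the "others" class; heuristic, ignores owner/group
        *[0123]) echo denied-by-mode ;;
        *) blocked=$(first_blocked_dir "$target") || blocked=
           echo "denied-elsewhere${blocked:+ ($blocked)}" ;;
    esac
}

# Usage: ./certpath.sh /etc/letsencrypt/live/<domain>/privkey.pem
if [ -n "${1:-}" ]; then
    classify "$1"
fi
```

Run it once as your own user and once under sudo: a key that goes from denied-by-mode to readable is behaving correctly, and `sudo nginx -t` is the test that actually matches what the nginx master process does. `namei -l` on the same path prints the full directory chain with owners and modes if you want to see every link by hand.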
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.