File permission for acme.json can't be changed on Azure Container Instance (ACI)

I'm running Traefik2 inside an Azure Container Instance (ACI). Everything works fine, except for the persistent storage of the acme.json file. I've mounted an Azure Fileshare into the container and Traefik correctly writes the acme.json file onto that fileshare, but when I restart the container I get this error message:

"The ACME resolver "my-le-resolver" is skipped from the resolvers list because: unable to get ACME account: permissions 777 for /letsencrypt/acme.json are too open, please use 600"

I googled it and found plenty of workarounds, all of which in the end boil down to changing the permissions manually to 600. But in ACI this isn't possible due to restrictions in the way file shares are mounted:

/letsencrypt # ls -l
total 16
-rwxrwxrwx 1 root root 16048 Nov 14 10:32 acme.json
/letsencrypt # chmod -v 600 acme.json
mode of 'acme.json' changed to 0600 (rw-------)
/letsencrypt # ls -l
total 16
-rwxrwxrwx 1 root root 16048 Nov 14 10:32 acme.json
/letsencrypt #

Any idea how to proceed?
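Two checks from the report above can be made reproducible in a small POSIX shell script. This is an added example, not code from the thread and not Traefik's own sources: `acme_mode_ok` approximates the rule behind the "permissions 777 ... too open, please use 600" message (reject any mode bit outside 0600; that it mirrors Traefik's check exactly is an assumption), and `mount_honors_chmod` probes whether the filesystem under a directory actually keeps a chmod 600, which is what the `ls -l` / `chmod` / `ls -l` sequence above tested by hand on the Azure Files mount.

```shell
#!/bin/sh
# Added example, not from the thread or from Traefik. Run inside the container, e.g.
#   ./check.sh /letsencrypt/acme.json
# to learn whether the volume can ever satisfy the acme.json permission requirement.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the file's mode has no bits set outside owner read/write (0600).
# Assumption: this approximates the intent of Traefik's check; it is not Traefik's code.
acme_mode_ok() {
    mode=$(file_mode "$1") || return 1
    # A leading 0 makes the shell parse the digits as octal; ~0600 masks the allowed bits.
    [ $(( 0$mode & ~0600 )) -eq 0 ]
}

# Return 0 when a chmod 600 on a scratch file in the given directory is actually
# reflected by the filesystem, 1 when the mount silently ignores mode changes.
mount_honors_chmod() {
    dir=$1
    probe=$(mktemp "$dir/.permprobe.XXXXXX") || return 1
    chmod 600 "$probe" 2>/dev/null || true
    mode=$(file_mode "$probe")
    rm -f "$probe"
    [ "$mode" = "600" ]
}

# Command-line use: report on the directory first, then on the file itself if it exists.
if [ -n "$1" ]; then
    dir=$(dirname "$1")
    if mount_honors_chmod "$dir"; then
        echo "$dir: filesystem keeps chmod 600"
    else
        echo "$dir: filesystem ignores chmod, so a 600 mode cannot be set on this mount"
    fi
    if [ -f "$1" ]; then
        if acme_mode_ok "$1"; then
            echo "$1: mode $(file_mode "$1") is acceptable"
        else
            echo "$1: mode $(file_mode "$1") is too open, 600 is expected"
        fi
    fi
fi
```

On a container-local path (tmpfs or the image's own layer) the directory probe succeeds and a chmod 600 on the file makes `acme_mode_ok` pass; on a mount that forces 777 on every entry, the probe fails no matter what `chmod` reports, which is the situation the thread describes.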

Hello @RufusJWB,

Have you tried adjusting your shared access policy?

Also, could you share your deployment configuration as well as your ACI/FileShare config?

I added a shared access policy but it didn't help:

rufus_buschart [ ~ ]$ az storage share policy create --permissions cdlrw --share-name letsencrypt --connection-string "DefaultEndpointsProtocol=https;AccountName=mystorageaccount4297;AccountKey=+++++==;EndpointSuffix=core.windows.net" --name rwpolicy
{
  "date": "2023-12-01T10:58:17+00:00",
  "etag": "\"0x8DBF25C6D4F77D0\"",
  "lastModified": "2023-12-01T10:58:18+00:00",
  "request_id": "472f672f-b01a-004b-2945-244354000000",
  "version": "2022-11-02"
}
rufus_buschart [ ~ ]$ az storage share policy list --share-name letsencrypt --connection-string "DefaultEndpointsProtocol=https;AccountName=mystorageaccount4297;AccountKey=+++++==;EndpointSuffix=core.windows.net"
{
  "rwpolicy": {
    "expiry": null,
    "permission": "rcwdl",
    "start": null
  }
}
rufus_buschart [ ~ ]$

These are the relevant parts of the ARM template we are using:

{
    "name": "traefik",
    "properties": {
        "image": "traefik:latest",
        "command": [
            "sh",
            "-c",
            "chmod -Rv 600 /letsencrypt/*;/usr/local/bin/traefik"
        ],
        "ports": [
            {
                "protocol": "TCP",
                "port": 8080
            },
            {
                "protocol": "TCP",
                "port": 80
            },
            {
                "protocol": "TCP",
                "port": 443
            }
        ],
        "environmentVariables": [],
        "resources": {
            "requests": {
                "memoryInGB": 1.5,
                "cpu": 1
            }
        },
        "volumeMounts": [
            {
                "name": "traefik-data",
                "mountPath": "/letsencrypt/"
            },
            {
                "name": "traefik-conf",
                "mountPath": "/etc/traefik/"
            }
        ]
    }
},

"volumes": [
    {
        "name": "traefik-data",
        "azureFile": {
            "shareName": "letsencrypt",
            "storageAccountName": "mystorageaccount4297"
        }
    },

I'm running into the exact same issue. Did you find any solution?

Not sure if that works, but you could try to build your own image. Something like

FROM traefik:v2.11
RUN chmod …

I would assume that ENTRYPOINT and CMD are automatically inherited from the original Dockerfile, so it should start Traefik as usual.