File permission for acme.json can't be changed on Azure Container Instance (ACI)

RufusJWB · November 17, 2023, 3:08pm

I'm running Traefik2 inside an Azure Container Instance (ACI). Everything works fine, except for the persistent storage of the acme.json file. I've mounted an Azure Fileshare into the container and Traefik correctly writes the acme.json file onto that fileshare, but when I restart the container I get this error message:

"The ACME resolver "my-le-resolver" is skipped from the resolvers list because: unable to get ACME account: permissions 777 for /letsencrypt/acme.json are too open, please use 600"

I googled it and found plenty of workarounds, all at the end boiling down to changing the permission manually to 600. But in ACI this isn't possible due to restrictions in the way, how file shares are mounted:

/letsencrypt # ls -l
total 16
-rwxrwxrwx 1 root root 16048 Nov 14 10:32 acme.json
/letsencrypt # chmod -v 600 acme.json
mode of 'acme.json' changed to 0600 (rw-------)
/letsencrypt # ls -l
total 16
-rwxrwxrwx 1 root root 16048 Nov 14 10:32 acme.json
/letsencrypt #

Any idea how to proceed?

jspdown · November 30, 2023, 3:04pm

Hello @RufusJWB,

Have you tried adjusting your shared access policy?

Also, could you share your deployment configuration as well as your ACI/FileShare config?

RufusJWB · December 1, 2023, 12:01pm

I added a shared access policy but it didn't help:

rufus_buschart [ ~ ]$ az storage share policy create --permissions cdlrw --share-name letsencrypt --connection-string "DefaultEndpointsProtocol=https;AccountName=mystorageaccount4297;AccountKey=+++++==;EndpointSuffix=core.windows.net" --name rwpolicy
{
  "date": "2023-12-01T10:58:17+00:00",
  "etag": "\"0x8DBF25C6D4F77D0\"",
  "lastModified": "2023-12-01T10:58:18+00:00",
  "request_id": "472f672f-b01a-004b-2945-244354000000",
  "version": "2022-11-02"
}
rufus_buschart [ ~ ]$ az storage share policy list --share-name letsencrypt --connection-string "DefaultEndpointsProtocol=https;AccountName=mystorageaccount4297;AccountKey=+++++==;EndpointSuffix=core.windows.net"
{
  "rwpolicy": {
    "expiry": null,
    "permission": "rcwdl",
    "start": null
  }
}
rufus_buschart [ ~ ]$

These are the relevant parts of the ARM template we are using:

{
                        "name": "traefik",
                        "properties": {
                            "image": "traefik:latest",
                            "command": [
                                "sh",
                                "-c",
                                "chmod -Rv 600 /letsencrypt/*;/usr/local/bin/traefik"
                            ],
                            "ports": [
                                {
                                    "protocol": "TCP",
                                    "port": 8080
                                },
                                {
                                    "protocol": "TCP",
                                    "port": 80
                                },
                                {
                                    "protocol": "TCP",
                                    "port": 443
                                }
                            ],
                            "environmentVariables": [],
                            "resources": {
                                "requests": {
                                    "memoryInGB": 1.5,
                                    "cpu": 1
                                }
                            },
                            "volumeMounts": [
                                {
                                    "name": "traefik-data",
                                    "mountPath": "/letsencrypt/"
                                },
                                {
                                    "name": "traefik-conf",
                                    "mountPath": "/etc/traefik/"
                                }
                            ]
                        }
                    },


                "volumes": [
                    {
                        "name": "traefik-data",
                        "azureFile": {
                            "shareName": "letsencrypt",
                            "storageAccountName": "mystorageaccount4297"
                        }
                    },

Topic		Replies	Views
Acme storage volume on Windows Traefik v2 (latest) docker , letsencrypt-acme	5	1932	April 23, 2021
Certificate resolver storage convenience Traefik v2 (latest) letsencrypt-acme	5	541	October 19, 2021
Permission denied error with letsencrypt even the permission is set to 600 Traefik v2 (latest) file , letsencrypt-acme	2	2769	October 12, 2022
Getting permission denied error with lets encrypt if acme.json permission is set to 600 Traefik v2 (latest) letsencrypt-acme	0	3517	February 19, 2020
Traefik doesn't write in acme.json on version 2.3.4 Traefik v2 (latest) docker , docker-swarm , letsencrypt-acme	6	3406	December 17, 2020

File permission for acme.json can't be changed on Azure Container Instance (ACI)

Related Topics