Permission denied error with letsencrypt even though the permission is set to 600

Version: Traefik:v2.1

I'm getting a permission denied error for the acme.json file even when the permission is set to 600.

    level=error msg="The ACME resolver \"myresolver\" is skipped from the resolvers list because: unable to get ACME account: open /acme.json: permission denied"

Snippet of docker file

    command:
      - --certificatesresolvers.myresolver.acme.storage=etc/traefik/acme/acme.json
    volumes:
      - ./proxy-config.toml:/etc/traefik/proxy-config.toml:ro
      - ./letsencrypt/:/etc/traefik/acme/

File permission on the machine is:

    ls -lh letsencrypt/acme.json
    -rw------- 1 prayag prayag 0 Feb 20 12:45 letsencrypt/acme.json

File permission and user inside the traefik container:

    / # ls -lh acme.json
    -rw-------    1 nobody   nobody         0 Feb 20 12:45 acme.json

File permission for proxy-config.yaml

On the machine:

    ls -lh proxy-config.toml
    -rw-rw-r-- 1 prayag prayag 1.2K Feb 20 18:22 proxy-config.toml

Inside the container:

    / # ls -lh /etc/traefik/proxy-config.toml
    -rw-rw-r--    1 nobody   nobody      1.1K Feb 20 18:22 /etc/traefik/proxy-config.toml

What I'm not able to understand is that proxy-config.yaml has the same uid:gid as the acme.json file, but acme.json is giving a permission error while proxy-config.yaml is working fine.

Solved it. Using named volumes instead of bind mounts fixed this issue.

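
The change described in the post above, shown as a Compose fragment with the original bind mount next to a named volume. This is an added example, not a snippet from either poster; the service name `traefik`, the volume name `traefik-acme` and the absolute storage path are assumptions, and only the lines relevant to ACME storage are shown.

```yaml
# Added example: service name, volume name and absolute storage path are assumptions.
version: "3"

services:
  traefik:
    image: traefik:v2.1
    command:
      # Absolute path inside the container; it must sit under the volume's mount point.
      - --certificatesresolvers.myresolver.acme.storage=/etc/traefik/acme/acme.json
    volumes:
      - ./proxy-config.toml:/etc/traefik/proxy-config.toml:ro
      # Before (bind mount from the original post): the host file's owner and
      # mode decide whether the container user can open acme.json.
      # - ./letsencrypt/:/etc/traefik/acme/
      # After (named volume): Docker creates and manages the storage.
      - traefik-acme:/etc/traefik/acme/

volumes:
  # Named volume managed by Docker; it survives container re-creation,
  # so issued certificates and the ACME account key are kept.
  traefik-acme:
```

With an empty named volume, Traefik creates acme.json itself with mode 600 on first start, so the file is owned by the user the process runs as. The volume holds the ACME account key and certificate private keys, so access to the Docker host's volume storage should be restricted accordingly.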

Hello, could you please provide a snippet showing how the volume must look to resolve this issue? Thanks a lot!

My volumes section in values.yaml looks like this:

    persistence:
      enabled: true
      name: ssl-certs
      existingClaim: nfs-volume-claim
      path: /ssl-certs

But it still gives me the exact same error as yours.
I have a PersistentVolumeClaim called nfs-volume-claim already created.