1. Forums
  2. CloudLinux and Control Panels
  3. CloudLinux and Plesk
  1. Mueller
  2. Wednesday, February 08, 2017
  3.  Subscribe via email

I'm working with CL 7.3 and Plesk Onyx 17.0.17. But the Let's Encrypt add-on is not working properly with CageFS:

Starting new HTTPS connection (1):
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /usr/local/psa/var/modules/letsencrypt/etc/keys/0001_key-certbot.pem
Creating CSR: /usr/local/psa/var/modules/letsencrypt/etc/csr/0001_csr-certbot.pem
Non-standard path(s), might not work with crontab installed by your operating system package manager
An unexpected error occurred:
OSError: [Errno 2] No such file or directory

This "problem"/misconfiguration is known and Plesk offers an answer to this:

So I added fs.protected_symlinks_allow_gid = id_of_group_linksafe to /etc/sysctl.conf and applied the changes by sysctl -p, but this leads to:

fs.protected_symlinks_create = 1
fs.protected_hardlinks_create = 1
fs.protected_symlinks_allow_gid = 986
fs.protected_hardlinks_allow_gid = 986
fs.proc_super_gid = 1000
sysctl: setting key "fs.protected_symlinks_allow_gid": Invalid argument
fs.protected_symlinks_allow_gid = id_of_group_linksafe
fs.proc_can_see_other_uid = 0

According to this it's still not possible to use Let's Encrypt. Any ideas how to get it running? And no, I won't disable the symlink protection, that was the only solution provided by google ;-)

Thanks in advance for your help!
Rate this post:
  1. 09.02.2017 06:02:27
  2. # 1
Bogdan Accepted Answer
Posts: 709
Joined: 26.06.2013

You should add real group ID to fs.protected_symlinks_allow_gid , get it with:

# getent group linksafe


You will get different ID, most probably 986. Then modify /etc/sysctl.conf :

fs.protected_symlinks_allow_gid = 984

And apply changes with sysctl -p .

Now, about the error 'No such file or directory' - first thing to check is if user from CageFS inside see that directory, check it with:

su -l username -s /bin/bash
ls -la /usr/local/psa/var/modules/letsencrypt/

Most probably it should be add into CageFS. I am not really sure if that will be enough, if errors continues please create support ticket with us.

I totally agree with you that disabling protection is a bad idea. Definitely there should be right way to make it working.
  1. 13.02.2017 17:02:23
  2. # 2
Bogdan Accepted Answer
Posts: 709
Joined: 26.06.2013
Just to update this thread, we were able to identify the problem. To fix it for sure please add psaadm user to linksafe group:

usermod -a -G linksafe psaadm

Bugreport has been created, this will be managed automatically with future cloudlinux-linksafe package updates.
  1. 22.03.2017 10:03:56
  2. # 3
Anton Accepted Answer
Posts: 0
Joined: 21.01.2018
I had the same problem, but adding to linksafe did not help:
fs.protected_hardlinks = 1
fs.protected_hardlinks_allow_gid = 987
fs.protected_hardlinks_create = 1
fs.protected_symlinks = 1
fs.protected_symlinks_allow_gid = 987
fs.protected_symlinks_create = 1

# getent group linksafe

It helped only to disable protected_symlinks & hardlinks

# uname -a
Linux <hostname> 3.10.0-427.10.1.lve1.4.7.el7.x86_64 #1 SMP Sat Apr 2 12:09:46 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
  1. 22.03.2017 11:03:41
  2. # 4
Bogdan Accepted Answer
Posts: 709
Joined: 26.06.2013
I have tested this solution personally and I am sure it works :)

We would like to review your setup, please create support ticket. Thanks.
  • Page :
  • 1

There are no replies made for this post yet.
Be one of the first to reply to this post!
Submit Your Response
Upload files or images for this discussion by clicking on the upload button below. Supports gif,jpg,png,zip,rar,pdf
• Remove Upload Files (Maximum File Size: 2 MB)
You may insert polls into your post. The poll would then appear in the post.
Vote Options
To protect the site from bots and unauthorized scripts, we require that you enter the captcha codes below before posting your question.