[GH-ISSUE #88] acme-dns needs directory permissions in systemd (documentation) #35

Open
opened 2026-03-13 15:27:29 +03:00 by kerem · 6 comments

Originally created by @jvanasco on GitHub (May 31, 2018).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/88

I updated my install to control acme-dns via systemd, with an acme-dns user.

I changed the ownership of items in /etc/acme-dns to acme-dns.

If the /etc/acme-dns directory is owned by root, there are errors in accessing the existing database /etc/acme-dns/acme-dns.db. If the directory is owned by acme-dns, the db is read fine.

Stated differently,

```shell
# this results in db errors (the directory itself stays owned by root)
chown acme-dns:acme-dns /etc/acme-dns/*

# this works (the directory is now owned by acme-dns as well)
chown -R acme-dns:acme-dns /etc/acme-dns
```

I'm not sure how/why this is happening, but I think it is due to sqlite not being able to make lock files.


@joohoi commented on GitHub (May 31, 2018):

Thanks for bringing this up! I'll investigate a bit, but it looks like we should make slight modifications to the documentation. Pinging @gabe565 as they contributed the systemd service file and docs.


@gabe565 commented on GitHub (May 31, 2018):

I honestly forgot that this is configurable. In my setup, I have the /etc/acme-dns directory as owned by root, then have the database in /var/lib/acme-dns and have it owned by acme-dns with 600 permissions. I will PR another step with that setup.


@jvanasco commented on GitHub (May 31, 2018):

after some testing and checking the sqlite docs regarding locks, the issue is definitely due to the acme-dns user needing write permissions for the directory which the database file is in.


@gabe565 commented on GitHub (Jun 1, 2018):

Yes that's what it looks like, which is why I would rather keep the database in /var/lib/acme-dns since the acme-dns user is guaranteed to own that directory (It's the acme-dns home directory), then a directory in /etc does not have to be writable. Does that seem right?


@jvanasco commented on GitHub (Jun 1, 2018):

yeah that seems like the right approach.

if you wanted to overcomplicate things, have you considered placing the config file in there? then a user could just be added to the acme-dns group for edit privileges.


@Ajedi32 commented on GitHub (Jun 1, 2018):

Yeah, you don't want to put databases in /etc anyway. /etc on Linux is for config files. /var is more appropriate for databases. See http://www.pathname.com/fhs/pub/fhs-2.3.html

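The layout the thread settles on (config under a root-owned `/etc/acme-dns`, the SQLite file in `/var/lib/acme-dns` owned by the service user), written up as an added shell example. This is not code from the acme-dns project or from any commenter; it assumes GNU coreutils `stat` on Linux, a system account named `acme-dns`, and the paths discussed above. `check_db_layout` tests the property jvanasco identified (the directory holding the database must be writable by the service user, because SQLite creates lock and journal files beside the database) together with the 600 mode gabe565 uses; `install_layout` shows the root-run steps that produce that layout.

```shell
#!/bin/sh
# Added example, not part of the acme-dns project or of this issue thread.
# Encodes the layout the thread converges on: config stays root-owned under
# /etc/acme-dns, the SQLite database lives in /var/lib/acme-dns, which the
# acme-dns user owns and can write to. SQLite creates lock/journal files next
# to the database file, so the *directory* needs the owner-write bit.
# Assumptions: GNU coreutils `stat` (Linux), a system user named acme-dns.

# check_db_layout DB_PATH USER
# Returns 0 only when:
#   - the directory holding DB_PATH is owned by USER and writable by its owner
#   - DB_PATH exists, is owned by USER and has mode 600
# Otherwise prints the first problem found and returns 1.
check_db_layout() {
    db=$1
    user=$2
    dir=$(dirname "$db")

    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$db" ]  || { echo "missing database file: $db"; return 1; }

    dir_owner=$(stat -c '%U' "$dir")
    dir_mode=$(stat -c '%a' "$dir")
    db_owner=$(stat -c '%U' "$db")
    db_mode=$(stat -c '%a' "$db")

    [ "$dir_owner" = "$user" ] ||
        { echo "$dir is owned by $dir_owner, expected $user"; return 1; }
    # 0200 is the owner-write bit; the leading 0 makes the shell read the mode as octal.
    [ $(( 0$dir_mode & 0200 )) -ne 0 ] ||
        { echo "$dir (mode $dir_mode) is not writable by $user; SQLite cannot create lock/journal files"; return 1; }

    [ "$db_owner" = "$user" ] ||
        { echo "$db is owned by $db_owner, expected $user"; return 1; }
    [ "$db_mode" = "600" ] ||
        { echo "$db has mode $db_mode, expected 600"; return 1; }

    echo "ok: $db is usable by $user"
    return 0
}

# install_layout: apply the recommended layout on a real host. Must run as root.
# Not executed by the check above; shown as the reference procedure.
install_layout() {
    # System account whose home is /var/lib/acme-dns, as in gabe565's setup.
    id acme-dns >/dev/null 2>&1 ||
        useradd --system --home-dir /var/lib/acme-dns --shell /usr/sbin/nologin acme-dns

    # Config directory: root-owned, readable by the acme-dns group, not writable by the service.
    install -d -o root -g acme-dns -m 750 /etc/acme-dns
    # Data directory: owned and writable by the service user (this is what SQLite needs).
    install -d -o acme-dns -g acme-dns -m 700 /var/lib/acme-dns

    # Move an existing database out of /etc (config only, per the FHS point in the thread).
    if [ -f /etc/acme-dns/acme-dns.db ]; then
        mv /etc/acme-dns/acme-dns.db /var/lib/acme-dns/acme-dns.db
    fi
    if [ -f /var/lib/acme-dns/acme-dns.db ]; then
        chown acme-dns:acme-dns /var/lib/acme-dns/acme-dns.db
        chmod 600 /var/lib/acme-dns/acme-dns.db
    fi
    # The database path in the acme-dns config must then point at
    # /var/lib/acme-dns/acme-dns.db (the config key is not shown here).

    check_db_layout /var/lib/acme-dns/acme-dns.db acme-dns
}

# Command-line dispatch:  script.sh check DB_PATH USER   |   script.sh install
case "${1-}" in
    check)   check_db_layout "$2" "$3" ;;
    install) install_layout ;;
esac
```

Run `sh layout.sh check /var/lib/acme-dns/acme-dns.db acme-dns` after a deployment to confirm the directory is writable by the service user; the failing case prints the same root cause the thread arrived at (directory not writable, so lock and journal files cannot be created), which is more useful on a ticket than the bare sqlite error.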