Forum OpenACS Q&A: nsssl Permission denied
Notice: OpenSSL OpenSSL 1.1.0g 2 Nov 2017 initialized
Error: nsssl: certificate load error from cert /home/letsencrypt/certs/a21.highlandpiping.com/server.pem: error:0200100D:system library:fopen:Permission denied
Error: modload: /usr/local/ns/bin/nsssl.so: Ns_ModuleInit returned: -1
Fatal: modload: failed to load module '/usr/local/ns/bin/nsssl.so'
used the information here to installed:
First time, I forgot the build command. Deleted /usr/local/ns and /var/www/oacs-5-9-1
2nd time used the build command. No errors reported.
I do have a OpenACS 5-9 running currently successfully using Ubuntu 16.x with ssl
I have looked at all the permissions between the two systems and cannot find the problem.
Directories I compared:
Any suggestions where or what to look for would be greatly appreciated.
The error message is from OpenSSL and is a "permission denied".
% openssl errstr 200100D error:0200100D:system library:fopen:Permission denied
You have in your NaviServer configuration the certificate on a place which is the default of certbot. Since NaviServer is running per default with group
nsadmin and user
nsadmin it has no permissions to read the certificate from there. Check the certbot documentation on  and search for "permissions". You might wish to provide a deploy-hook-script to copy the certificate to a place where NaviServer can read it. The NaviServer plugin  places the certificates under "[ns_info home]/modules/nsssl" (openacs.org uses e.g. ). Don't forget to update the path specified by
certificate in the NaviServer config file.
all the best
After I get that, I'll have another command to run. You're running this on linux or other unix-alike?
Here is the correct command:
sudo /usr/local/ns/bin/nsd -t /usr/local/ns/config-5-9.tcl -u nsadmin -g nsadmin -b xxx.yyy.a.ccc:80,xxx.yyy.a.ccc:443
Notice no space between the port 80 and the command.
I had a space between the port and the comma that was causing the problem.
not proper: ;80 ,xxx
You may like to read about systemctl.
Furthermore, there's good information at: http://project-open.com/en/install-debian-stretch
There, you can easily automate NaviServer startup.
Create a new file /lib/systemd/system/oacs.service with the following content:
Description=NaviServer Web Server as user OACS
ExecStartPre=rm -f /var/www/oacs/log/nsd.pid
ExecStart=/usr/local/ns/bin/nsd -t /var/www/oacs/etc/config.tcl -u nsadmin -g nsadmin
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s 9 $MAINPID
Please execute the following commands in order to activate the configuration:
systemctl enable oacs.service
systemctl start oacs.service
You can check that NaviServer is running by monitoring it's error file (debugging is switched on by default):
tail -f /var/www/oacs/log/error.log