augustus182l

Reputation: 385

FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied

I believe I ended up mixing up permissions in the /etc/ssl directory tree, as the last modification was made on 18th November and a day after I could not get my PostgreSQL to work.

When I type in

sudo service postgresql start

I get

FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied

Checking permissions

~$ sudo -i
~$ ls -la /etc/ssl/private
drw-r----- 2 root ssl-cert 4096 Nov 18 21:10 .
-rwxrwxrwx 1 postgres postgres 1704 Set 4 11:26 ssl-cert-snakeoil.key

Checking group composition

~$ id postgres
uid=114(postgres) gid=127(postgres) groups=127(postgres),114(ssl-cert)

Also I noticed that my ssl-cert-snakeoil.pem file at /etc/ssl/certs/ doesn't have a symlink. I don't know if this makes any difference...

Please, help me sort this out.

Thanks.

Edit: Should it be posted on serverfault instead?

Upvotes: 21

Views: 51310

Answers (8)

Noushad

Reputation: 6781

Try adding postgres user to the group ssl-cert

Run the below code to fix your issue:

It happened to me and it turned out that I removed the postgres user from ssl-cert group. In order to set it back run the command:

sudo gpasswd -a postgres ssl-cert

Then fix ownership and mode

sudo chown root:ssl-cert  /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 740 /etc/ssl/private/ssl-cert-snakeoil.key

Now postgresql starts and install command doesn't fail anymore!

sudo /etc/init.d/postgresql start

Courtesy of GabLeRoux

Upvotes: 40

primegxy

Reputation: 1878

Only thing that will work if you have changed permissions for /etc/ssl/private

mkdir /etc/ssl/private-copy && mv /etc/ssl/private/* /etc/ssl/private-copy/ && rm -r /etc/ssl/private && mv /etc/ssl/private-copy /etc/ssl/private && chmod -R 0700 /etc/ssl/private && chown -R postgres /etc/ssl/private

Copy this whole command (It's a one line code).

If this doesn't work for you, check your postgres user's groups with groups postgres and make sure your postgres user has ssl-cert root postgres (order doesn't matter).

Now let's check your file permissions on ssl/private:

ls -la /etc/ssl/
# Output: drwx------   2 postgres root private

If this is not the output change your permissions with sudo chmod -R 700 /etc/ssl/private and for owners chown -R postgres:root /etc/ssl/private

# Now check permissions on ssl-cert-snakeoil.key, 
# which will be inside your **private** directory.
ls -la /etc/ssl/private/ssl-cert-snakeoil.key
# Output:  -rwx------ 1 postgres root /etc/ssl/private/ssl-cert-snakeoil.key

Upvotes: 6

étale-cohomology

Reputation: 1861

This error was preventing my PostgreSQL server from running locally.

The following worked for me:

sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key 
sudo chmod 600               /etc/ssl/private/ssl-cert-snakeoil.key 

Also make sure that /etc/ssl/private has enough permissions.


Some programs can be incredibly pedantic and cost you valuable hours. By running journalctl after sudo systemctl start postgresql I'd see various errors like:

FATAL:  could not load private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied

FATAL:  private key file "/etc/ssl/private/ssl-cert-snakeoil.key" must be owned by the database user or root

FATAL:  private key file "/etc/ssl/private/ssl-cert-snakeoil.key" has group or world access
DETAIL:  File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.

I couldn't make it work with sudo chmod root:root, so I had to settle for sudo chmod postgres:postgres.


EDIT

I haven't tried it, but deleting and regenerating the snakeoil certificate might work as well:

make-ssl-cert generate-default-snakeoil --force-overwrite

(You may have to run it with sudo, don't know.)

Upvotes: 3
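
As an added example (not part of any answer in this thread), the shell functions below apply the two checks the answers keep circling around: whether the account can traverse every directory leading to the key, and whether the key's owner and mode satisfy the messages quoted above. The function names are hypothetical, and `check_key_path` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the thread. uid/gid numbers in the demo are the
# ones shown in the question's `id postgres` output.

# key_mode_ok MODE OWNER_UID DB_UID: succeeds if the key passes the owner and
# "group or world access" checks from the error messages quoted above.
key_mode_ok() {
    if [ "$2" -eq "$3" ]; then mask=077     # owned by the database user: 0600
    elif [ "$2" -eq 0 ]; then mask=037      # owned by root: 0640 is allowed
    else return 1                           # any other owner is rejected
    fi
    [ $(( 0$1 & $mask )) -eq 0 ]
}

# can_traverse MODE OWNER_UID GROUP_GID UID "GID ...": succeeds if UID has
# search (x) permission by plain mode bits; ACLs and root are ignored.
can_traverse() {
    bit=0001                                # "other" class by default
    for gid in $5; do
        if [ "$gid" -eq "$3" ]; then bit=0010; fi
    done
    if [ "$4" -eq "$2" ]; then bit=0100; fi # owner class takes precedence
    [ $(( 0$1 & $bit )) -ne 0 ]
}

# check_key_path KEYFILE USER: run both checks on the real filesystem
# (GNU stat; run as root so the key itself can be examined).
check_key_path() {
    uid=$(id -u "$2") || return 2
    gids=$(id -G "$2")
    dir=$(dirname "$1")
    rc=0
    while [ "$dir" != / ] && [ "$dir" != . ]; do
        if ! can_traverse "$(stat -c %a "$dir")" "$(stat -c %u "$dir")" \
                          "$(stat -c %g "$dir")" "$uid" "$gids"; then
            echo "$2 cannot traverse $dir ($(stat -c %A "$dir"))"; rc=1
        fi
        dir=$(dirname "$dir")
    done
    if ! key_mode_ok "$(stat -c %a "$1")" "$(stat -c %u "$1")" "$uid"; then
        echo "$1: bad owner or mode ($(stat -c '%A %U' "$1"))"; rc=1
    fi
    return $rc
}

# The question's listing: directory drw-r----- root:ssl-cert, key -rwxrwxrwx.
can_traverse 640 0 114 114 "127 114" || echo "postgres cannot enter the directory"
key_mode_ok 777 114 114 || echo "key has group or world access"
```

On a live system, `check_key_path /etc/ssl/private/ssl-cert-snakeoil.key postgres` run as root prints one line per finding and returns non-zero if there is any.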

swateek

Reputation: 7580

I had other certificates under /etc/ssl/private and hence, changing permissions recursively was out of question.

I tried adding the postgres user to the ssl-cert group; that didn't help either.

I modified the permission of /etc/ssl/private to 716, basically saying that anyone else other than root (user) and ssl-cert (group) can read and execute the directory.

sudo chmod 716 /etc/ssl/private

Then, I modified the ownership of ssl-cert-snakeoil.key

sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key

This worked for me, basically a combination of the answers by @devops and @Noushad

Upvotes: 1

Chris Ivan

Reputation: 556

I am running the postgres server in WSL, and I was facing the error with the ssl-cert file. I managed to make it work by changing the owner of the file to the postgres user I had created, adding the expected user and group IDs to the user as required of the application (111 and 116, respectively, as gleaned from helpful error messages), and voila, I have an active server from within WSL.

sudo useradd postgres
sudo usermod -u 111 -g 116 -a -G ssl-cert postgres
sudo chown postgres /etc/ssl/private/ssl-cert-snakeoil.key

After running the above, there were two more files the user running the server (postgres for me) needed permission to access, both residing in /var/postgresql. I used sudo chown -- twice more to give ownership to postgres. Running sudo service postgresql start will tell you which files you'll need to transfer ownership of through any error messages.

Upvotes: 0

Iain Hunter

Reputation: 5047

I was suffering from this issue when attempting to start Postgresql on a remote docker instance. I eventually tracked down the crazy solution here. Basically you have to recreate the directories, chown on its own doesn't work:

mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private

Upvotes: 3

devops

Reputation: 193

Check the output of

$ sudo -u postgres -s
$ cd /etc/ssl/private
$ ls

If the response is "Permission denied" do

$ chown postgres:ssl-cert /etc/ssl/private/
$ chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key

Upvotes: 13

Warren Dew

Reputation: 8938

Try setting permissions on the .key file to 600. Postgres doesn't like key files with group or world permissions set. You may also need to change the owner to postgres, though I'm not sure about that.

Upvotes: 0
