PermissionError: [Errno 13] Permission denied when accessing to aws ec2

Question

I have ubuntu 16.04 running on virtual box(on mac), and on aws ec2 ubuntu 18.04 running. I am trying to run Jupiter notebook on aws.ec2 and trying to access it remotely thru my web browser on my local Ubuntu. I am able to access remote ubuntu(aws.ec2) terminal. After I followed the steps on this link

I got the following error on the step 9.

I reinstalled everything from scratch 3 times(including local ubuntu and aws ec2 instance), but no progress so far.

Last login: Thu Nov  1 06:34:07 2018 from 134.1****
ubuntu@ip-172-***:~$ export XDG_RUNTIME_DIR=""
ubuntu@ip-172-***:~$ jupyter notebook
[I 06:40:19.525 NotebookApp] Serving notebooks from local directory: /home/ubuntu
[I 06:40:19.528 NotebookApp] The Jupyter Notebook is running at:
[I 06:40:19.528 NotebookApp] https:// **** :8888/?token=727fbb120d19f55a435c1*****
[I 06:40:19.528 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).
[C 06:40:19.529 NotebookApp]

    Copy/paste this URL into your browser when you connect for the first time,
    to login with a token:
        https://(ip-172-31-***** .0.1):8888/?token=727fbb120d19f55a435c14*********
ERROR:asyncio:Exception in callback BaseAsyncIOLoop._handle_events(4, 1)
handle: <Handle BaseAsyncIOLoop._handle_events(4, 1)>
Traceback (most recent call last):
  File "/usr/lib/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/platform/asyncio.py", line 122, in _handle_events
    handler_func(fileobj, events)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/stack_context.py", line 300, in null_wrapper
    return fn(*args, **kwargs)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/netutil.py", line 262, in accept_handler
    callback(connection, address)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/tcpserver.py", line 263, in _handle_connection
    do_handshake_on_connect=False)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/netutil.py", line 565, in ssl_wrap_socket
    context = ssl_options_to_context(ssl_options)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/netutil.py", line 540, in ssl_options_to_context
    context.load_cert_chain(ssl_options['certfile'], ssl_options.get('keyfile', None))
PermissionError: [Errno 13] Permission denied
ERROR:asyncio:Exception in callback BaseAsyncIOLoop._handle_events(4, 1)
handle: <Handle BaseAsyncIOLoop._handle_events(4, 1)>
Traceback (most recent call last):
  File "/usr/lib/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/platform/asyncio.py", line 122, in _handle_events
    handler_func(fileobj, events)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/stack_context.py", line 300, in null_wrapper
    return fn(*args, **kwargs)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/netutil.py", line 262, in accept_handler
    callback(connection, address)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/tcpserver.py", line 263, in _handle_connection
    do_handshake_on_connect=False)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/netutil.py", line 565, in ssl_wrap_socket
    context = ssl_options_to_context(ssl_options)
  File "/home/ubuntu/.local/lib/python3.6/site-packages/tornado/netutil.py", line 540, in ssl_options_to_context
    context.load_cert_chain(ssl_options['certfile'], ssl_options.get('keyfile', None))
PermissionError: [Errno 13] Permission denied

Note1: on ec2 instance, Ubuntu has 18.04 version and it came with python 3.6.3 then I have to install anaconda on the top of it and then the python version now is 3.5.2 once I typed $python3.

Note2: Despite after the anaconda has been installed into the EC2 then the python version degraded to 3.5.2

once I have checked the following directory /usr/local/lib/ there only python3.6 folder is existing, then I typed $sudo chmod 777 dist-packages/

then $jupyter notebook, then copy the token link and combine with dns, but still didn't worked.

Answer 1

What worked for me is to:

1. Change ownership as in the answer above with sudo chown -R $USER ~/.local/share/jupyter/
2. Open the EC2 ingress port for the Jupyter port chosen.
3. Alongside creating the certificate file to also create the key as in the example here. I only added the certificate before and it triggered SSL errors.

Answer 2

I had the same problem, and now I just solved it by trying a couple things. Try these solutions to see if it helps:

1. Changed the ownership of the /home folder and ~/.local/share/jupyter/ folder to current user running this command:

   sudo chown -R $USER /home/

   sudo chown -R $USER ~/.local/share/jupyter/

2. If you encounter ssl error problem, check out this link.

3. Make sure you type https://<jupyter-server-ip> in your browser instead of http://.

4. If you have Your connection is not private problem in your chrome and can not proceed, try safari or other browsers. This happens in chrome with version 70 or newer.
5. Try Leon Huang's solution to turn on the port 8888 for your instance.

Answer 3

I have been facing this issue exactly as stated and I found the resolution for this issue.

you need to check your certificate file, and check if it is owned by the root.

you just need to change the ownership to the jupyter user whose credentials are being used and the notebook will work fine

changing from

(base) santoshshds@dsserver:~/certs$ ls -lrth
total 4.0K
-rw------- 1 root root 2.0K May  5 10:02 mycert.pem

to

(base) santoshshds@dsserver:~/certs$ ls -lrth
total 4.0K
-rw------- 1 santoshshds root 2.0K May  5 10:02 mycert.pem

and the jupyter runs fine now

####################################################################
[I 06:58:40.180 NotebookApp] https://(dsserver or 127.0.0.1):8888/

[I 06:58:40.180 NotebookApp] Use Control-C to stop this server and shut down all kernels (twice to skip confirmation).

[W 06:58:45.487 NotebookApp] error on read: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2488)

[W 06:58:45.499 NotebookApp] error on read: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2488)

[W 06:58:45.750 NotebookApp] error on read: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2488)

[I 06:58:54.468 NotebookApp] 302 GET / (x.x.x.x) 0.63ms

[I 06:58:54.785 NotebookApp] 302 GET /tree? (x.x.x.x) 0.81ms

[W 07:14:58.719 NotebookApp] Not allowing login redirect to '/tree?'

[I 07:14:58.720 NotebookApp] 302 POST /login?next=%2Ftree%3F (x.x.x.x) 1.62ms

[I 07:14:59.047 NotebookApp] 302 GET / (x.x.x.x) 0.65ms

where (x.x.x.x) is the browser ip

Answer 4

The port 8888 you set must be included in security groups inbound. It has been solved by benai in this forum: https://forums.fast.ai/t/can-t-connect-to-jupyter-notebook-tried-3-different-machines-err-connection-timed-out/3779

Here's a step by step instruction: "

1. Click on “Instances” (under “Instances”) in the left side panel.

2. Select your instance (the box to the left of “Name” and “Instance ID” should turn blue, and a set of information will be displayed in the lower part of the page. This information will include tags saying “Description”, “Status Checks”, “Monitoring” and “Tags”)

3. If you click on “Description” you should see information displayed. Next to “Security Groups” I see the following displayed in blue: “launch-wizard-10. view inbound rules”

4. Click on “view inbound rules” and I see a small window pop up that gives: Ports Protocol Source Launch-wizard-10 22 tcp 0.0.0.0/0 This indicates that only Port 22 is open to Inbound information.

5. Next click on “Security Groups” (under “Network & Security”) in the left hand panel I identified which of the Security Groups in the list was appropriate to my running instance by looking under the “Description” to see the one with today’s date (e.g. “launch-wizard-10 created 2017-06-29”).

6. I selected that one in the check box on the far left (the box turned blue). Information appeared on the lower part of the page, including the tags saying “Description”, “Inbound”, “Outbound” and “Tags”. Click on the “Inbound” tag.

7. In my case I only saw: “SSH TCP 22 0.0.0.0/0” Click on “Edit”. Click on “Add Rule” and a new row should appear. Enter “8888” under “Port Range” and under “Source” select “Anywhere” which should change the value to “0.0.0.0/0, ::/0”. Click on “Save”.

8. You should now see the following displayed in the lower part of the page: Custom TCP Rule TCP 8888 0.0.0.0/0

"