
FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied

Tags: postgresql, ssl

I believe I ended up mixing up permissions in the /etc/ssl directory tree, as the last modification was made on 18th November and a day after I could not get my PostgreSQL to work.

When I type in

sudo service postgresql start

I get

FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied

Checking permissions

~$ sudo -i
~$ ls -la /etc/ssl/private
drw-r----- 2 root ssl-cert 4096 Nov 18 21:10 .
-rwxrwxrwx 1 postgres postgres 1704 Set 4 11:26 ssl-cert-snakeoil.key

Checking group composition

~$ id postgres
uid=114(postgres) gid=127(postgres) groups=127(postgres),114(ssl-cert)

Also I noticed that my ssl-cert-snakeoil.pem file at /etc/ssl/certs/ doesn't have a symlink. I don't know if this makes any difference...

Please, help me sort this out.

Thanks.

Edit: Should it be posted on serverfault instead?

augustus182l asked Dec 10 '15 19:12


5 Answers

Try adding postgres user to the group ssl-cert

Run the below code to fix your issue:

# > It happened to me and it turned out that I removed erroneously the postgres user from "ssl-cert" group, set it back with
sudo gpasswd -a postgres ssl-cert

# Fixed ownership and mode
sudo chown root:ssl-cert  /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 740 /etc/ssl/private/ssl-cert-snakeoil.key

# now postgresql starts! (and install command doesn't fail anymore)
sudo /etc/init.d/postgresql start

Courtesy of GabLeRoux

Noushad answered Oct 23 '22 15:10


Check the output of

$ sudo -u postgres ls /etc/ssl/private

If the response is "Permission denied" do

$ chown postgres:ssl-cert /etc/ssl/private/
$ chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key

devops answered Oct 23 '22 13:10


The only thing that will work if you have changed permissions for /etc/ssl/private:

mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private

Copy this whole command (it's a single line).

If this doesn't work for you, check your postgres user's groups with groups postgres and make sure your postgres user has ssl-cert root postgres (order doesn't matter).

Now let's check your file permissions on ssl/private:

$ ls -la /etc/ssl/
> drwx------   2 postgres root private

If this is not the output, change your permissions with sudo chmod -R 700 /etc/ssl/private and, for owners, chown -R postgres:root /etc/ssl/private

# Now check permissions on ssl-cert-snakeoil.key,
# which will be inside your private directory.
$ ls -la /etc/ssl/private/ssl-cert-snakeoil.key
> -rwx------ 1 postgres root /etc/ssl/private/ssl-cert-snakeoil.key

Smit Patel answered Oct 23 '22 15:10


I was suffering from this issue when attempting to start PostgreSQL on a remote docker instance. I eventually tracked down the crazy solution here. Basically you have to recreate the directories, chown on its own doesn't work:

mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private

Iain Hunter answered Oct 23 '22 14:10


This error was preventing my PostgreSQL server from running locally.

The following worked for me:

sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key 
sudo chmod 600               /etc/ssl/private/ssl-cert-snakeoil.key 

Also make sure that /etc/ssl/private has enough permissions.


Some programs can be incredibly pedantic and cost you valuable hours. By running journalctl after sudo systemctl start postgresql I'd see various errors like:

FATAL:  could not load private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied

FATAL:  private key file "/etc/ssl/private/ssl-cert-snakeoil.key" must be owned by the database user or root

FATAL:  private key file "/etc/ssl/private/ssl-cert-snakeoil.key" has group or world access
DETAIL:  File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.

I couldn't make it work with sudo chmod root:root, so I had to settle for sudo chmod postgres:postgres.


EDIT

I haven't tried it, but deleting and regenerating the snakeoil certificate might work as well:

make-ssl-cert generate-default-snakeoil --force-overwrite

(You may have to run it with sudo, don't know.)

étale-cohomology answered Oct 23 '22 13:10
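
The two conditions this thread keeps returning to, search permission on every directory above the key and the owner/mode rule quoted in the DETAIL line, written as a small checker. This is an added example, not code from any of the answers; the function names, the default user postgres and the GNU stat -c syntax are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answers. Function names are hypothetical;
# stat -c is the GNU coreutils form; ACLs are not considered.

# key_mode_ok OWNER_UID DB_UID MODE: the owner/mode rule from the DETAIL line.
# Assumption: only the group and other bits are tested, as the rule describes.
key_mode_ok() {
    if [ "$1" -eq "$2" ]; then
        [ $(( 0$3 & 077 )) -eq 0 ]    # database user: no group/other bits (0600)
    elif [ "$1" -eq 0 ]; then
        [ $(( 0$3 & 037 )) -eq 0 ]    # root: group may read, nothing more (0640)
    else
        return 1                      # any other owner is refused
    fi
}

# dir_searchable MODE OWNER_UID GROUP_GID USER_UID "USER_GIDS"
# Picks the owner, group or other class as the kernel does, then tests its x bit.
dir_searchable() {
    [ "$4" -eq 0 ] && return 0        # root bypasses the search check
    if [ "$4" -eq "$2" ]; then
        [ $(( 0$1 & 0100 )) -ne 0 ]; return
    fi
    for ds_gid in $5; do
        if [ "$ds_gid" -eq "$3" ]; then
            [ $(( 0$1 & 0010 )) -ne 0 ]; return
        fi
    done
    [ $(( 0$1 & 0001 )) -ne 0 ]
}

# check_key KEYFILE [USER]: run as root so every path component can be read.
check_key() {
    ck_user=${2:-postgres}
    ck_uid=$(id -u "$ck_user") && ck_gids=$(id -G "$ck_user") || return 2
    ck_dir=$(cd "$(dirname "$1")" && pwd -P) || return 2
    while :; do
        ck_st=$(stat -c '%a %u %g' "$ck_dir") || return 2
        # $ck_st is deliberately unquoted: it splits into MODE UID GID
        dir_searchable $ck_st "$ck_uid" "$ck_gids" ||
            { echo "$ck_user cannot search $ck_dir (mode ${ck_st%% *})"; return 1; }
        [ "$ck_dir" = / ] && break
        ck_dir=$(dirname "$ck_dir")
    done
    ck_st=$(stat -L -c '%u %a' "$1") || return 2
    key_mode_ok "${ck_st% *}" "$ck_uid" "${ck_st#* }" ||
        { echo "$1: owner uid ${ck_st% *}, mode ${ck_st#* } refused"; return 1; }
    echo "$1: ok for $ck_user"
}
```

With the values from the question's listing (directory mode 640 owned by root:ssl-cert, postgres uid 114 with groups 127 and 114), dir_searchable fails because the group class has no x bit, and key_mode_ok rejects the key's mode 777.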