Using $host variable in ssl_certificate path

Grzegorz Kulewski gk at
Wed Oct 20 20:13:21 UTC 2021

W dniu 20.10.2021 o 19:27, dimitre pisze:
> I'm now using Nginx 1.21.
> I've noticed Nginx actually runs with variable in ssl certificate path, but
> the certificate itself doesn't run.
> ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem; # managed by
> Certbot
> ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem; # managed by
> Certbot
> I double checked the $host variable using a special header and curl, to know
> if $host variable is the exact value of my folder there, and it is correct.
> add_header  X-Host $host;
> Now checking Nginx error.log it indicates maybe it is because file
> permissions
> 2021/10/20 17:16:07 [error] 2408#2408: *412 cannot load certificate
> "/etc/letsencrypt/live/XXXXX/fullchain.pem": BIO_new_file() failed (SSL:
> error:0200100D:system library:fopen:Permission
> denied:fopen('/etc/letsencrypt/live/XXXX/fullchain.pem','r')
> error:2006D002:BIO routines:BIO_new_file:system lib) while SSL handshaking,
> client:, server:
> But strangely enough it runs OK if I don't use the $host variable. I would
> like to keep permissions so when Certbot updates I don't have any
> surprises.

It's not strange at all. When using static file names nginx opens these files at startup, before changing uid/gid from root to nginx. When using dynamic file names that, obviously, can't happen - nginx has to open these files at request time. So if you didn't configure Certbot to install certs with correct owner/perms then it can't and won't work.

Grzegorz Kulewski

More information about the nginx mailing list