Fixing issues with permissions on BTCPay Server Monero daemons

fix_ssl_cert_perms.md

You can view these steps and others at my BTCPay guide now: https://sethforprivacy.com/guides/accepting-monero-via-btcpay-server/#troubleshooting

Fixing issues with permissions on BTCPay Server Monero daemons

A recent change to monerod makes it write SSL certs to disk in its data directory, something that can fail if the permissions on the data directory are incorrect. You can follow the steps here to correct those issues and get monerod back up and running.

From the monerod container

Exec into monerod container

docker exec -ti btcpayserver_monerod bash
cd ~

List permissions on cert files

monero@64bc4693c90c:~$ ls -alF .bitmonero/
total 17652
drwxr-xr-x 3 monero monero     4096 Jul 21 12:20 ./
drwxr-xr-x 3 monero monero     4096 Jul 21 06:28 ../
-rw-r--r-- 1 monero monero 17872897 Aug 15 20:33 bitmonero.log
drwxr-xr-x 2 monero monero     4096 Jul 12 06:11 lmdb/
-rw-r--r-- 1 monero monero   174456 Aug 15 20:30 p2pstate.bin
-r--r--r-- 1 root   root     1606 Jul 21 12:20 rpc_ssl.crt
-r-------- 1 root   root     3268 Jul 21 12:20 rpc_ssl.key

Set proper permissions

chmod 444 .bitmonero/rpc_ssl.crt
chown monero:monero .bitmonero/rpc_ssl.crt
chmod 400 .bitmonero/rpc_ssl.key
chown monero:monero .bitmonero/rpc_ssl.key

Verify proper permissions

monero@64bc4693c90c:~$ ls -alF .bitmonero/
total 17652
drwxr-xr-x 3 monero monero     4096 Jul 21 12:20 ./
drwxr-xr-x 3 monero monero     4096 Jul 21 06:28 ../
-rw-r--r-- 1 monero monero 17872897 Aug 15 20:33 bitmonero.log
drwxr-xr-x 2 monero monero     4096 Jul 12 06:11 lmdb/
-rw-r--r-- 1 monero monero   174456 Aug 15 20:30 p2pstate.bin
-r--r--r-- 1 monero monero     1606 Jul 21 12:20 rpc_ssl.crt
-r-------- 1 monero monero     3268 Jul 21 12:20 rpc_ssl.key

If there are no cert files present

If there are no cert files present already, you will need to fix permissions on the directory itself so monerod can create the new files:

chown monero:monero .bitmonero

From the host OS

List permissions on cert files

sudo ls -lan /var/lib/docker/volumes/generated_xmr_data/_data
total 17660
drwxr-xr-x 3 101 101     4096 Jul 21 12:20 .
drwx-----x 3   0   0     4096 May 25 15:21 ..
-rw-r--r-- 1 101 101 17877166 Aug 16 17:29 bitmonero.log
drwxr-xr-x 2 101 101     4096 Jul 12 06:11 lmdb
-rw-r--r-- 1 101 101   177101 Aug 16 17:31 p2pstate.bin
-r--r--r-- 1 0   0     1606 Jul 21 12:20 rpc_ssl.crt
-r-------- 1 0   0     3268 Jul 21 12:20 rpc_ssl.key

Set proper permissions

sudo chmod 444 /var/lib/docker/volumes/generated_xmr_data/_data/rpc_ssl.crt
sudo chown monero:monero /var/lib/docker/volumes/generated_xmr_data/_data/rpc_ssl.crt
sudo chmod 400 /var/lib/docker/volumes/generated_xmr_data/_data/rpc_ssl.key
sudo chown monero:monero /var/lib/docker/volumes/generated_xmr_data/_data/rpc_ssl.key

Verify proper permissions

sudo ls -lan /var/lib/docker/volumes/generated_xmr_data/_data
total 17660
drwxr-xr-x 3 101 101     4096 Jul 21 12:20 .
drwx-----x 3   0   0     4096 May 25 15:21 ..
-rw-r--r-- 1 101 101 17877166 Aug 16 17:29 bitmonero.log
drwxr-xr-x 2 101 101     4096 Jul 12 06:11 lmdb
-rw-r--r-- 1 101 101   177101 Aug 16 17:31 p2pstate.bin
-r--r--r-- 1 101 101     1606 Jul 21 12:20 rpc_ssl.crt
-r-------- 1 101 101     3268 Jul 21 12:20 rpc_ssl.key

If there are no cert files present

If there are no cert files present already, you will need to fix permissions on the directory itself so monerod can create the new files:

sudo chown 101:101 /var/lib/docker/volumes/generated_xmr_data/_data

Other notes

• If you can't exec into the container because it's crashing, you can do the same on the local filesystem by finding the bind mounted folder, likely /var/lib/docker/volumes/generated_xmr_data/_data and performing the steps above on it from the host OS
• If you get a permission error trying to set permissions above, make sure to run the chmod and chown commands as sudo