failure by renewing SSL certificate with permission denied
This is an edge-case error you can hit when you renew your SSL certificates. I published this to help people who might encounter the issue.
It happens when you renew your SSL certificates yourself instead of using the default Mox setup (Mox automates the certificate renewal process with Let’s Encrypt; I mention Mox because it is what I installed on my server, and Mox also needs the SSL certificates). When you use your own SSL certificates and renew them on your own, this can happen, especially if you earlier tried the ./acme.sh --install-cert xxx command.
error message
First, about the error message:
[Tue Apr 22 12:09:50 PM CEST 2025] Your cert is in: /home/xxx/.acme.sh/xxx_ecc/xxx.cer
[Tue Apr 22 12:09:50 PM CEST 2025] Your cert key is in: /home/xxx/.acme.sh/xxx_ecc/xxx.key
[Tue Apr 22 12:09:50 PM CEST 2025] The intermediate CA cert is in: /home/xxx/.acme.sh/xxx_ecc/ca.cer
[Tue Apr 22 12:09:50 PM CEST 2025] And the full chain certs is there: /home/xxx/.acme.sh/xxx_ecc/fullchain.cer
[Tue Apr 22 12:09:50 PM CEST 2025] Installing key to: /home/mox/config/certs/xxx-key.pem
touch: cannot touch '/home/mox/config/certs/xxx-key.pem': Permission denied
This happened when I tried to renew the certificates for my domain xxx and its wildcard domain.
# renew command
./acme.sh --force --renew --dns dns_netcup -d "xxx" -d "*.xxx" --server letsencrypt
You can see it had trouble writing the certificates into the mox folder, but I never set up anything for acme.sh with the Mox server. How come it also tries to automatically renew the certificates for my Mox server?
Or did I?
failure cause
The direct cause is that ./acme.sh does not have root permission, while the Mox folder belongs entirely to root. But why did ./acme.sh also try to update my Mox folder? Where is the setup?
At first I thought it was related to some hook mechanism that is triggered after the renewal process. Nope, there is no hook set up for it.
Then I thought it was the Mox auto-configuration, which changes some default configs in ./acme.sh. Jein (the German word for yes and no). The truth is that some configs were changed for ./acme.sh, but not by the Mox auto-configuration; they were changed by me.
If you have acme.sh installed, then you will have the user_home_path/.acme.sh folder. There you have all the settings and certificates. The changed file is in the ecc config folder for your domain inside that acme.sh folder. If your domain name is april.de, then the file path looks like:
path/to/.acme.sh/april.de_ecc/april.de.conf
There, the Le_RealKeyPath and Le_RealFullChainPath parameters are changed to Mox-related paths, and since the mox folder was created by root, other users have no control over any of it. This explains the Permission denied error message.
It turns out that whenever you use ./acme.sh to install certificates, like ./acme.sh --install-cert xxx, it overwrites those two parameters with the install target paths. Because I had earlier tried to install the certificates to my mox folder with the install-cert command, those two parameters were changed to the mox folder paths, even though the install itself failed.
solution
Find the config file for your domain in your acme.sh folder, then delete the two lines with the parameters Le_RealKeyPath and Le_RealFullChainPath.
This prevents the renewal process from also updating the certificates at the target path.
Le_RealKeyPath='/home/mox/config/certs/xxxx-key.pem' # delete
Le_ReloadCmd=''
Le_RealFullChainPath='/home/mox/config/certs/xxx-fullchain.pem' # delete
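
A pre-renew check for the situation described above, as an added example that is not part of the original post or of acme.sh itself: it scans every domain config under an acme.sh folder and reports saved Le_RealKeyPath / Le_RealFullChainPath targets the current user cannot write. The function name, the sample domains (example.test, ok.test) and the temporary paths are assumptions made for illustration.

```bash
# Added example: find install targets saved in acme.sh domain configs
# (Le_RealKeyPath / Le_RealFullChainPath) that the current user cannot write.
# Prints "conf<TAB>parameter<TAB>path" for each target a renew would fail on.
acme_unwritable_targets() {
    local acme_home="$1" conf line key path dir
    for conf in "$acme_home"/*/*.conf; do
        [ -f "$conf" ] || continue
        while IFS= read -r line; do
            case $line in
                Le_RealKeyPath=*|Le_RealFullChainPath=*) ;;
                *) continue ;;
            esac
            key=${line%%=*}
            path=${line#*=}
            path=${path#\'}; path=${path%\'}   # strip the single quotes
            [ -n "$path" ] || continue         # empty: no install target saved
            if [ -e "$path" ]; then
                [ -w "$path" ] && continue     # existing file we may overwrite
            else
                dir=$(dirname -- "$path")
                [ -d "$dir" ] && [ -w "$dir" ] && continue
            fi
            printf '%s\t%s\t%s\n' "$conf" "$key" "$path"
        done < "$conf"
    done
}

# Constructed sample data (hypothetical domains). The bad targets point into
# a directory that does not exist, so the result is the same even as root.
demo() {
    local home
    home=$(mktemp -d)
    mkdir -p "$home/example.test_ecc" "$home/ok.test_ecc" "$home/out"
    cat > "$home/example.test_ecc/example.test.conf" <<EOF
Le_RealKeyPath='$home/missing/certs/example-key.pem'
Le_ReloadCmd=''
Le_RealFullChainPath='$home/missing/certs/example-fullchain.pem'
EOF
    printf "Le_RealKeyPath='%s'\n" "$home/out/ok-key.pem" \
        > "$home/ok.test_ecc/ok.test.conf"
    acme_unwritable_targets "$home"   # reports only the two example.test lines
    rm -rf "$home"
}
demo
```

Run it as the same user that runs the renew and point it at that user's .acme.sh folder; any line it prints names a config entry to fix or delete before renewing.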