ACME automation to upload certificates via SFTP fails on setting file permission

Started by Nikotine, April 22, 2022, 02:49:59 PM

I have an automation to upload the certificates from ACME to my NUC running Proxmox.
The first file arrives on the NUC (ca.pem) but then the automation fails when trying to set permissions:

2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Command execution failed, exit code 2. Last input was: {"host":"10.25.9.7","host-key":"10.25.9.7 ssh-rsa AAAAB...<redacted>","port":"22","identity-type":"rsa","user":"root","remote-path":"/etc/pve/nodes/nuc","chgrp":"","chmod":"","chmod-key":"","cert-name":"ACME/cert.pem","key-name":"pveproxy-ssl.key","ca-name":"ACME/ca.pem","fullchain-name":"pveproxy-ssl.pem","certificates":"60e233ae8317f2.49433155","automation-id":"6261bfbeab2f64.84589426"}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed on {"source":"/tmp/sftp-upload-prMeUP","target":"ACME/ca.pem","mode":"0440","group":false,"delete_source":true}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed uploading file (with adjusted permissions) '/tmp/sftp-upload-prMeUP' to 'ACME/ca.pem' ; Cause: {"permission_denied":true,"error":"remote fsetstat: Permission denied"}
2022-04-22T14:27:41 Error opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php: Failed changing permission to '0600' for 'ACME/ca.pem'.  ; Cause: {"permission_denied":true,"error":"remote setstat \"/etc/pve/nodes/nuc/ACME/ca.pem\": Permission denied"}
2022-04-22T14:27:36 Notice opnsense AcmeClient: running automation (configd): NUC


I have the same type of automation distributing these certificates to two other devices without a problem.
I would like to post the problem on a Proxmox forum as well, but the problem is I don't know which command it is failing on exactly. Is it chmod, umask,...? Google doesn't seem to know setstat or fsetstat.
Any idea what might be going wrong here?

I think fsetstat etc. are functions of the SFTP server, not independent Linux commands. So you need to look at Proxmox' SFTP implementation I think.

See e.g. https://community.atlassian.com/t5/Bitbucket-questions/Couldn-t-fsetstat-permission-denied-errors-with-sftp-deploy/qaq-p/1108832 or https://stackoverflow.com/questions/8675373/using-perl-sftp-i-keep-getting-an-fsetstat-error-when-i-put-a-file https://serverfault.com/questions/821760/denying-timestamp-modification-on-sftp-server (for modifying a linux SFTP server) or ...

Alternatively, the OPNsense / ACME SFTP script might need to be modified, see e.g. https://stackoverflow.com/questions/62170626/workaround-for-unsupported-setstat-request-on-sftp-server-with-sshj

BTW, I came across similar issues with uploading the certificates to my ESXi server -- connection works but copying the files over fails unfortunately :-(

And you should work on your Google-fu :-)
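
Added example (not part of the original thread, and not OPNsense or Proxmox code): a small Python triage script that reads upload_sftp.php log lines like those in the first post and names the SFTP protocol request behind each "remote setstat" / "remote fsetstat" error. The sample log is constructed from the lines quoted above with the script path shortened; the function and variable names are illustrative.

```python
import json
import re

# Request type codes defined by the SFTP protocol (draft-ietf-secsh-filexfer).
SFTP_REQUESTS = {
    "setstat": ("SSH_FXP_SETSTAT", 9, "set attributes by path"),
    "fsetstat": ("SSH_FXP_FSETSTAT", 10, "set attributes on an open file handle"),
}

# Constructed sample: log lines from the first post, script path shortened.
SAMPLE_LOG = r'''
2022-04-22T14:27:41 Error opnsense upload_sftp.php: Failed uploading file (with adjusted permissions) '/tmp/sftp-upload-prMeUP' to 'ACME/ca.pem' ; Cause: {"permission_denied":true,"error":"remote fsetstat: Permission denied"}
2022-04-22T14:27:41 Error opnsense upload_sftp.php: Failed changing permission to '0600' for 'ACME/ca.pem'.  ; Cause: {"permission_denied":true,"error":"remote setstat \"/etc/pve/nodes/nuc/ACME/ca.pem\": Permission denied"}
2022-04-22T14:27:36 Notice opnsense AcmeClient: running automation (configd): NUC
'''

CAUSE_RE = re.compile(r"; Cause: (\{.*\})\s*$")
REMOTE_RE = re.compile(r'^remote (\w+)(?: "([^"]*)")?: (.*)$')
MODE_RE = re.compile(r"permission to '([0-7]{3,4})'")


def classify(log_text):
    """Return one finding per log line whose Cause names an SFTP attribute request."""
    findings = []
    for line in log_text.splitlines():
        cause_match = CAUSE_RE.search(line)
        if not cause_match:
            continue
        try:
            cause = json.loads(cause_match.group(1))
        except json.JSONDecodeError:
            continue  # truncated or redacted JSON: skip rather than guess
        remote = REMOTE_RE.match(cause.get("error", ""))
        if not remote or remote.group(1) not in SFTP_REQUESTS:
            continue
        name, code, meaning = SFTP_REQUESTS[remote.group(1)]
        mode = MODE_RE.search(line)
        findings.append({
            "request": name, "code": code, "meaning": meaning,
            "path": remote.group(2),            # None for fsetstat (handle, no path)
            "mode": mode.group(1) if mode else None,
            "status": remote.group(3),
        })
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f'{f["request"]} ({f["code"]}): {f["meaning"]}; path={f["path"]} mode={f["mode"]} -> {f["status"]}')
```

For the two error lines above it reports an FSETSTAT during the upload and a SETSTAT for the follow-up permission change to 0600, both answered by the server with "Permission denied".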