#999 prosodyctl --root cert generate produces files that the prosody user lacks permission to read
What steps will reproduce the problem?
1. sudo prosodyctl --root cert generate
2. follow the instructions
3. sudo prosodyctl check certs
What is the expected output?
All is fine
What do you see instead?
certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/example.com.key': Check that the permissions allow Prosody to read this file. (for example.com)
Error: error loading private key (Permission denied)
What version of the product are you using? On what operating system?
Please provide any additional information below.
directory listing of /etc/prosody/certs:
-rw-r----- 1 root root 692 Sep 24 12:15 example.com.cnf
-rw-r----- 1 root root 1245 Sep 24 12:15 example.com.crt
-r-------- 1 root root 1675 Sep 24 12:15 example.com.key
Is there any reason to run 'cert generate' with --root?
I know we added the flag, but I imagine lots of things could go wrong if you used it for just anything. For example, --root adduser would most likely have similar problems (with internal storage).
Nice if you can put certificates directly in /etc/prosody/certs #530
Although running cert import right after would spare you from running OpenSSL code as root.
What permissions and ownership should *actually* be applied to the virtualhosts' keys and certificates?
This does something sensible:
sudo prosodyctl cert generate ...
sudo prosodyctl --root cert import ~prosody
And given the wide adoption of Let's Encrypt it does not seem as important to spend time on tooling for self-signed certs.
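As an added example (not Prosody's code and not from this thread): a small POSIX shell check that applies the same ownership and mode-bit test the kernel applies when Prosody opens a key, so the listing above can be diagnosed without restarting the server. It assumes GNU stat (-c); the directory, user and group are arguments, and /etc/prosody/certs with user prosody is just the layout from the report.

```shell
# Added example, not from the Prosody project: judge from ownership and mode
# bits alone whether a service user could open each file in a cert directory,
# and flag private keys that 'other' can read. Assumes GNU stat (-c).

# file_readable_by FILE USER GROUP
# exit 0 if USER (whose primary group is GROUP) may read FILE, 1 if not.
# Unix checks exactly one class: owner if it matches, else group, else other,
# which is why a root-owned 0400 key is unreadable for the prosody user.
file_readable_by() {
    f=$1 u=$2 g=$3
    info=$(stat -c '%a %U %G' "$f") || return 2
    set -- $info
    perm=$(( 0$1 & 0777 ))   # leading 0: parse stat's octal string
    owner=$2 grp=$3
    if [ "$owner" = "$u" ]; then
        [ $(( (perm >> 6) & 4 )) -ne 0 ]
    elif [ "$grp" = "$g" ]; then
        [ $(( (perm >> 3) & 4 )) -ne 0 ]
    else
        [ $(( perm & 4 )) -ne 0 ]
    fi
}

# check_cert_dir DIR USER GROUP
# prints one line per finding; exit status is the number of findings,
# so 0 means the layout would pass the "can Prosody read this" test.
check_cert_dir() {
    d=$1 u=$2 g=$3 n=0
    for f in "$d"/*; do
        [ -f "$f" ] || continue
        if ! file_readable_by "$f" "$u" "$g"; then
            echo "UNREADABLE by $u: $f ($(stat -c '%A %U:%G' "$f"))"
            n=$((n + 1))
        fi
        case $f in
        *.key)
            # a key the whole system can read is the opposite failure
            if [ $(( 0$(stat -c '%a' "$f") & 4 )) -ne 0 ]; then
                echo "WORLD-READABLE key: $f"
                n=$((n + 1))
            fi ;;
        esac
    done
    return $n
}

# usage, matching the report: check_cert_dir /etc/prosody/certs prosody prosody
```

Run it as any user that can stat the directory; it needs no sudo because it never opens the key itself.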