#999 prosodyctl --root cert generate produces files that the prosody user lacks permission to read

Reporter Zash
Owner Nobody
Stars ★ (1)
  • Type-Defect
  • Status-WontFix
  • Priority-Medium
  1. Zash on

    What steps will reproduce the problem?

    1. sudo prosodyctl --root cert generate
    2. follow the instructions
    3. sudo prosodyctl check certs

    What is the expected output?

    All is fine

    What do you see instead?

    certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/example.com.key': Check that the permissions allow Prosody to read this file. (for example.com)
    Error: error loading private key (Permission denied)

    What version of the product are you using? On what operating system?

    prosody-0.10 1nightly428-1~trusty

    Please provide any additional information below.

    directory listing of /etc/prosody/certs:

    -rw-r----- 1 root root 692 Sep 24 12:15 example.com.cnf
    -rw-r----- 1 root root 1245 Sep 24 12:15 example.com.crt
    -r-------- 1 root root 1675 Sep 24 12:15 example.com.key

  2. MattJ on

    Is there any reason to run 'cert generate' with --root? I know we added the flag, but I imagine lots of things could go wrong if you used it for just anything. For example --root adduser would have similar problems most likely (with internal storage).

  3. Zash on

    Nice if you can put certificates directly in /etc/prosody/certs #530

    Although running cert import right after would spare you from running OpenSSL code as root.

  4. Dave Nelson on

    What permissions and ownership should *actually* be applied to the virtualhosts' keys and certificates?

  5. Zash on

    This does something sensible:

    sudo prosodyctl cert generate ...
    sudo prosodyctl --root cert import ~prosody

    And given the wide adoption of Let's Encrypt it does not seem as important to spend time on tooling for self-signed certs.

    • tags Milestone-0.10 Status-WontFix
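
The failure reported in this issue comes down to which POSIX permission class applies to the account Prosody runs as. The following is an added example, not part of the issue thread or Prosody's own code: it evaluates the directory listing from the report for an account assumed to be named `prosody` whose only group is `prosody` (both names are assumptions).

```python
# Added example: LISTING is copied from the report above; the account name
# "prosody" and its group membership are assumptions for illustration.
LISTING = """\
-rw-r----- 1 root root 692 Sep 24 12:15 example.com.cnf
-rw-r----- 1 root root 1245 Sep 24 12:15 example.com.crt
-r-------- 1 root root 1675 Sep 24 12:15 example.com.key
"""


def parse_ls_line(line):
    """Return (name, owner, group, perms) from one `ls -l` line."""
    fields = line.split(None, 8)
    if len(fields) != 9 or len(fields[0]) < 10:
        raise ValueError("not an ls -l line: %r" % line)
    # fields[0] is e.g. "-rw-r-----"; drop the file-type character.
    return fields[8], fields[2], fields[3], fields[0][1:10]


def can_read(perms, owner, group, user, groups):
    """POSIX class selection: exactly one of owner/group/other applies."""
    if user == "root":
        return True  # root is not restricted by the read bits
    if user == owner:
        return perms[0] == "r"  # owner class wins, even if group would allow
    if group in groups:
        return perms[3] == "r"
    return perms[6] == "r"


def unreadable_for(listing, user, groups):
    """Names of files in the listing that `user` cannot open for reading."""
    blocked = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, owner, group, perms = parse_ls_line(line)
        if not can_read(perms, owner, group, user, groups):
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    for name in unreadable_for(LISTING, "prosody", {"prosody"}):
        print("prosody cannot read", name)
```

All three files fall into the "other" class for the assumed account, so the key load fails exactly as `prosodyctl check certs` reports.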
