<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://htyp.org/mw/index.php?action=history&amp;feed=atom&amp;title=Prosody_IM%2Fhow_to%2FSSL%2Fprosody-cert-fix.php</id>
	<title>Prosody IM/how to/SSL/prosody-cert-fix.php - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://htyp.org/mw/index.php?action=history&amp;feed=atom&amp;title=Prosody_IM%2Fhow_to%2FSSL%2Fprosody-cert-fix.php"/>
	<link rel="alternate" type="text/html" href="https://htyp.org/mw/index.php?title=Prosody_IM/how_to/SSL/prosody-cert-fix.php&amp;action=history"/>
	<updated>2026-07-01T09:16:07Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.45.3</generator>
	<entry>
		<id>https://htyp.org/mw/index.php?title=Prosody_IM/how_to/SSL/prosody-cert-fix.php&amp;diff=24233&amp;oldid=prev</id>
		<title>Woozle: Created page with &quot;==Notes== * It may be necessary to have this script execute &lt;code&gt;service prosody restart&lt;/code&gt; whenever changes are made. To be tested. * If the SSL certificate used is from...&quot;</title>
		<link rel="alternate" type="text/html" href="https://htyp.org/mw/index.php?title=Prosody_IM/how_to/SSL/prosody-cert-fix.php&amp;diff=24233&amp;oldid=prev"/>
		<updated>2018-12-06T12:33:38Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot;==Notes== * It may be necessary to have this script execute &amp;lt;code&amp;gt;service prosody restart&amp;lt;/code&amp;gt; whenever changes are made. To be tested. * If the SSL certificate used is from...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;==Notes==&lt;br /&gt;
* It may be necessary to have this script execute &amp;lt;code&amp;gt;service prosody restart&amp;lt;/code&amp;gt; whenever changes are made. To be tested.&lt;br /&gt;
* If the SSL certificate used is from [[Let&amp;#039;s Encrypt]], clients such as [[Pidgin]] may still not recognize it as valid (but the error message will indicate that the signing authority is not valid, rather than some other issue like expiration date).&lt;br /&gt;
==Code==&lt;br /&gt;
&amp;lt;syntaxhighlight lang=php&amp;gt;&lt;br /&gt;
&amp;lt;?php&lt;br /&gt;
/*&lt;br /&gt;
  PURPOSE: cron script for updating cert access when certs are renewed&lt;br /&gt;
    Cert renewal resets the cert access mode to user-only, no access for anyone else.&lt;br /&gt;
    We need to share some certs across multiple applications with different users, however.&lt;br /&gt;
  ACTION:&lt;br /&gt;
    * Checks the current group-owner and chmod for each cert in a list&lt;br /&gt;
    * If needed, resets the mode to give access to the group designated for SSL cert access.&lt;br /&gt;
  USAGE: run this script after running certbot, or regularly at some time-of-day not long&lt;br /&gt;
    after certbot runs.&lt;br /&gt;
  HISTORY:&lt;br /&gt;
    2018-06-24 started&lt;br /&gt;
*/&lt;br /&gt;
&lt;br /&gt;
// ++ DEBUGGING ++ //&lt;br /&gt;
&lt;br /&gt;
// Report every class of PHP diagnostic and make sure it is printed with the script output.&lt;br /&gt;
$fErrLevel = E_ALL | E_STRICT;&lt;br /&gt;
error_reporting($fErrLevel);&lt;br /&gt;
// Only force display_errors on when the ini setting is currently off or empty.&lt;br /&gt;
ini_get(&amp;#039;display_errors&amp;#039;) || ini_set(&amp;#039;display_errors&amp;#039;, 1);&lt;br /&gt;
&lt;br /&gt;
// ++ SETTINGS ++ //&lt;br /&gt;
&lt;br /&gt;
// Group that is granted read access to the shared cert files.&lt;br /&gt;
// NOTE(review): every member of this group can read all files listed below, including&lt;br /&gt;
// ssl.key (presumably the private key), so keep the group membership minimal.&lt;br /&gt;
$sGroupDo = &amp;#039;ssl-cert&amp;#039;;&lt;br /&gt;
// Files whose group-owner and mode are checked on each run.&lt;br /&gt;
$arCertFiles = array(&lt;br /&gt;
  &amp;#039;/home/hypertwins/ssl.cert&amp;#039;,&lt;br /&gt;
  &amp;#039;/home/hypertwins/ssl.key&amp;#039;&lt;br /&gt;
  );&lt;br /&gt;
// The log file is kept in the same directory as this script.&lt;br /&gt;
$fsLog = __DIR__.&amp;#039;/shared-certs.log&amp;#039;;&lt;br /&gt;
echo &amp;quot;Logging to [$fsLog]...\n&amp;quot;;&lt;br /&gt;
&lt;br /&gt;
// Why aren&amp;#039;t there already constants for these?&lt;br /&gt;
// Octal permission bits, one constant per class (owner, group, everyone else) and right.&lt;br /&gt;
const KI_FMODE_OWNER_READ   = 0400;&lt;br /&gt;
const KI_FMODE_OWNER_WRITE  = 0200;&lt;br /&gt;
const KI_FMODE_OWNER_EXEC   = 0100;&lt;br /&gt;
const KI_FMODE_GROUP_READ   = 0040;&lt;br /&gt;
const KI_FMODE_GROUP_WRITE  = 0020;&lt;br /&gt;
const KI_FMODE_GROUP_EXEC   = 0010;&lt;br /&gt;
const KI_FMODE_GLOBAL_READ  = 0004;&lt;br /&gt;
const KI_FMODE_GLOBAL_WRITE = 0002;&lt;br /&gt;
const KI_FMODE_GLOBAL_EXEC  = 0001;&lt;br /&gt;
&lt;br /&gt;
// -- SETTINGS -- //&lt;br /&gt;
// ++ CALCULATIONS ++ //&lt;br /&gt;
&lt;br /&gt;
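// Resolve the target group name to its numeric gid.&lt;br /&gt;
$arGroupDo = posix_getgrnam($sGroupDo);&lt;br /&gt;
if (!is_array($arGroupDo)) {&lt;br /&gt;
    // posix_getgrnam() returns false for an unknown group. Stop here: continuing would&lt;br /&gt;
    // widen file modes without being able to hand the files to the intended group.&lt;br /&gt;
    echo &amp;quot;Group [$sGroupDo] not found; no cert permissions were changed.\n&amp;quot;;&lt;br /&gt;
    exit(1);&lt;br /&gt;
}&lt;br /&gt;
$idGroupDo = $arGroupDo[&amp;#039;gid&amp;#039;];&lt;br /&gt;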
&lt;br /&gt;
// -- CALCULATIONS -- //&lt;br /&gt;
// ++ LOGGER CLASS ++ //&lt;br /&gt;
&lt;br /&gt;
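// Minimal append-only logger: each WriteLine() call opens the file, appends one&lt;br /&gt;
// timestamped line, echoes it, and closes the file again.&lt;br /&gt;
class cLogger {&lt;br /&gt;
    private $fs,$rf;	// $fs = log file path, $rf = handle from fopen() (false if it failed)&lt;br /&gt;
&lt;br /&gt;
    // $fs: path of the log file; nothing is opened until WriteLine() is called.&lt;br /&gt;
    public function __construct($fs) {&lt;br /&gt;
	$this-&amp;gt;fs = $fs;&lt;br /&gt;
    }&lt;br /&gt;
    protected function OpenFile() {&lt;br /&gt;
	$this-&amp;gt;rf = fopen($this-&amp;gt;fs,&amp;#039;a&amp;#039;);	// open log file for appending&lt;br /&gt;
    }&lt;br /&gt;
    protected function ShutFile() {&lt;br /&gt;
	// fopen() may have failed, so only close a real handle.&lt;br /&gt;
	if (is_resource($this-&amp;gt;rf)) {&lt;br /&gt;
	    fclose($this-&amp;gt;rf);&lt;br /&gt;
	}&lt;br /&gt;
	$this-&amp;gt;rf = null;&lt;br /&gt;
    }&lt;br /&gt;
    protected function getTimeStamp() {&lt;br /&gt;
	return date(&amp;#039;Y.m.d H:i:s&amp;#039;);&lt;br /&gt;
    }&lt;br /&gt;
    // Appends a timestamp, a tab, $s and a newline to the log file and echoes the same line.&lt;br /&gt;
    // If the log file cannot be opened, the line is still echoed, preceded by a warning.&lt;br /&gt;
    public function WriteLine($s) {&lt;br /&gt;
	$this-&amp;gt;OpenFile();&lt;br /&gt;
	$s = $this-&amp;gt;getTimeStamp() . &amp;quot;\t&amp;quot; . $s . &amp;quot;\n&amp;quot;;&lt;br /&gt;
	if (is_resource($this-&amp;gt;rf)) {&lt;br /&gt;
	    fwrite($this-&amp;gt;rf,$s);&lt;br /&gt;
	} else {&lt;br /&gt;
	    // Do not lose the record of a permission change just because the log is unwritable.&lt;br /&gt;
	    echo &amp;quot;WARNING: cannot append to log file [{$this-&amp;gt;fs}]\n&amp;quot;;&lt;br /&gt;
	}&lt;br /&gt;
	echo &amp;quot;LOGGING: $s\n&amp;quot;;&lt;br /&gt;
	$this-&amp;gt;ShutFile();&lt;br /&gt;
    }&lt;br /&gt;
}&lt;br /&gt;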
&lt;br /&gt;
// -- LOGGER CLASS -- //&lt;br /&gt;
// ++ MAIN ++ //&lt;br /&gt;
&lt;br /&gt;
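$oLog = new cLogger($fsLog);&lt;br /&gt;
&lt;br /&gt;
// Refuse to touch any file unless the target group resolved to a numeric gid.&lt;br /&gt;
if (!is_int($idGroupDo)) {&lt;br /&gt;
    $oLog-&amp;gt;WriteLine(&amp;quot;target group ($sGroupDo) has no usable gid, nothing changed&amp;quot;);&lt;br /&gt;
    exit(1);&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
foreach ($arCertFiles as $fs) {&lt;br /&gt;
    $arStatIs = stat($fs);	// get information about file (stat follows symlinks)&lt;br /&gt;
    if ($arStatIs === false) {&lt;br /&gt;
	// Missing or unreadable file: record it and move on to the next one.&lt;br /&gt;
	$oLog-&amp;gt;WriteLine(&amp;quot;[$fs] stat failed, skipping&amp;quot;);&lt;br /&gt;
	continue;&lt;br /&gt;
    }&lt;br /&gt;
    &lt;br /&gt;
    // check owner-group FIRST, so that group-read is never granted to whatever&lt;br /&gt;
    // group the file happened to belong to before the change&lt;br /&gt;
    $idGroupIs = $arStatIs[&amp;#039;gid&amp;#039;];	// get file&amp;#039;s group ID&lt;br /&gt;
    $arGroupIs = posix_getgrgid($idGroupIs);&lt;br /&gt;
    $sGroupIs = is_array($arGroupIs) ? $arGroupIs[&amp;#039;name&amp;#039;] : &amp;#039;?&amp;#039;;	// gid may have no group entry&lt;br /&gt;
    $sStatus = &amp;quot;[$fs] is group #$idGroupIs ($sGroupIs)&amp;quot;;&lt;br /&gt;
    if ($idGroupIs === $idGroupDo) {&lt;br /&gt;
	echo $sStatus.&amp;quot;, no change needed.\n&amp;quot;;&lt;br /&gt;
    } else {&lt;br /&gt;
	$sLine = $sStatus.&amp;quot;, changing to #$idGroupDo ($sGroupDo)&amp;quot;;&lt;br /&gt;
	$oLog-&amp;gt;WriteLine($sLine);&lt;br /&gt;
	if (!chgrp($fs,$idGroupDo)) {&lt;br /&gt;
	    // Leave the mode alone: adding group-read now would expose the file to the old group.&lt;br /&gt;
	    $oLog-&amp;gt;WriteLine(&amp;quot;[$fs] chgrp failed, mode left unchanged&amp;quot;);&lt;br /&gt;
	    continue;&lt;br /&gt;
	}&lt;br /&gt;
    }&lt;br /&gt;
    &lt;br /&gt;
    // check mode&lt;br /&gt;
    $nModeIs = $arStatIs[&amp;#039;mode&amp;#039;] &amp;amp; 07777;	// permission bits only, file-type bits dropped&lt;br /&gt;
    $sStatus = sprintf(&amp;#039;[%s] is mode %o&amp;#039;,$fs,$nModeIs);&lt;br /&gt;
    if (($nModeIs &amp;amp; KI_FMODE_GROUP_READ) == 0) {&lt;br /&gt;
	$nModeDo = $nModeIs | KI_FMODE_GROUP_READ;	// add group-read, keep every other bit&lt;br /&gt;
	$sLine = $sStatus.sprintf(&amp;#039;, changing to mode %o&amp;#039;,$nModeDo);&lt;br /&gt;
	$oLog-&amp;gt;WriteLine($sLine);&lt;br /&gt;
	if (!chmod($fs,$nModeDo)) {&lt;br /&gt;
	    $oLog-&amp;gt;WriteLine(&amp;quot;[$fs] chmod failed&amp;quot;);&lt;br /&gt;
	}&lt;br /&gt;
    } else {&lt;br /&gt;
	$sStatus .= &amp;#039;, no change needed.&amp;#039;;&lt;br /&gt;
	echo $sStatus.&amp;quot;\n&amp;quot;;&lt;br /&gt;
    }&lt;br /&gt;
}&lt;br /&gt;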
&lt;br /&gt;
// -- MAIN -- //&lt;br /&gt;
&amp;lt;/syntaxhighlight&amp;gt;&lt;/div&gt;</summary>
		<author><name>Woozle</name></author>
	</entry>
</feed>