Difference between revisions of "Prosody IM/how to/SSL"
Latest revision as of 15:10, 4 February 2021
Prosody actually has a command for importing root-owned certificates, en masse. Works specifically with Let's Encrypt. To be documented. Woozle (talk) 15:10, 4 February 2021 (UTC)
Old
In order to get Prosody to use an existing SSL certificate whose files belong to another user ("hypertwins"), I had to do the following:
- edit (or create) the necessary config file under /etc/prosody/conf.avail and link to it from /etc/prosody/conf.d
  - Do NOT activate the SSL section in /etc/prosody/prosody.cfg.lua
- make sure there is a group for sharing SSL certs (on my system, there was already a "ssl-cert" group)
- add user "prosody" to this group
- for the certificate files and /home/hypertwins:
  - make sure each one is group-readable (chmod 750)
  - chown to hypertwins:ssl-cert (so the group is ssl-cert)
  - You may also need to add www-data to the ssl-cert group so that Apache will still be able to access the virtual domain whose user is "hypertwins".
  - There were permissions issues; I had to use chown -h on the links -- this may also have been unnecessary, even if you're using links
- restart prosody
  - note that "reload" is apparently insufficient
- If the IM client gives SSL errors:
  - check /var/log/prosody.err
  - check file access directly:
    - change user prosody's shell from /bin/false to /bin/bash
    - su prosody (as root)
    - attempt to access the files. If you can see the contents, then prosody can also.
2017-09-30
SSL stopped working again. Apparently the SSL files were renewed three days earlier (9/26) but not given the modified permissions, and it took 2-3 days for Prosody to notice. All I had to do was fix the ownership ("chown :ssl-cert ssl.*"), "service prosody restart", and then tell Pidgin to reconnect.
I should probably set up a script to do this automatically after the cert renewal.
2018-12-06
Script written a while ago, now finally working right (this time): /prosody-cert-fix.php
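As an added example (not the wiki's prosody-cert-fix.php, which is not reproduced here), this is a post-renewal shell script covering both the permissions list under "Old" and the 2017-09-30 fix: it re-applies group ownership and modes, checks read access as the prosody user with su -s instead of editing the account's login shell, and restarts rather than reloads prosody. CERT_DIR, the ssl.* file names and the service-management command are assumptions to adjust for the local setup.

```shell
#!/bin/sh
# Added example, not the wiki's prosody-cert-fix.php. Re-applies the
# group ownership/permissions from the how-to after a certificate renewal,
# verifies read access as the prosody user, and restarts (not reloads) prosody.
# CERT_DIR and the ssl.* file names are placeholders for the "hypertwins" setup.
CERT_DIR="${CERT_DIR:-/home/hypertwins}"
CERT_GROUP="${CERT_GROUP:-ssl-cert}"
SERVICE_USER="${SERVICE_USER:-prosody}"

# Return 0 when FILE is owned by group GROUP and has the group-read bit set.
# Uses GNU/busybox stat; "%a" gives the octal mode, e.g. 640 or 1640.
cert_readable_by_group() {
    file=$1; group=$2
    [ -e "$file" ] || return 1
    set -- $(stat -c '%G %a' "$file")
    [ "$1" = "$group" ] || return 1
    # bit 4 of the group triplet (octal 040) is group-read
    [ $(( (0$2 >> 3) & 4 )) -ne 0 ]
}

# Re-apply ownership: directory 750, files 640 (group-readable is enough for
# regular files). chown -h changes the symlinks themselves, as the how-to found
# necessary, instead of only their targets.
fix_cert_perms() {
    chown ":$CERT_GROUP" "$CERT_DIR" && chmod 750 "$CERT_DIR"
    for f in "$CERT_DIR"/ssl.*; do
        [ -e "$f" ] || continue
        chown -h ":$CERT_GROUP" "$f"
        [ -L "$f" ] || chmod 640 "$f"
    done
}

# Test access the way the how-to does (su to prosody), but with su -s so the
# account's login shell can stay /bin/false.
verify_as_service_user() {
    for f in "$CERT_DIR"/ssl.*; do
        su -s /bin/sh "$SERVICE_USER" -c "cat '$f' >/dev/null" || return 1
    done
}

main() {
    fix_cert_perms || { echo "could not fix permissions" >&2; exit 1; }
    verify_as_service_user || { echo "$SERVICE_USER still cannot read certs" >&2; exit 1; }
    service prosody restart   # reload was not enough per the 2017-09-30 note
}

# Only act when explicitly asked; run as root: ./prosody-cert-fix.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root after each renewal (for example from the renewal hook of the ACME client); without --apply it only defines the functions, so cert_readable_by_group can be used on its own to spot the 2017-09-30 situation before Prosody notices.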