Difference between revisions of "Prosody IM/how to/SSL"
(Created page with "In order to get Prosody to use an existing SSL certificate whose files belong to another user ("hypertwins"), I had to do the following: * edit (or create) the necessary confi...") |
(another caveat) |
Line 7: | Line 7: | ||
** make sure the each one is are group-readable ([[chmod]] 750) | ** make sure the each one is are group-readable ([[chmod]] 750) | ||
** chown to hypertwins:ssl-cert (so the group is ssl-cert) | ** chown to hypertwins:ssl-cert (so the group is ssl-cert) | ||
+ | ** You may also need to add www-data to the ssl-cert group so that Apache will still be able to access the virtual domain whose user is "hypertwins". | ||
* I also created links to the files and put the links in /etc/prosody/certs, but ultimately that may have been unnecessary | * I also created links to the files and put the links in /etc/prosody/certs, but ultimately that may have been unnecessary | ||
** There were permissions issues; I had to use chown -h on the links -- this may also have been unnecessary, even if you're using links | ** There were permissions issues; I had to use chown -h on the links -- this may also have been unnecessary, even if you're using links |
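Review bot: the added www-data bullet puts the web server account in the same group that owns the certificate files, so once those files are group-readable (as the two bullets above it require), Apache's user can read everything shared through ssl-cert, not just the virtual domain's directory. If the aim is only to keep the site reachable after /home/hypertwins is chowned to hypertwins:ssl-cert, the bullet should say so and state the wider read access it grants, or suggest giving the home directory a different group from the one used for the certificate files.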
Revision as of 21:44, 31 August 2017
In order to get Prosody to use an existing SSL certificate whose files belong to another user ("hypertwins"), I had to do the following:
- edit (or create) the necessary config file under /etc/prosody/conf.avail and link to it from /etc/prosody/conf.d
- Do NOT activate the SSL section in /etc/prosody/prosody.cfg.lua
- make sure there is a group for sharing SSL certs (on my system, there was already a "ssl-cert" group)
- add user "prosody" to this group
- for certificate files and /home/hypertwins:
  - make sure each one is group-readable (chmod 750)
  - chown to hypertwins:ssl-cert (so the group is ssl-cert)
  - You may also need to add www-data to the ssl-cert group so that Apache will still be able to access the virtual domain whose user is "hypertwins".
- I also created links to the files and put the links in /etc/prosody/certs, but ultimately that may have been unnecessary
  - There were permissions issues; I had to use chown -h on the links -- this may also have been unnecessary, even if you're using links
- restart prosody ("service prosody restart")
- If IM client gives SSL errors
  - check /var/log/prosody.err
  - check file access directly:
    - change user prosody's shell from /bin/false to /bin/bash
    - su prosody (as root)
    - attempt to access the files. If you can see the contents, then prosody can also.
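
A complementary check that does not require changing prosody's shell, as an added example (not part of the original page): it walks from a certificate file up through its parent directories and reports every component whose mode bits would stop a member of the sharing group. The function names and the optional TOP argument are made up for this sketch; it assumes GNU stat, ignores ACLs, and assumes the service user is neither the owner nor in any other group that owns a component.

```shell
#!/bin/sh
# Added example; judges access from the classic mode bits only.

# group_can PATH GROUP PERM: succeed if a non-owner member of GROUP
# gets PERM (r or x) on PATH. stat -L follows symlinks, so a link in
# /etc/prosody/certs is judged by the file it points to.
group_can() {
    gc_mode=$(stat -L -c '%a' -- "$1") || return 2
    gc_group=$(stat -L -c '%G' -- "$1") || return 2
    case $3 in r) gc_mask=4 ;; x) gc_mask=1 ;; *) return 2 ;; esac
    if [ "$gc_group" = "$2" ]; then
        gc_digit=$(( ($gc_mode / 10) % 10 ))   # group class applies
    else
        gc_digit=$(( $gc_mode % 10 ))          # falls through to "other"
    fi
    [ $(( $gc_digit & $gc_mask )) -ne 0 ]
}

# check_cert_path GROUP FILE [TOP]: print each component that blocks GROUP,
# walking from FILE's directory up to TOP (default /). FILE must be an
# absolute path. Returns 0 if nothing blocks, 1 otherwise.
check_cert_path() {
    ccp_rc=0
    ccp_top=${3:-/}
    group_can "$2" "$1" r || { echo "no group read: $2"; ccp_rc=1; }
    ccp_dir=$(dirname -- "$2")
    while :; do
        group_can "$ccp_dir" "$1" x || { echo "no traverse: $ccp_dir"; ccp_rc=1; }
        case $ccp_dir in "$ccp_top"|/|.) break ;; esac
        ccp_dir=$(dirname -- "$ccp_dir")
    done
    return $ccp_rc
}

# Usage (placeholder file name, not from the page):
#   check_cert_path ssl-cert /home/hypertwins/PATH/TO/cert-file.pem
```

A directory needs the group execute bit to be traversed, while a regular file only needs group read, which is why the two are checked separately.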