Difference between revisions of "Prosody IM/how to/SSL"

Revision as of 12:34, 6 December 2018

In order to get Prosody to use an existing SSL certificate whose files belong to another user ("hypertwins"), I had to do the following:

edit (or create) the necessary config file under /etc/prosody/conf.avail and link to it from /etc/prosody/conf.d
- Do NOT activate the SSL section in /etc/prosody/prosody.cfg.lua
make sure there is a group for sharing SSL certs (on my system, there was already a "ssl-cert" group)
add user "prosody" to this group
for certificate files and /home/hypertwins:
- make sure the each one is are group-readable (chmod 750)
- chown to hypertwins:ssl-cert (so the group is ssl-cert)
- You may also need to add www-data to the ssl-cert group so that Apache will still be able to access the virtual domain whose user is "hypertwins".
- There were permissions issues; I had to use chown -h on the links -- this may also have been unnecessary, even if you're using links
restart prosody ("service prosody restart") ]
- note that "reload" is apparently insufficient
If IM client gives SSL errors
- check /var/log/prosody.err
- check file access directly:
  - change user prosody's shell from /bin/false to /bin/bash
  - su prosody (as root)
  - attempt to access the files. If you can see the contents, then prosody can also.

2017-09-30

SSL stopped working again. Apparently the SSL files were renewed three days earlier (9/26) but not given the modified permissions, and it took 2-3 days for Prosody to notice. All I had to do was fix the ownershop ("chown :ssl-cert ssl.*"), "service prosody restart", and then tell Pidgin to reconnect.

I should probably set up a script to do this automatically after the cert renewal.

2018-12-06

Script written awhile ago, now finally working right (this time): /prosody-cert-fix.php

@@ Line 1: / Line 1: @@
 In order to get Prosody to use an existing SSL certificate whose files belong to another user ("hypertwins"), I had to do the following:
-* edit (or create) the necessary config file under /etc/prosody/conf.avail and link to it from /etc/prosody/conf.d
+* edit (or create) the necessary config file under <code>/etc/prosody/conf.avail</code> and link to it from <code>/etc/prosody/conf.d</code>
 ** Do NOT activate the SSL section in /etc/prosody/prosody.cfg.lua
 * make sure there is a group for sharing SSL certs (on my system, there was already a "ssl-cert" group)
 * add user "prosody" to this group
-* for certificate files and /home/hypertwins:
+* for certificate files and <code>/home/hypertwins:</code>
 ** make sure the each one is are group-readable ([[chmod]] 750)
 ** chown to hypertwins:ssl-cert (so the group is ssl-cert)
@@ Line 12: / Line 12: @@
 ** note that "reload" is apparently insufficient
 * If IM client gives SSL errors
-** check /var/log/prosody.err
+** check <code>/var/log/prosody.err</code>
 ** check file access directly:
-*** change user prosody's shell from /bin/false to /bin/bash
+*** change user prosody's shell from <code>/bin/false</code> to <code>/bin/bash</code>
 *** su prosody (as root)
 *** attempt to access the files. If you can see the contents, then prosody can also.
@@ Line 21: / Line 21: @@
 I should probably set up a script to do this automatically after the cert renewal.
+==2018-12-06==
+Script written awhile ago, now finally working right (this time): [[/prosody-cert-fix.php]]

Difference between revisions of "Prosody IM/how to/SSL"

Revision as of 12:34, 6 December 2018

2017-09-30

2018-12-06

Navigation menu

Search