Prosody IM/how to/SSL

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
Revision as of 21:18, 31 August 2017 by Woozle

In order to get Prosody to use an existing SSL certificate whose files belong to another user ("hypertwins"), I had to do the following:

  • edit (or create) the necessary config file under /etc/prosody/conf.avail and link to it from /etc/prosody/conf.d
    • Do NOT activate the SSL section in /etc/prosody/prosody.cfg.lua
  • make sure there is a group for sharing SSL certs (on my system, there was already a "ssl-cert" group)
  • add user "prosody" to this group
  • for certificate files and /home/hypertwins:
    • make sure each one is group-readable (chmod 750)
    • chown to hypertwins:ssl-cert (so the group is ssl-cert)
  • I also created links to the files and put the links in /etc/prosody/certs, but ultimately that may have been unnecessary
    • There were permissions issues; I had to use chown -h on the links -- this may also have been unnecessary, even if you're using links
  • restart prosody ("service prosody restart")
  • If the IM client gives SSL errors:
    • check /var/log/prosody.err
    • check file access directly:
      • change user prosody's shell from /bin/false to /bin/bash
      • su prosody (as root)
      • attempt to access the files. If you can see the contents, then prosody can also.
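
A complementary check for the permission steps above, as an added example that is not part of the original page: the function walks from a certificate file up through its parent directories and reports the first component whose mode bits would stop a member of the sharing group. The function name and its TOP argument are hypothetical; it assumes GNU stat and readlink, that the account owns none of the components, that only the one named group matters, and it ignores ACLs.

```shell
#!/bin/sh
# Added example (not from the original page). Assumptions: GNU stat and
# readlink; the account owns none of the path components; only the one
# named group is considered; ACLs are ignored.

# cert_path_check GROUP FILE [TOP]
# Walks from FILE up to TOP (default /). Prints "ok" and returns 0 when a
# member of GROUP can read FILE and traverse every directory above it;
# otherwise prints the first blocking component and returns 1.
cert_path_check() {
    want=$1
    path=$(readlink -f -- "$2") || return 2      # resolve symlinks first
    top=$(readlink -f -- "${3:-/}") || return 2
    need=4                                       # r bit for the file itself
    while :; do
        info=$(stat -c '%a %U %G' -- "$path") || return 2
        mode=${info%% *}
        rest=${info#* }
        owner=${rest%% *}
        grp=${rest#* }
        perm=$((0$mode))                         # mode string is octal
        if [ "$grp" = "$want" ]; then
            bits=$(( (perm >> 3) & 7 ))          # group triplet applies
        else
            bits=$(( perm & 7 ))                 # falls through to "other"
        fi
        if [ $(( bits & need )) -eq 0 ]; then
            echo "blocked: $path ($mode $owner:$grp)"
            return 1
        fi
        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname -- "$path")
        need=1                                   # x bit for each parent directory
    done
    echo "ok"
}

# Stand-alone use: sh thisfile GROUP FILE [TOP]
if [ "$#" -ge 2 ]; then
    cert_path_check "$@"
fi
```

With the names used on this page, the call would be `cert_path_check ssl-cert /home/hypertwins/<certificate file>`, where the file name is a placeholder.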