Prosody IM/how to/SSL
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
In order to get Prosody to use an existing SSL certificate whose files belong to another user ("hypertwins"), I had to do the following:
- edit (or create) the necessary config file under
/etc/prosody/conf.availand link to it from/etc/prosody/conf.d- Do NOT activate the SSL section in /etc/prosody/prosody.cfg.lua
- make sure there is a group for sharing SSL certs (on my system, there was already a "ssl-cert" group)
- add user "prosody" to this group
- for certificate files and
/home/hypertwins:- make sure the each one is are group-readable (chmod 750)
- chown to hypertwins:ssl-cert (so the group is ssl-cert)
- You may also need to add www-data to the ssl-cert group so that Apache will still be able to access the virtual domain whose user is "hypertwins".
- There were permissions issues; I had to use chown -h on the links -- this may also have been unnecessary, even if you're using links
- restart prosody ("service prosody restart") ]
- note that "reload" is apparently insufficient
- If IM client gives SSL errors
- check
/var/log/prosody.err - check file access directly:
- change user prosody's shell from
/bin/falseto/bin/bash - su prosody (as root)
- attempt to access the files. If you can see the contents, then prosody can also.
- change user prosody's shell from
- check
2017-09-30
SSL stopped working again. Apparently the SSL files were renewed three days earlier (9/26) but not given the modified permissions, and it took 2-3 days for Prosody to notice. All I had to do was fix the ownershop ("chown :ssl-cert ssl.*"), "service prosody restart", and then tell Pidgin to reconnect.
I should probably set up a script to do this automatically after the cert renewal.
2018-12-06
Script written awhile ago, now finally working right (this time): /prosody-cert-fix.php