-
Seems odd that the #Prosody #XMPP server is the only software I've seen that requires me to change perms on #LetsEncrypt #certs before it can read them. #LEcrypt
-
Yeah, I think it has to do with when it tries to read the cert at startup. nginx, postfix, etc. seem to read the files before switching users, but prosody seems to switch user first. I think I set up an ACL or group memberships or something to allow prosody's account to read the files. I'll check when I get home and let you know.
-
@lnxw48a1 On an Ubuntu box I had to manage, the prosody user is a member of the ssl-certs group and it seems to work as is. I should investigate how to mimic such behavior on my Debian systems.
-
@nds Yes it's user related. http://prosody.im/doc/certificates
-
This is for CentOS 7, but should work anywhere. I made a group called tls-cert and added the prosody user to it. I then did this for the letsencrypt folder containing the certs:
chown :tls-cert -R /etc/letsencrypt/
chmod -R g+s /etc/letsencrypt/
Then the prosody user can read the certs, but not everyone.
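The group-based approach the thread converges on (a dedicated group that the prosody account belongs to, with the certificate tree owned by that group), written out as an added example rather than any poster's own commands. It assumes the group name tls-cert, a certbot-style layout with archive/ holding the real files and live/ holding symlinks, and GNU or BSD coreutils; the demo tree is constructed in a temp directory so the functions can be exercised without root. On a real host you would run `groupadd tls-cert && usermod -aG tls-cert prosody` and then `grant_group_read /etc/letsencrypt tls-cert` as root.

```shell
#!/bin/sh
# Added example, not from the thread. Grants one service group read access to a
# Let's Encrypt tree while keeping private keys unreadable by "other".

# grant_group_read DIR GROUP
#   - hands the whole tree to GROUP
#   - setgid only on directories, so files written later (renewals) inherit GROUP
#   - directories: owner rwx, group rx, others nothing (2750)
#   - files: private keys 640, everything else 644
grant_group_read() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2750 {} +
    find "$dir" -type f -exec chmod 0644 {} +
    find "$dir" -type f -name 'privkey*.pem' -exec chmod 0640 {} +
}

# mode_of FILE -> symbolic mode string such as drwxr-s--- (first 10 columns of ls -ld)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of FILE -> group name shown by ls -ld
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# make_demo_tree -> prints the path of a constructed tree that mimics
# /etc/letsencrypt as certbot lays it out (dummy contents, not real keys)
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/example.test" "$root/live/example.test"
    for f in cert1 chain1 fullchain1 privkey1; do
        printf 'dummy %s\n' "$f" > "$root/archive/example.test/$f.pem"
    done
    # certbot's live/ entries are symlinks into archive/
    ln -s ../../archive/example.test/privkey1.pem "$root/live/example.test/privkey.pem"
    # certbot defaults: 700 on the directories, 600 on the private key
    chmod 700 "$root/archive" "$root/live"
    chmod 600 "$root/archive/example.test/privkey1.pem"
    printf '%s\n' "$root"
}

# Usage on a real host (as root, after creating the group and adding prosody to it):
#   grant_group_read /etc/letsencrypt tls-cert
# Then confirm the service account can read what it needs and nothing more:
#   sudo -u prosody cat /etc/letsencrypt/live/<domain>/privkey.pem >/dev/null
```

The difference from a plain `chmod -R g+s` is that the setgid bit is applied only to directories, where it makes newly written renewal files inherit the group; on a regular file it does nothing for reading. Private keys stay at 640 so that group members can read them but "other" still cannot, and the `sudo -u prosody cat` check confirms the change took effect for the account that actually opens the files after Prosody drops privileges.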