Error message Failed to load 'CA locations' - Can't find why


Autopot France

Apr 28, 2018, 4:29:00 PM
to Prosody IM Users
Hello,

# prosodyctl check

Shows me this message
certmanager         error      SSL/TLS: Failed to load 'CA locations': Check that the permissions allow Prosody to read this file. (for client_https port 0)
...
certmanager         error      SSL/TLS: Failed to load 'CA locations': Check that the permissions allow Prosody to read this file. (for mydomain.org)

I'm pretty sure my permissions are correct.
r-------- prosody prosody for the .key and .crt
r-x------ for the cert directory

Files are specified in the ssl stanza for the virtual host

The certificate is signed by Let's Encrypt

Do you know where I should investigate?

Thank you

Kim Alvefur

Apr 29, 2018, 10:14:04 AM
to prosod...@googlegroups.com
Hi,

On Sat, Apr 28, 2018 at 12:05:44PM -0700, Autopot France wrote:
> # prosodyctl check
>
> Shows me this message
> certmanager error SSL/TLS: Failed to load 'CA locations':
> Check that the permissions allow Prosody to read this file. (for
> client_https port 0)

This is actually for the HTTP *client* in Prosody, nothing to do with
your certificates.

Not sure what exactly it means by 'CA locations' but it likely refers to
certificate authority root certificates, which are needed to verify
HTTPS requests. By default, Prosody looks for these in `/etc/ssl/certs`.

On Debian & friends, you would need to install the ca-certificates
package to get them.

If your distro has them elsewhere then you should report to the packager
that Prosody may need this path patched.

If you know where the root certificates are stored then you can specify
like this:

-- global section
ssl = {
    -- for a directory full of certs and symlinks
    capath = "/etc/ssl/certs";

    -- OR if you have a single ca bundle:
    cafile = "/etc/ssl/ca-bundle.crt";
}

--
Zash

Autopot France

Aug 9, 2018, 5:55:41 PM
to Prosody IM Users
Hello,
I finally got it working.
Permission on the path was not allowing group other and prosody couldn't read the CA certificate.
It took me 5 minutes to find the problem today, but I spent 2 or 3 hours in April. Grrr
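Added example, not part of the thread and not Prosody's own code: a check for the cause reported in the last message, walking every directory from `/` down to the CA path and returning the first component whose mode bits deny the service user. The names `first_blocked` and `class_bits` and the `base` parameter are invented for this example; it assumes the service account is called `prosody` and looks at classic mode bits only.

```python
import os
import stat
from pathlib import Path

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to this uid/gid set: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocked(target, uid, gids, base="/"):
    """Walk base -> target; return (path, octal_mode, missing) for the first
    component whose mode bits deny access, or None if the whole chain is open.
    Mode bits only: ACLs, root's override and SELinux/AppArmor are ignored."""
    target = Path(os.path.realpath(target))
    base = Path(os.path.realpath(base))
    chain = [p for p in [*reversed(target.parents), target]
             if p == base or base in p.parents]
    for p in chain:
        st = os.stat(p)
        if not stat.S_ISDIR(st.st_mode):
            need, what = 4, "read"            # cafile: must be readable
        elif p == target:
            need, what = 5, "read+search"     # capath: list it and open entries
        else:
            need, what = 1, "search"          # parent directory: traverse only
        if class_bits(st, uid, gids) & need != need:
            return str(p), format(stat.S_IMODE(st.st_mode), "04o"), what
    return None

if __name__ == "__main__":
    import grp
    import pwd
    user = pwd.getpwnam("prosody")            # assumed service account name
    gids = {user.pw_gid} | {g.gr_gid for g in grp.getgrall()
                            if user.pw_name in g.gr_mem}
    hit = first_blocked("/etc/ssl/certs", user.pw_uid, gids)
    if hit:
        print("blocked at %s (mode %s, missing %s)" % hit)
    else:
        print("mode bits allow access along the whole path")
```

Because the walk covers parent directories too, it catches the case where the certificate files themselves look fine but a directory above them lacks the search bit for the service user.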