prosody and letsencrypt certificates on a raspberry pi 3 with raspbian


lucas

Nov 27, 2017, 7:22:43 AM
to Prosody IM Users
Hello,

I am a new user of Prosody and English isn't my main language, so my apologies in advance if I'm saying newbie or not understandable things…

With a self-signed key and certificate, Prosody and XMPP work fine on my GNU/Linux Debian 9 laptop and on Android with Xabber.
But I am willing to use Let's Encrypt to avoid the risk of being blocked or other difficulties (e.g. on iOS file transfer won't work due to an SSL issue, while it works perfectly well with Xabber on Android…).

I am running Prosody on a Raspberry Pi 3 with Raspbian Stretch (I am familiar with Debian).
Prosody's version is 9.12-2

#apt-cache policy prosody
prosody:
  Installé : 0.9.12-2

I installed and launched the certbot script on my server ( #certbot --apache ) and it worked fine; my certificate is OK with Firefox.

I changed the key in my config file /etc/prosody/prosody.cfg.lua
and wrote the next two lines everywhere it is about SSL:

/etc/letsencrypt/live/mywebsite/privkey.pem
/etc/letsencrypt/live/mywebsite/cert.pem

When I reboot Prosody I have an error in my log:

Nov 27 11:16:45 localhost:tls   error   Unable to initialize TLS: error loading private key (Permission denied)
Nov 27 11:16:45 certmanager     error   SSL/TLS: Failed to load '/etc/letsencrypt/live/etboum.fr/privkey.pem': Check that the permissions allow Prosody to read this file. (for localhost)

I understand that Prosody is not allowed to read the private key because Prosody is running as a non-root user and therefore doesn't have permission to use the key.

I saw on a forum that the solution would be to include Prosody in a group that owns the keys; this way Prosody would still be non-root but could use the key.
(https://community.letsencrypt.org/t/how-to-use-certs-in-non-root-services/2690)

My problem is that I don't know how to do that in practice, and the official tutorial commands are not working on my server (https://prosody.im/doc/certificates),
in the permissions section:
pi@raspberrypi:~ $ sudo chmod 600 /etc/letsencrypt/live/etboum.fr/privkey.pem
pi@raspberrypi:~ $ sudo chown prosody:prosody /etc/letsencrypt/live/etboum.fr/privkey.pem
pi@raspberrypi:~ $ sudo -u prosody cat /etc/letsencrypt/live/etboum.fr/privkey.pem
cat: /etc/letsencrypt/live/etboum.fr/privkey.pem: Permission non accordée

I think that my problem is not a complicated one, but I spent a lot of time trying and I failed to fix it.
I really tried to do what those forums said, but I'm afraid my technical skills are too low to fix it.
I need the precise and exact commands to succeed……

So if someone here knows how to do that, do not hesitate to answer.

Have a nice day,
Lucas

PS: French is fine too :)

Салют-7

Nov 27, 2017, 7:48:29 AM
to prosod...@googlegroups.com
Hi Lucas,

based on https://github.com/lunarthegrey/letsencrypt-to-prosody you can
add a script for this. When I used Prosody (but switched to
Matrix/Riot.im meanwhile) I did it this way:

```
mkdir -p /root/scripts/
cd /root/scripts/
wget https://github.com/lunarthegrey/letsencrypt-to-prosody/archive/master.zip
unzip master.zip
mv letsencrypt-to-prosody-master letsencrypt-to-prosody
mv master.zip letsencrypt-to-prosody
```

In `/root/scripts/letsencrypt-to-prosody/letsencrypt-to-prosody.sh` set:

```
letsencrypt="/etc/letsencrypt/live/example.com/"
certs="/etc/prosody/certs/"
prosody="/etc/prosody/"
```

to:

```
letsencrypt="/etc/letsencrypt/live/example.com/"
certs="/etc/prosody/certs/"
prosody="/etc/prosody/"
```

Make the script executable and add it as a daily cron job:

```
chmod +x /root/scripts/letsencrypt-to-prosody/letsencrypt-to-prosody.sh
cp /root/scripts/letsencrypt-to-prosody/letsencrypt-to-prosody.sh /etc/cron.daily
service cron restart
```

Test the script manually:

```
/etc/cron.daily/letsencrypt-to-prosody.sh
```

`/etc/prosody/certs` should list:

```
drwx------ 2 prosody prosody 4096 Feb 12 16:36 .
drwxr-xr-x 5 prosody prosody 4096 Feb 12 16:06 ..
-rwx------ 1 prosody prosody 1793 Feb 12 16:36 cert.pem
-rwx------ 1 prosody prosody 1647 Feb 12 16:36 chain.pem
-rwx------ 1 prosody prosody 3440 Feb 12 16:36 fullchain.pem
-rwx------ 1 prosody prosody 1298 Jan 13 03:51 localhost.crt
-rwx------ 1 prosody prosody 1704 Jan 13 03:51 localhost.key
-rwx------ 1 prosody prosody 1704 Feb 12 16:36 privkey.pem
```

(These are the certificate files of `/etc/letsencrypt/live/example.com/`.)

Restart with `service prosody restart`.

Best regards
sj7

lucas

Nov 27, 2017, 9:49:38 AM
to Prosody IM Users
Ok, with a few adjustments, it seems to be all good!!

Thank you very much!
Best regards,
Cheers,

Lucas

PS: I don't know how to mark this forum issue «solved», so if a handy admin sees this message…

lucas

Nov 27, 2017, 9:49:38 AM
to Prosody IM Users
Thanks for the quick answer, I'm trying your solution asap.

Thanks again!


On Monday, 27 November 2017 13:48:29 UTC+1, Салют-7 wrote:

vladislav kurz

Nov 28, 2017, 5:38:26 AM
to prosod...@googlegroups.com
Just a few hints. A group-readable file has permissions 640. Also you have to check the permissions on the letsencrypt directory.

Салют-7

Dec 1, 2017, 7:30:46 PM
to prosod...@googlegroups.com
Really? I just checked and I have working results following the tutorial
in the same way I provided it to you. Without any chmods.

On 11/27/2017 07:48 PM, vladislav kurz wrote:
> Just a few hints. Group readable file has permissions 640. Also you have
> to check permissions on the letsencrypt directory. 