Problems linking to Lets Encrypt certificates


Салют-7

Oct 24, 2016, 9:01:01 AM
to prosod...@googlegroups.com
Hello all,

at first: thanks for this fantastic XMPP server software!

I'm using Let's Encrypt certificates and wanted to point to the pem files:

ssl = {
    key = "/etc/letsencrypt/live/myserver.ddns.net/privkey.pem";
    certificate = "/etc/letsencrypt/live/myserver.ddns.net/fullchain.pem";
}

I've created a group "le-certs", did "chown -R root:le-certs
/etc/letsencrypt/" and did "chmod 440" for fullchain1.pem and
privkey1.pem in "/etc/letsencrypt/archive/myserver.ddns.net".

Unfortunately I always get service status errors this way:

Oct 16 02:22:43 myserver prosody[2691]: Starting Prosody XMPP Server: prosody.
Oct 16 02:22:43 myserver systemd[1]: Started LSB: Prosody XMPP Server.
Oct 16 02:22:43 myserver prosody[2701]: certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/myserver.ddns.net/privkey.pem': Pre...dns.net)
Oct 16 02:22:43 myserver prosody[2701]: conference.myserver.ddns.net:tls: Unable to initialize TLS: error loading private key (system lib)
Oct 16 02:22:43 myserver prosody[2701]: certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/myserver.ddns.net/privkey.pem': Pre...dns.net)
Oct 16 02:22:43 myserver prosody[2701]: conference.myserver.ddns.net:tls: Unable to initialize TLS: error loading private key (system lib)
Oct 16 02:22:43 myserver prosody[2701]: certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/myserver.ddns.net/privkey.pem': Che...dns.net)
Oct 16 02:22:43 myserver prosody[2701]: myserver.ddns.net:tls: Unable to initialize TLS: error loading private key (Permission denied)
Oct 16 02:22:43 myserver prosody[2701]: certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/myserver.ddns.net/privkey.pem': Pre...dns.net)
Oct 16 02:22:43 myserver prosody[2701]: myserver.ddns.net:tls: Unable to initialize TLS: error loading private key (system lib)

If I copy the Let's Encrypt scripts to /etc/prosody/certs/ everything
works fine.

Does
https://groups.google.com/forum/?hl=en#!topic/prosody-users/TmMW2Er9U7Q
mean that I have to update the certificates manually every three months?

Thanks a lot
sj7

Stanislav N. aka pztrn

Oct 24, 2016, 9:16:10 PM
to prosod...@googlegroups.com
On 24 October 2016 at 18:00, "Салют-7" <sal...@posteo.net> wrote:

> I've created a group "le-certs", did "chown -R root:le-certs
> /etc/letsencrypt/" and did "chmod 440" for fullchain1.pem and
> privkey1.pem in "/etc/letsencrypt/archive/myserver.ddns.net".

It's all about chmod. With the chown and chmod commands you provided, you blocked Prosody's access to these certificates (assuming Prosody runs as prosody:prosody). So check your installation, determine which user Prosody is running as, and add that user to the le-certs group.

--
With best regards,
Stanislav N. aka pztrn
Key ID: 083FD824
Jabber: pz...@pztrn.name
E-Mail: pz...@pztrn.name
Blog: http://pztrn.name && http://en.pztrn.name
Telegram: @pztrn

Салют-7

Oct 27, 2016, 7:30:39 PM
to prosod...@googlegroups.com
Hi pztrn

thanks a lot for your answer. Sorry, I forgot to say that I added
prosody system user to my group "le-certs", of course!

# getent group le-certs
le-certs:x:1006:prosody

Anyway I get the error:

Oct 16 02:22:43 myserver prosody[2701]: certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/myserver.ddns.net/privkey.pem': Che...dns.net)
Oct 16 02:22:43 myserver prosody[2701]: myserver.ddns.net:tls: Unable to initialize TLS: error loading private key (Permission denied)
Oct 16 02:22:43 myserver prosody[2701]: certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/myserver.ddns.net/privkey.pem': Pre...dns.net)
Oct 16 02:22:43 myserver prosody[2701]: myserver.ddns.net:tls: Unable to initialize TLS: error loading private key (system lib)

Any other ideas?
sj7

Салют-7

Feb 12, 2017, 7:51:58 AM
to prosod...@googlegroups.com
I noticed that Let's Encrypt creates the private key with the following
permissions:

-rw-r--r-- 1 root root 1704 Dec 17 12:00 privkey2.pem

So it makes no sense to create another group that user "prosody"
belongs to in order to prevent others from accessing the private key.

I "chowned" the whole directory "/etc/letsencrypt" back to "root:root"
and got Prosody running with Let's Encrypt, but only if I "chmod 755"
these directories:

/etc/letsencrypt/archive/example.com/privkey1.pem
/etc/letsencrypt/archive/example.com/fullchain1.pem
/etc/letsencrypt/live/example.com/

Maybe this is totally okay and not a security problem, but I always
thought that read rights for "others" on SSL keys were never a good idea?


Kim Alvefur

Feb 12, 2017, 8:11:12 AM
to prosod...@googlegroups.com
It is not a good idea.

root-only permissions work for servers that start as root and drop
permissions after, like most web servers do to be able to bind low ports
like 80 and 443.

Prosody however doesn't need those low ports or anything else running as
root gives, so it drops root before even starting[^1].

Currently the recommendation is to set up a script that copies the
certificate and key to a different location where prosody-friendly
permissions can be given.

[^1]: it's actually prosodyctl or the init script that drops root

--
Zash
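The copy-to-a-prosody-friendly-location approach recommended above, written out as a certbot deploy hook. This is an added example for this thread, not certbot's or Prosody's own code. It assumes Prosody runs as user and group "prosody" and reads its certificate and key from /etc/prosody/certs, that certbot calls the script with --deploy-hook (which exports RENEWED_LINEAGE pointing at the live directory of the renewed certificate), and that "prosodyctl reload" is enough for the running server to pick up the new files. The target directory and the group name are assumptions; adjust them for your installation. It also includes a check that the installed key is not world-readable, which is the state the earlier "chmod 755" on privkey1.pem had produced.

```shell
#!/bin/sh
# Added example for the prosody-users thread; not certbot's or Prosody's
# own code. certbot deploy hook: copy the renewed certificate and key into
# a directory the prosody user can read, so /etc/letsencrypt keeps its
# root-only directory permissions and the key is never world-readable.
#
# Assumptions (hypothetical, adjust for your system):
#   - Prosody runs as user/group "prosody" and reads
#     /etc/prosody/certs/fullchain.pem and /etc/prosody/certs/privkey.pem
#   - certbot invokes this via --deploy-hook and exports
#     RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>
#   - "prosodyctl reload" makes the running server load the new files
set -eu

# copy_certs SRC_DIR DST_DIR [GROUP]
# Installs fullchain.pem as 0644 and privkey.pem as 0640 into DST_DIR.
# With GROUP given and running as root, the directory (0750) and both files
# become root:GROUP; otherwise only the modes are set, so the function can
# also be exercised as an unprivileged user.
copy_certs() {
    src="$1"; dst="$2"; grp="${3:-}"
    if [ ! -r "$src/privkey.pem" ] || [ ! -r "$src/fullchain.pem" ]; then
        echo "copy_certs: privkey.pem or fullchain.pem missing in $src" >&2
        return 1
    fi
    mkdir -p "$dst"
    chmod 0750 "$dst"
    if [ -n "$grp" ] && [ "$(id -u)" -eq 0 ]; then
        chown "root:$grp" "$dst"
        install -o root -g "$grp" -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem"
        install -o root -g "$grp" -m 0640 "$src/privkey.pem"   "$dst/privkey.pem"
    else
        install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem"
        install -m 0640 "$src/privkey.pem"   "$dst/privkey.pem"
    fi
}

# file_mode FILE: print the octal permission bits, e.g. 640
# (GNU/busybox stat first, BSD stat as fallback).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# key_is_private FILE: succeed only if "others" have no read bit.
# The last octal digit is the "others" triplet; 0-3 have no read bit set.
key_is_private() {
    case "$(file_mode "$1")" in
        *[0-3]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Deploy-hook entry point. Runs only when certbot has set RENEWED_LINEAGE,
# so sourcing this file just to use the functions above does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_certs "$RENEWED_LINEAGE" /etc/prosody/certs prosody
    key_is_private /etc/prosody/certs/privkey.pem
    prosodyctl reload
fi
```

With the files in place, the Prosody config points at the copies rather than at /etc/letsencrypt, e.g. ssl = { key = "/etc/prosody/certs/privkey.pem"; certificate = "/etc/prosody/certs/fullchain.pem"; }. Registering the script with certbot --deploy-hook means it runs on every successful renewal, so the three-monthly update happens without manual intervention.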

Салют-7

Feb 12, 2017, 8:41:36 AM
to prosod...@googlegroups.com
Thank you for this detailed explanation. But this doesn't explain why
Let's Encrypt creates the private key this way automatically:

-rw-r--r-- 1 root root 1704 Dec 17 12:00 privkey2.pem

Anyone here using Let's Encrypt who could tell me the original access
rights listed under "/etc/letsencrypt/archive/example.com"? I just
want to confirm whether this is maybe my fault.


Салют-7

Feb 12, 2017, 9:04:20 AM
to prosod...@googlegroups.com
Found the problem:
https://github.com/certbot/certbot/issues/1473#issuecomment-271118876

-> keys are world readable but not the main directory. This may be
confusing.

Better solution would be if the LE keys would be automatically owned by
a group where you can add user "prosody" ("ssl-cert" for example:
https://github.com/certbot/certbot/issues/1473#issuecomment-172543522 ).

So I have to chmod everything to the original state and try
https://github.com/lunarthegrey/letsencrypt-to-prosody .
