Bug 1009272 - prosody certificate files owned by root not prosody, and not owned by the RPM package
Alias: None
Product: Fedora
Classification: Fedora
Component: prosody
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matěj Cepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2013-09-18 06:10 UTC by Adam Williamson
Modified: 2018-04-11 12:05 UTC (History)

Fixed In Version: prosody-0.8.2-10.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-10-02 06:52:25 UTC
Type: Bug


Description Adam Williamson 2013-09-18 06:10:43 UTC
I installed prosody today. Mostly works fine, but I noticed tls wasn't working, and found an error in journalctl:

Sep 17 22:26:34 ircproxy.localdomain prosody[4799]: SSL/TLS: Failed to load /etc/pki/tls/private/prosody.key: Check that the permissions allow Prosody to read this file.
Sep 17 22:26:34 ircproxy.localdomain prosody[4799]: SSL/TLS: Failed to load /etc/pki/tls/private/prosody.key: Previous error (see logs), or other system error.

I looked, and found that prosody.key and prosody.crt are both owned by root with 0600 permissions, so the prosody service - running as user prosody - can't read them. Seems odd that no-one else has noticed this, but there you go.

It looks like the spec tries to change prosody.key to root.prosody and 0640, and prosody.crt to 0644, but that doesn't seem to have worked when it was installed on my system, though I don't recall seeing any errors when the package was installed. I just did a simple 'yum install prosody'.

Also, the files are not owned by the RPM package; not sure if that's intentional.

(Oh, and the key is only 1024 bit; I thought current best practice was at least 2048).
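A shell check for the layout the spec is described as intending (key root:prosody 0640, cert 0644), added here as an example; it is not part of the bug report or the prosody package, it assumes GNU stat, and the certificate path in the usage comment is an assumption since the report only names the key path:

```shell
# check_tls_perms KEY CERT OWNER GROUP
# Verifies that KEY is owned by OWNER:GROUP with mode 0640 (group-readable so
# the service account can load it, unreadable by others) and that CERT is
# mode 0644. Prints each deviation; returns 0 when everything matches,
# 1 on a deviation, 2 when a file is missing. Requires GNU stat (Linux).
check_tls_perms() {
  key=$1; cert=$2; owner=$3; group=$4; rc=0
  for f in "$key" "$cert"; do
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
  done
  key_mode=$(stat -c '%a' "$key")
  key_own=$(stat -c '%U:%G' "$key")
  cert_mode=$(stat -c '%a' "$cert")

  if [ "$key_own" != "$owner:$group" ]; then
    echo "$key: owned by $key_own, expected $owner:$group"; rc=1
  fi
  case $key_mode in
    640)    ;;   # what the spec intends
    *[1-7]) echo "$key: mode $key_mode lets other users read the private key"; rc=1 ;;
    *)      echo "$key: mode $key_mode, expected 640"; rc=1 ;;
  esac
  # Mode 600, the state reported in this bug, lands in the last branch:
  # nobody but root can read the key, so the service cannot start TLS.
  [ "$cert_mode" = 644 ] || { echo "$cert: mode $cert_mode, expected 644"; rc=1; }
  return $rc
}

# On a real host run this as root (the private directory is not traversable
# by other users). The key path is the one from the log above; the cert path
# is assumed:
#   check_tls_perms /etc/pki/tls/private/prosody.key /etc/pki/tls/certs/prosody.crt root prosody
```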

Comment 1 Matěj Cepl 2013-09-18 12:07:03 UTC
a) This is certainly a bug and I will take a look at it.
b) We in the XMPP world are in a little bit different league than your normal website owners. We don't use self-signed certificates that much (because most server-to-server XMPP communication has been encrypted for years), so we usually use real certificates from real established CAs. And if the money is an issue, then for example StartSSL (https://www.startssl.com/) provides XMPP certificate for one server and year for free. That could be the explanation why nobody noticed this bug so far.

Comment 2 Robert Scheck 2013-09-18 12:27:35 UTC
I already reported the issue from comment #1 some time ago and it definitely got fixed: http://pkgs.fedoraproject.org/cgit/prosody.git/commit/?id=7083ae937f7278adffac732392556b1fa0bef38c

Comment 3 Adam Williamson 2013-09-18 15:59:29 UTC
mcepl: I figured I'd use a self-signed cert just to start with for testing, I thought that'd be fairly common at least. It takes, like, at least two minutes for me to log in to startssl and create a new cert :P

Comment 4 Adam Williamson 2013-09-18 16:01:14 UTC
robert: aha. It looks like that never got pushed anywhere older than F20, though: F19 is still on 0.8.2-8. So, mcepl, looks like you just need to push out 0.8.2-9 as an update for stable releases.

Comment 5 Adam Williamson 2013-09-18 16:01:57 UTC
Looks like it was submitted/pushed stable for el5, but nothing else :)

Comment 6 Johan Cwiklinski 2013-09-18 16:12:55 UTC
Sounds like I've made changes in the git, but forgot to build; sorry :/ Just building for F-18 and F-19 branches should be enough.

@Matěj will you take care of that or should I?

Comment 7 Johan Cwiklinski 2013-09-18 20:54:51 UTC
Finally, it is ok for F-18; I just forgot F-19...

I'm building the package, update will come soon.

Comment 8 Fedora Update System 2013-09-18 21:32:16 UTC
prosody-0.8.2-10.fc19 has been submitted as an update for Fedora 19.

Comment 9 Adam Williamson 2013-09-18 23:42:47 UTC
ah yeah, looks OK for f18 indeed.

Comment 10 Fedora Update System 2013-09-20 16:28:59 UTC
Package prosody-0.8.2-10.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing prosody-0.8.2-10.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-10-02 06:52:25 UTC
prosody-0.8.2-10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
