Red Hat Bugzilla – Bug 1009272
prosody certificate files owned by root not prosody, and not owned by the RPM package
Last modified: 2018-04-11 08:05:10 EDT
I installed prosody today. Mostly works fine, but I noticed tls wasn't working, and found an error in journalctl:
Sep 17 22:26:34 ircproxy.localdomain prosody: SSL/TLS: Failed to load /etc/pki/tls/private/prosody.key: Check that the permissions allow Prosody to read this file.
Sep 17 22:26:34 ircproxy.localdomain prosody: SSL/TLS: Failed to load /etc/pki/tls/private/prosody.key: Previous error (see logs), or other system error.
I looked, and found that prosody.key and prosody.crt are both owned by root with 0600 permissions, so the prosody service - running as user prosody - can't read them. Seems odd that no-one else has noticed this, but there you go.
It looks like the spec tries to change prosody.key to root.prosody and 0640, and prosody.crt to 0644, but that doesn't seem to have worked when it was installed on my system, though I don't recall seeing any errors when the package was installed. I just did a simple 'yum install prosody'.
Also, the files are not owned by the RPM package; not sure if that's intentional.
(Oh, and the key is only 1024 bit; I thought current best practice was at least 2048).
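The report boils down to three checks a defender would want to run before blaming TLS itself: is the key owned and moded the way the spec intends (root:prosody 0640, cert 0644), could the service account actually open it, and is it world-readable or unowned by any package. The POSIX shell script below is an added example, not code from the bug report or from the prosody package; the key path is the one quoted in the journal lines above, while the cert path, the PROSODY_AUDIT switch and the 2048-bit threshold are assumptions for the example.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the prosody package).
# Expected ownership/modes are what the report says the spec intends.

PROSODY_KEY=/etc/pki/tls/private/prosody.key   # path quoted in the report
PROSODY_CRT=/etc/pki/tls/certs/prosody.crt     # assumed location of the cert

# Thin wrappers around GNU/busybox stat so the checks read clearly.
file_mode()  { stat -c '%a' "$1"; }   # octal mode, e.g. 600
file_owner() { stat -c '%U' "$1"; }
file_group() { stat -c '%G' "$1"; }

# readable_by PATH USER
# Mirrors the classic DAC rule: only the owner bits count for the owner,
# only the group bits for a group member, otherwise the "other" bits.
# Does not model root's DAC override, ACLs or SELinux.
readable_by() {
    rb_path=$1; rb_user=$2
    [ -f "$rb_path" ] || return 1
    rb_mode=$(file_mode "$rb_path")
    if [ "$(file_owner "$rb_path")" = "$rb_user" ]; then
        [ $((0$rb_mode & 0400)) -ne 0 ]; return $?
    fi
    rb_group=$(file_group "$rb_path")
    for g in $(id -Gn "$rb_user" 2>/dev/null); do
        if [ "$g" = "$rb_group" ]; then
            [ $((0$rb_mode & 040)) -ne 0 ]; return $?
        fi
    done
    [ $((0$rb_mode & 04)) -ne 0 ]
}

# world_readable PATH -> 0 if the "other" read bit is set (bad for a key)
world_readable() {
    [ $((0$(file_mode "$1") & 04)) -ne 0 ]
}

# check_file_perms PATH OWNER GROUP "MODE [MODE...]"
# 0 when PATH is owned by OWNER:GROUP and its mode is one of the allowed ones.
check_file_perms() {
    cf_path=$1; cf_owner=$2; cf_group=$3; cf_allowed=$4
    [ -f "$cf_path" ] || { echo "MISSING $cf_path"; return 1; }
    cf_have="$(file_owner "$cf_path"):$(file_group "$cf_path") $(file_mode "$cf_path")"
    cf_mode=${cf_have##* }
    if [ "${cf_have%% *}" != "$cf_owner:$cf_group" ]; then
        echo "BAD OWNER $cf_path: $cf_have (want $cf_owner:$cf_group)"; return 1
    fi
    for m in $cf_allowed; do
        [ "$m" = "$cf_mode" ] && { echo "OK $cf_path: $cf_have"; return 0; }
    done
    echo "BAD MODE $cf_path: $cf_have (want one of: $cf_allowed)"; return 1
}

# rsa_key_bits PATH -> RSA modulus size, or "unknown" when openssl is absent
rsa_key_bits() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# audit_prosody_tls: the checks the report says were failing on this host.
audit_prosody_tls() {
    rc=0
    check_file_perms "$PROSODY_KEY" root prosody "640" || rc=1
    check_file_perms "$PROSODY_CRT" root root "644" || rc=1
    readable_by "$PROSODY_KEY" prosody || { echo "prosody cannot read $PROSODY_KEY"; rc=1; }
    if world_readable "$PROSODY_KEY"; then echo "$PROSODY_KEY is world-readable"; rc=1; fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$PROSODY_KEY" >/dev/null 2>&1 || echo "$PROSODY_KEY is not owned by any RPM package"
    fi
    bits=$(rsa_key_bits "$PROSODY_KEY")
    case "$bits" in
        unknown|"") ;;
        *) [ "$bits" -ge 2048 ] || echo "key is only $bits bit (report asks for >= 2048)" ;;
    esac
    return $rc
}

# Run only when explicitly asked, so sourcing the file just defines the functions.
if [ "${PROSODY_AUDIT:-0}" = 1 ]; then audit_prosody_tls; fi
```

Run it as `PROSODY_AUDIT=1 sh audit.sh` on the affected host; a non-zero exit plus the printed lines identify which of the three conditions (owner, mode, readability by the service user) is the one the journal error is pointing at.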
a) This is certainly a bug and I will take a look at it.
b) We in the XMPP world are in a little bit different league than your normal website owners. We don't use self-signed certificates that much (because most server-to-server XMPP communication has been encrypted for years), so we usually use real certificates from real established CAs. And if the money is an issue, then for example StartSSL (https://www.startssl.com/) provides an XMPP certificate for one server and year for free. That could be the explanation why nobody noticed this bug so far.
I already reported the issue from comment #1 some time ago and it definitely got fixed: http://pkgs.fedoraproject.org/cgit/prosody.git/commit/?id=7083ae937f7278adffac732392556b1fa0bef38c
mcepl: I figured I'd use a self-signed cert just to start with for testing, I thought that'd be fairly common at least. It takes, like, at least two minutes for me to log in to startssl and create a new cert :P
robert: aha. It looks like that never got pushed anywhere older than F20, though: F19 is still on 0.8.2-8. So, mcepl, looks like you just need to push out 0.8.2-9 as an update for stable releases.
Looks like it was submitted/pushed stable for el5, but nothing else :)
Sounds like I've made changes in the git, but forgot to build; sorry :/ Just building for F-18 and F-19 branches should be enough.
@Matěj will you take care of that or should I?
Finally, it is ok for F-18; I just forgot F-19...
I'm building the package, update will come soon.
prosody-0.8.2-10.fc19 has been submitted as an update for Fedora 19.
ah yeah, looks OK for f18 indeed.
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing prosody-0.8.2-10.fc19'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
prosody-0.8.2-10.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.