Using version 0.9.7-2+deb8u3 on a Debian Jessie 8 stable. I have Let's Encrypt certificates which are generated to the directory /etc/letsencrypt/live/<domain>/
If I now symlink the fullchain.pem and privkey.pem to the directory /etc/prosody/certs/ and change the prosody config accordingly, I get the following error:
certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/<domain>/privkey.pem': Check that the permissions allow Prosody to read this file. (for <domain>)
<domain>:tls error Unable to initialize TLS: error loading private key (Permission denied)
certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/<domain>/privkey.pem': Previous error (see logs), or other system error. (for <domain>)
<domain>:tls error Unable to initialize TLS: error loading private key (system lib)
However, if I copy the certificates to the directory, it works fine, without configuration changes.
Zash
If you create a symlink into /etc/letsencrypt/live/ you must ensure that Prosody has read permissions to the files there, and also access to the path leading up to them.
It is probably simpler to just copy the files and make them owned by prosody.
This is really an issue with certbot or whichever LE client is used. See e.g. https://community.letsencrypt.org/t/how-to-use-certs-in-non-root-services/2690/7
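The "Permission denied" above does not say which step fails: the symlink in /etc/prosody/certs/ is readable, but the kernel still needs search (x) permission on every directory leading to the symlink's target and read (r) permission on the target itself. The following is an added example (not Prosody's or certbot's code) that resolves the symlink chain and reports the first directory or file that would deny a given uid; the directory layout, the domain name and the uids it uses are constructed for the demonstration.

```python
"""Report the first directory or file that stops a uid from reading a
(possibly symlinked) file.  Added example, not code from Prosody or certbot;
the tree built by make_constructed_layout() only mirrors the thread's setup."""
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple


def _allowed(st: os.stat_result, uid: int, gid: int, groups: Iterable[int], bit: int) -> bool:
    """Classic UNIX mode check: pick the owner/group/other triplet that applies
    to (uid, gid, groups) and test one bit of it (4 = read, 1 = search)."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid == gid or st.st_gid in groups:
        shift = 3
    else:
        shift = 0
    return bool((stat.S_IMODE(st.st_mode) >> shift) & bit)


def _ancestors(path: str) -> List[str]:
    """Every directory from / down to the parent of `path`, parents first."""
    parent = os.path.dirname(os.path.abspath(path))
    chain = []
    while True:
        chain.append(parent)
        nxt = os.path.dirname(parent)
        if nxt == parent:
            break
        parent = nxt
    return list(reversed(chain))


def check_read_access(path: str, uid: int, gid: int,
                      groups: Iterable[int] = ()) -> Optional[Tuple[str, str]]:
    """None if `uid` could open `path` for reading, else (blocking_path, reason).
    The symlink is resolved first, so the directories leading to the *target*
    (e.g. /etc/letsencrypt/archive/...) are checked as well as the ones leading
    to the symlink itself."""
    real = os.path.realpath(path)
    dirs: List[str] = []
    for p in (os.path.abspath(path), real):
        for d in _ancestors(p):
            if d not in dirs:
                dirs.append(d)
    for d in dirs:
        st = os.stat(d)
        if not _allowed(st, uid, gid, groups, 1):
            return d, "no search (x) permission for uid %d: mode %s, owner uid %d" % (
                uid, oct(stat.S_IMODE(st.st_mode)), st.st_uid)
    st = os.stat(real)
    if not _allowed(st, uid, gid, groups, 4):
        return real, "no read (r) permission for uid %d: mode %s, owner uid %d" % (
            uid, oct(stat.S_IMODE(st.st_mode)), st.st_uid)
    return None


def current_ids() -> Tuple[int, int]:
    return os.getuid(), os.getgid()


def make_constructed_layout(archive_dir_mode: int = 0o700, key_mode: int = 0o600,
                            domain: str = "example.test") -> Dict[str, str]:
    """Throwaway tree mirroring the thread (constructed, not a certbot install):
    <root>/letsencrypt/archive/<domain>/privkey1.pem (the real key file),
    <root>/letsencrypt/live/<domain>/privkey.pem -> ../../archive/<domain>/privkey1.pem,
    <root>/prosody/certs/<domain>/privkey.pem -> the live symlink (the reporter's link)."""
    root = os.path.realpath(tempfile.mkdtemp())
    le = os.path.join(root, "letsencrypt")
    archive, live = os.path.join(le, "archive"), os.path.join(le, "live")
    archive_dom, live_dom = os.path.join(archive, domain), os.path.join(live, domain)
    prosody = os.path.join(root, "prosody")
    certs, certs_dom = os.path.join(prosody, "certs"), os.path.join(prosody, "certs", domain)
    for d, mode in ((root, 0o755), (le, 0o755), (archive, archive_dir_mode),
                    (archive_dom, archive_dir_mode), (live, 0o755), (live_dom, 0o755),
                    (prosody, 0o755), (certs, 0o755), (certs_dom, 0o755)):
        os.makedirs(d, exist_ok=True)
        os.chmod(d, mode)  # explicit modes so the caller's umask does not matter
    key = os.path.join(archive_dom, "privkey1.pem")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder, not a key)\n"
                 "-----END PRIVATE KEY-----\n")
    os.chmod(key, key_mode)
    live_key = os.path.join(live_dom, "privkey.pem")
    os.symlink(os.path.join("..", "..", "archive", domain, "privkey1.pem"), live_key)
    link = os.path.join(certs_dom, "privkey.pem")
    os.symlink(live_key, link)
    return {"root": root, "archive_dir": archive, "key": key, "link": link}


if __name__ == "__main__":
    PRETEND_PROSODY_UID, PRETEND_PROSODY_GID = 65534, 65534  # constructed ids
    layout = make_constructed_layout()
    print("symlink:", layout["link"])
    print("blocked by:", check_read_access(layout["link"], PRETEND_PROSODY_UID,
                                           PRETEND_PROSODY_GID))
```

Run against a real install as `check_read_access("/etc/prosody/certs/<domain>/privkey.pem", uid, gid, groups)` with the ids of the prosody user (`id prosody`); the first result is usually the archive directory, and after that is opened up the 0600 root-owned key file itself, which is why the reply above recommends copying the files and giving them to the prosody user instead.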