#892 Simple command for importing certificates

Reporter MattJ
Owner Zash
Stars ★★ (3)
Tags
  • Priority-Medium
  • Status-Fixed
  • Milestone-0.10
  • Type-Enhancement
  1. MattJ on

    With CAs such as LetsEncrypt beginning to support automated certificate issuance, it would be very helpful if Prosody provided a simple way to import a set of certificates in an automatic fashion. Best security practice dictates that certificates and keys have minimal permissions, and on many systems this means that they are readable only by root. In particular many LetsEncrypt clients for example will make certificates and keys readable by root only. This is a problem for Prosody, as also due to security considerations, we never run as root. A typical solution to this issue is to copy the certificates/keys somewhere that Prosody can access, and ensure they are readable by (only) Prosody. Although this solution is not too hard to script, it would be much simpler for users if we provided a command out of the box for importing certificates from some location (e.g. /etc/letsencrypt/live) and putting them somewhere (e.g. /etc/prosody/certs) in a secure way, and such that Prosody will automatically pick them up with no configuration changes required. As a bonus, the command should reload Prosody and Prosody should re-read the certificates. Finally, we need to document this command as the now recommended way to feed certificates to Prosody, and drop the old 'ssl' option from the default configuration file.

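    The copy-and-lock-down step described in the comment above, as an added POSIX shell example (not Prosody's own code, and not the `prosodyctl cert import` command discussed later in this issue); the source file names `fullchain.pem`/`privkey.pem` and the owner argument are assumptions, and Let's Encrypt's `live/` symlinks are followed so the copies are real files:

```shell
#!/bin/sh
# Added example (not Prosody's own code): copy one host's certificate and
# private key from a Let's Encrypt-style live directory into a directory
# Prosody can read. Assumed file names: fullchain.pem and privkey.pem;
# the owner is passed in rather than hard-coded to "prosody".
#
# usage: import_cert HOST LIVE_DIR DEST_DIR OWNER
import_cert() (
    host="$1"; live_dir="$2"; dest_dir="$3"; owner="$4"
    src="$live_dir/$host"

    # Refuse to continue if either half of the pair is missing.
    if [ ! -r "$src/fullchain.pem" ] || [ ! -r "$src/privkey.pem" ]; then
        echo "import_cert: $src lacks fullchain.pem or privkey.pem" >&2
        exit 1
    fi
    mkdir -p "$dest_dir" || exit 1

    # From here on every new file starts out owner-only; the body runs in a
    # subshell so the caller's umask is untouched.
    umask 077

    # Stage under temporary names in the destination directory so the final
    # mv is an atomic rename: a reader sees either the old or the new key,
    # never a partially written one.
    tmp_crt=$(mktemp "$dest_dir/.$host.crt.XXXXXX") || exit 1
    tmp_key=$(mktemp "$dest_dir/.$host.key.XXXXXX") || { rm -f "$tmp_crt"; exit 1; }
    cleanup() { rm -f "$tmp_crt" "$tmp_key"; }

    # cp follows the symlinks Let's Encrypt leaves in live/, so the copies
    # are real files that survive the next renewal replacing the links.
    if ! cp "$src/fullchain.pem" "$tmp_crt" || ! cp "$src/privkey.pem" "$tmp_key"; then
        cleanup; exit 1
    fi

    # Hand the copies to the service account. The key stays readable by that
    # account only; the certificate is public and may be world-readable.
    chown "$owner" "$tmp_crt" "$tmp_key" || { cleanup; exit 1; }
    chmod 0600 "$tmp_key" && chmod 0644 "$tmp_crt" || { cleanup; exit 1; }

    mv -f "$tmp_key" "$dest_dir/$host.key" && mv -f "$tmp_crt" "$dest_dir/$host.crt"
)
```

    Run as root with the Prosody service account as OWNER; the function never touches the originals, so renewals in the live directory keep working.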
  2. Zash on

    Changes
    • owner Zash
    • tags Status-Started
  3. Zash on

    Done in https://hg.prosody.im/0.10/rev/3cbb311f8468 . May need some additional polish, but it should do the job.

    Changes
    • tags Status-Fixed Milestone-0.10
  4. Zash on

    And the docs need to say `prosodyctl --root cert import example.com /etc/letsencrypt/live` somewhere.
