#999 prosodyctl --root cert generate produces files that the prosody user lacks permission to read
Reporter
Zash
Owner
Nobody
Created
Updated
Stars
★ (1)
Tags
Status-WontFix
Type-Defect
Priority-Medium
Zash
on
What steps will reproduce the problem?
1. sudo prosodyctl --root cert generate
2. follow the instructions
3. sudo prosodyctl check certs
What is the expected output?
All is fine
What do you see instead?
certmanager error SSL/TLS: Failed to load '/etc/prosody/certs/example.com.key': Check that the permissions allow Prosody to read this file. (for example.com)
Error: error loading private key (Permission denied)
What version of the product are you using? On what operating system?
prosody-0.10 1nightly428-1~trusty
Please provide any additional information below.
directory listing of /etc/prosody/certs:
-rw-r----- 1 root root 692 Sep 24 12:15 example.com.cnf
-rw-r----- 1 root root 1245 Sep 24 12:15 example.com.crt
-r-------- 1 root root 1675 Sep 24 12:15 example.com.key
MattJ
on
Is there any reason to run 'cert generate' with --root?
I know we added the flag, but I imagine lots of things could go wrong if you used it for just anything. For example --root adduser would have similar problems most likely (with internal storage).
Zash
on
Nice if you can put certificates directly in /etc/prosody/certs #530
Although running cert import right after would spare you from running OpenSSL code as root.
Dave Nelson
on
What permissions and ownership should *actually* be applied to the virtualhosts' keys and certificates?
Zash
on
This does something sensible:
sudo prosodyctl cert generate ...
sudo prosodyctl --root cert import ~prosody
And given the wide adoption of Let's Encrypt it does not seem as important to spend time on tooling for self-signed certs.
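An added example (not prosodyctl's own code) of the check the error message above describes: it evaluates whether a service account can read each file in a certificate directory and flags private keys that are world-readable. It assumes the service user is named prosody and that private keys end in .key.

```python
# Permission check for a certificate directory; added illustration, not
# part of prosody. Ignores ACLs and the root read-everything override.
import grp
import os
import pwd
import stat


def mode_allows_read(st_mode, st_uid, st_gid, uid, gids):
    """Classic owner/group/other evaluation of the read bits."""
    if st_uid == uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def user_gids(user):
    """Return (uid, set of primary and supplementary gids) for a user."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def check_file(path, uid, gids, is_key):
    """Return a list of problems for one file; an empty list means OK."""
    st = os.stat(path)
    problems = []
    if not mode_allows_read(st.st_mode, st.st_uid, st.st_gid, uid, gids):
        problems.append("not readable by service user")
    if is_key and st.st_mode & stat.S_IROTH:
        problems.append("private key is world-readable")
    return problems


def check_cert_dir(directory, user="prosody"):
    """Map each regular file in the directory to its list of problems."""
    uid, gids = user_gids(user)
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            report[name] = check_file(path, uid, gids, name.endswith(".key"))
    return report


if __name__ == "__main__":
    import sys
    for name, probs in check_cert_dir(sys.argv[1], sys.argv[2]).items():
        print(name, "OK" if not probs else "; ".join(probs))
```

Run as `python check_certs.py /etc/prosody/certs prosody`; the listing in the report above (key mode 0400, owned by root) would be reported as not readable by the service user.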
Changes: Milestone-0.10, Status-WontFix