-
YHL
Hello, I am trying to get my own server up and running but have encountered an issue with certificates in #Prosody. I am a newbie, so I’m not sure anyone wants to take the time to help, but can’t hurt to ask.
-
smooth_op
YHL: what sort of issue?
-
YHL
Let me get a screenshot
-
YHL
Here are the errors:
certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/my.site/privkey.pem': Check that the file exists and the pe>
my.site:tls: Error creating context for c2s: error loading private key ((null))
certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/my.site/privkey.pem': Previous error (see logs), or other s>
my.site:tls: Error creating contexts for s2sout: error loading private key (system lib)
certmanager: SSL/TLS: Failed to load '/etc/letsencrypt/live/my.site/privkey.pem': Previous error (see logs), or other s>
my.site:tls: Error creating contexts for s2sin: error loading private key (system lib)
-
YHL
FYI, I have this command and reply:
prosodyctl --root cert import /etc/letsencrypt/live/my.site
No certificate for host localhost found : Imported certificate and key for hosts my.site
-
smooth_op
YHL: try the prosodyctl without "/my.site"
-
smooth_op
based on https://prosody.im/doc/letsencrypt#certbot
-
Menel
YHL: there is a Prosody room for Prosody questions: xmpp:prosody@conference.prosody.im?join Seeing your first posted error, I assume you declare the certificate path in the config somewhere. You should delete that line. You already successfully imported your certs with the importer command.
-
Menel
> Imported certificate and key for hosts my.site
With that, there is no need for anything in your Prosody config. It will just work. So no `ssl =` line. No `certificate=` line or anything.
-
smooth_op
Ah right, the Prosody config shouldn't be trying to look in /etc/letsencrypt
-
smooth_op
because only root has access to /etc/letsencrypt and prosody runs as an unprivileged user
-
smooth_op
the prosodyctl import command will use root access to copy the certs from /etc/letsencrypt into /etc/prosody/certs, where it will be accessible to the prosody daemon
-
Menel
Sadly many people copy some random prosody config from some random website, over the sensible defaults of the shipped config. Often with very outdated config options...
-
smooth_op
sure, that's a possibility
-
smooth_op
I can also imagine initially pointing the Prosody config to /etc/letsencrypt since that's where the certs are, observing a permissions issue, then discovering prosodyctl cert import, but forgetting that the cert path had been updated
-
smooth_op
in any event, hope this has fixed the issue for you YHL!
-
Menel
I had it like that for a long time too... Add all services to a "cert" group and have the certs and the path to the certs readable by the cert group... Works too of course.
-
Menel
YHL: if you have any more problems or questions, don't hesitate to ask in the Prosody room xmpp://prosody@conference.prosody.im?join There should be someone around to help with the setup. Even better in the European morning...
-
Link Mauve
YHL, no double slash in XMPP URIs; you meant xmpp:prosody@conference.prosody.im?join FYI. :)
-
Licaon_Kter
Works in Conversations. Not in specs?
-
Link Mauve
Licaon_Kter, the double slash can be interpreted as “please authenticate as user prosody on server conference.prosody.im”, which makes exactly no sense.
-
Link Mauve
If a client interprets that otherwise, it should probably get fixed.
-
Licaon_Kter
Link Mauve: link to spec?
-
Licaon_Kter
I never heard of that before, interesting
-
MattJ
Licaon_Kter [08:35]:
> Link Mauve: link to spec?
I advise against entering this rabbit hole if you value your weekend 🙂
-
Link Mauve
Licaon_Kter, RFC 3986 section 3.
-
Licaon_Kter
Thanks MattJ: not that I would dig more :)
-
Menel
Heh, must've been muscle memory. But now that I think of it, it should be OK that it works. Because, no, a client should not interpret it as "register user prosody on server conference.prosody.im", because it is xmpp:// not https://. So why would a client think that?
-
MattJ
It means the same thing, just a different protocol
-
Licaon_Kter
Menel: see RFC 3986 section 3
-
Licaon_Kter
If it's https or ftp or xmpp, they have to behave the same: "generic URI whatever"
-
Menel
OK, I must admit, I don't get what "Authority" means in this context. I see it as something to do with //. But I'm after a night shift, so maybe I can understand it in the evening
-
drsn
Are there any public XMPP servers out there that provide an HTTP POST service (e.g. sending XMPP messages via curl)? I want to know this because I want to provide 2FA for Nextcloud authentication via XMPP. That would be the easiest way to implement.
-
MattJ
Hmm, there was a service but it seems to be offline
- MattJ tries to remember who was building that
-
jonas’
grep for the url in your jdev logs
-
jonas’
the person announced it there I think
-
nuegia.net
> Are there any public xmpp server out there that provide post http service (e. g. sending xmpp messages via curl)?
> I want to know this because I want to provide 2fa for nextcloud authentication via xmpp. That would be the easiest way to implement.
Look at slix sdk and bosh