On 2021-12-06, Radek <rdk@int.pl> wrote:
> If I change perm /etc/ssl/private/redmine.MY.DOMAIN.COM.key to 555 website loads on FF correctly (no errors on puma) but I still got an error on curl:
> $ curl https://redmine.MY.DOMAIN.COM
> curl: (35) error:1404B418:SSL routines:ST_CONNECT:tlsv1 alert unknown ca
>
> puma also shows error on curl request:
> 2021-12-06 05:04:06 +0100 SSL error, peer: A.B.C.D, peer cert: : #<Puma::MiniSSL::SSLError: OpenSSL error: error:1403F418:SSL routines:ACCEPT_SR_FINISHED:tlsv1 alert unknown ca - 1048>
This suggests you are using just the server certificate, when you also need to
include the intermediate certificate. For acme-client, use the "full chain" file.
> If I have ssl key permission set to 555 I also got an error from acme client:
> $ acme-client -v redmine.MY.DOMAIN.COM
> acme-client: /etc/ssl/private/redmine.MY.DOMAIN.COM.key: group read/writable or world read/writable
>
> Did I miss any obvious thing?
There are various ways to fix this using some of the following tools
(you might not need all of them): chown, chmod, cp
> I'm not sure if running the app as root to solve the ssl key permission problem is a good idea...
Just think about what the software is doing and arrange things so that it
reads a file which it has permission to read.
--
Please keep replies on the mailing list.
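One arrangement that follows the advice above (an added example, not from this thread or from Radek's setup): the acme-client key stays root-owned and 0600, the service gets its own read-only copy owned by the account it runs as, and the certificate file is checked to be a chain rather than a lone leaf. The copy path, the service user/group name and the fullchain file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The puma copy path, the service
# user/group and the fullchain file name below are assumptions; take the
# real names from acme-client.conf and the puma configuration.

# Count the certificates in a PEM file. A file holding only the server (leaf)
# certificate yields 1; a "full chain" file yields 2 or more, which is what
# curl and other clients need to build a path to a trusted root. grep -c
# exits 1 on zero matches, so "|| true" keeps the count usable under set -e.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Give the service its own private copy of the key instead of loosening the
# original. The acme-client copy keeps its root-only mode (so its permission
# check still passes); the copy is owned by the service account and mode
# 0400, so the app reads it without root and nobody else can read it.
install_private_copy() {
    src=$1; dst=$2; owner=$3; group=$4
    install -o "$owner" -g "$group" -m 0400 "$src" "$dst"
}

# Permission string of a file, e.g. "-r--------"; works with BSD and GNU ls.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Typical use (assumed names; run as root after each acme-client renewal):
#   install_private_copy /etc/ssl/private/redmine.MY.DOMAIN.COM.key \
#       /var/puma/ssl/redmine.key _puma _puma
#   [ "$(cert_count /etc/ssl/redmine.MY.DOMAIN.COM.fullchain.pem)" -ge 2 ] \
#       || echo "configured certificate file is not a full chain"
```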