Greetings!
I have duckduckgo'ed and I have not found an answer, but what should be the permissions for the private key since the stunnel is giving me a warning/error regarding that:
...
[ ] Loading private key from file: /etc/ssl/private.key
[:] Insecure file permissions on /etc/ssl/private.key
[ ] Private key loaded from file: /etc/ssl/private.key
...
this is that I have set:
jic@web:~$ ls -l /etc/ssl/private.key
-rw-r--r-- 1 root www-data 1702 Oct 13 02:54 /etc/ssl/private.key
the www-data is the user that runs the website. All is running well, apparently, but, I would like to set the correct permission on the private.key file. Thanks for your support.
josé
Hola Jose,
Private key should be readable just for the user running stunnel. Try
chmod 600 /etc/ssl/private.key
regards,
On 29/11/2021, at 9:13 AM, jose isaias cabrera [email protected] wrote:
Greetings!
I have duckduckgo'ed and I have not found an answer, but what should be the permissions for the private key since the stunnel is giving me a warning/error regarding that:
...
[ ] Loading private key from file: /etc/ssl/private.key
[:] Insecure file permissions on /etc/ssl/private.key
[ ] Private key loaded from file: /etc/ssl/private.key
...
this is that I have set:
jic@web:~$ ls -l /etc/ssl/private.key
-rw-r--r-- 1 root www-data 1702 Oct 13 02:54 /etc/ssl/private.key
the www-data is the user that runs the website. All is running well, apparently, but, I would like to set the correct permission on the private.key file. Thanks for your support.
josé
--
What if eternity is real? Where will you spend it? Hmmmm...
_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
On Mon, Nov 29, 2021 at 9:34 AM Josealf.rm [email protected] wrote:
Hola Jose,
Private key should be readable just for the user running stunnel. Try
chmod 600 /etc/ssl/private.key
regards,
Gracias, José. The problem now is this:
[ ] Loading private key from file: /etc/ssl/private.key
[!] error queue: ../ssl/ssl_rsa.c:540: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[!] error queue: ../crypto/bio/bss_file.c:290: error:20074002:BIO routines:file_ctrl:system lib
[!] SSL_CTX_use_PrivateKey_file: ../crypto/bio/bss_file.c:288: error:0200100D:system library:fopen:Permission denied
[!] Service [https]: Failed to initialize TLS context
So, I don't think that is right. I will set it back to 644.
Hi Jose,
You’re right. Sorry. I did not realize the current owner of the private key is the root user. You can change the file owner to the user running stunnel with the chown command or follow Mike’s advice in his answer to your post. In any case, the file should not be world readable.
regards Jose
On 29/11/2021, at 9:52 AM, jose isaias cabrera [email protected] wrote:
On Mon, Nov 29, 2021 at 9:34 AM Josealf.rm [email protected] wrote:
Hola Jose,
Private key should be readable just for the user running stunnel. Try
chmod 600 /etc/ssl/private.key
regards,
Gracias, José. The problem now is this:
[ ] Loading private key from file: /etc/ssl/private.key
[!] error queue: ../ssl/ssl_rsa.c:540: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[!] error queue: ../crypto/bio/bss_file.c:290: error:20074002:BIO routines:file_ctrl:system lib
[!] SSL_CTX_use_PrivateKey_file: ../crypto/bio/bss_file.c:288: error:0200100D:system library:fopen:Permission denied
[!] Service [https]: Failed to initialize TLS context
So, I don't think that is right. I will set it back to 644.
All,
On 11/29/21 09:34, Josealf.rm via stunnel-users wrote:
Hola Jose,
Private key should be readable just for the user running stunnel. Try
chmod 600 /etc/ssl/private.key
I would also:
$ chown root:root /etc/ssl/private.key
There's no reason for the "www-data" group to own that file.
-chris
On Mon, Nov 29, 2021 at 1:01 PM Christopher Schultz <[email protected]> wrote:
All,
On 11/29/21 09:34, Josealf.rm via stunnel-users wrote:
Hola Jose,
Private key should be readable just for the user running stunnel. Try
chmod 600 /etc/ssl/private.key
I would also:
$ chown root:root /etc/ssl/private.key
There's no reason for the "www-data" group to own that file.
-chris
Thanks, Chris.
josé,
The private-key file you have there is world-readable, which it most certainly should NOT be.
Also, "www-data" is a group, not a user, so you MUST be very careful to make sure that ONLY the web-server software can run as a member of that group and that no other user or process can do so. IF you can guarantee those, then permissions (spaces added here for clarity) of
- r w - r - - - - -
should be safe. Putting it another way:
chmod 0640 /etc/ssl/private.key
-- Mike
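
The three permission states discussed in this thread (644, 600 and 640 on a key owned by root:www-data), checked against the account that has to read the key. This is an added example, not part of the original messages or of stunnel; the function names are hypothetical, and it assumes the service reads the key as account www-data in group www-data and that GNU stat is available.

```shell
#!/bin/sh
# classify_key_access MODE OWNER GROUP SVC_USER SVC_GROUPS
# Prints one of: ok | insecure | unreadable (hypothetical helper, added example).
classify_key_access() {
    mode=$1 owner=$2 group=$3 svc_user=$4 svc_groups=$5
    bits=$((0$mode))                      # leading 0 makes the shell parse octal
    u=$(( (bits >> 6) & 7 )) g=$(( (bits >> 3) & 7 )) o=$(( bits & 7 ))

    # Any bit set for "other" exposes the key to every local account.
    if [ "$o" -ne 0 ]; then echo insecure; return 1; fi

    # Pick the permission class that applies to the service account.
    if [ "$svc_user" = root ]; then
        readable=4                        # root is not limited by mode bits
    elif [ "$svc_user" = "$owner" ]; then
        readable=$(( u & 4 ))
    else
        case " $svc_groups " in
            *" $group "*) readable=$(( g & 4 )) ;;
            *)            readable=0 ;;   # falls to "other", which is 0 here
        esac
    fi
    if [ "$readable" -eq 0 ]; then echo unreadable; return 2; fi
    echo ok
}

# audit_key_file PATH SVC_USER: same check against a real file.
# Assumes GNU stat and that SVC_USER is an existing account.
audit_key_file() {
    info=$(stat -c '%a %U %G' "$1") || return 3
    groups=$(id -Gn "$2") || return 3
    set -- $info "$2" "$groups"
    classify_key_access "$1" "$2" "$3" "$4" "$5"
}

# Constructed input: the three states from the thread.
while read -r mode owner group; do
    result=$(classify_key_access "$mode" "$owner" "$group" www-data www-data) || true
    printf '%s %s:%s -> %s\n' "$mode" "$owner" "$group" "$result"
done <<'EOF'
644 root www-data
600 root www-data
640 root www-data
EOF
```

On a live host, `audit_key_file /etc/ssl/private.key www-data` runs the same classification against the file's actual mode and ownership; who else is a member of the key's group still has to be checked separately.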