My certificates are in /etc/letsencrypt/live/example.com/, and when I trying to start coturn I receiving: “0: : WARNING: cannot find certificate file…” I’m interested, what is the best way to solve this problem?

  • hendrik@palaver.p3x.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    Maybe sth like usermod -a -G letsencrypt coturn which puts the coturn user in the letsencrypt group. Allowing that user access to files owned by the group. I haven’t checked the names. Maybe the group is called differently, certbot or something. Obviously that grants that coturn user access to all the certificates. You might want to set some directory permissions instead, if you have multiple certificates and don’t want coturn be able to read or mess with certificates of other domains.

      • hendrik@palaver.p3x.de
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        4 months ago

        So who owns the certificate files then? It’s got to be some user and group?! Usually certbot is set up in some way to fetch and renew the certificates periodically. You might want to take the other advice and check the file permissions first and find out who owns them.

          • Oisteink@feddit.nl
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            4 months ago

            either create a cert group and give that group permission to the certs, or add a handler to distribute the cert+key on renew to your service’s folder, and change owner/group to whats relevant to the service

            Note: the “live” folder only contains links to the archive folder

            • someoneFromInternetOP
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              4 months ago
              -rw-rwxr-- 1 root certgroup 2864 Jul 14 01:07 fullchain1.pem
              -rw-rwxr-- 1 root certgroup  241 Jul 14 01:07 privkey1.pem
              

              What if I have such permissions, but coturn still can’t access to files?

              • hendrik@palaver.p3x.de
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                4 months ago

                First of all you’d need to make sure that coturn is in the “certgroup” group. Or it won’t help.

                Secondly, those are just the two files. “certgroup” might still be unable to open them if the directory permissions don’t allow opening the directory in the first place. And we can’t tell from just the two lines. Make sure all the parent directories also allow traversing to that location. “rX” are required to read and open a directory.

                However text files shouldn’t have execute permissions. And you’ve set “rwx” for the group. That doesn’t break anything, but “rw-” would be the 100% correct choice there. And other accounts shouldn’t have read permissions on the private key. That should be “rw-rw----”

                (I’m not sure why you have to do all of that stuff manually… Lot’s of frameworks or operating systems come with letsencrypt/certbot and some sane default settings. If your way of doing things doesn’t work out, you might want to read a tutorial for your operating system or consider a more standard approach.)

                • someoneFromInternetOP
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  4 months ago

                  What if I created new directory and copy one of certificate there(manually, using nano), then I gave all permissions to folder and this certificate, but coturn still can’t access this cert?