Greetings!
I have duckduckgo'ed and I have not found an answer, but what should be the permissions for the private key, since stunnel is giving me a warning/error regarding that:
...
[ ] Loading private key from file: /etc/ssl/private.key
[:] Insecure file permissions on /etc/ssl/private.key
[ ] Private key loaded from file: /etc/ssl/private.key
...
This is what I have set:
jic@web:~$ ls -l /etc/ssl/private.key
-rw-r--r-- 1 root www-data 1702 Oct 13 02:54 /etc/ssl/private.key
The www-data is the user that runs the website. All is running well, apparently, but I would like to set the correct permission on the private.key file. Thanks for your support.
josé
Hello Jose,
Private key should be readable just for the user running stunnel. Try
chmod 600 /etc/ssl/private.key
regards,
On 29/11/2021, at 9:13 AM, jose isaias cabrera jicman@gmail.com wrote:
> Greetings!
> I have duckduckgo'ed and I have not found an answer, but what should be the permissions for the private key, since stunnel is giving me a warning/error regarding that:
> ...
> [ ] Loading private key from file: /etc/ssl/private.key
> [:] Insecure file permissions on /etc/ssl/private.key
> [ ] Private key loaded from file: /etc/ssl/private.key
> ...
> This is what I have set:
> jic@web:~$ ls -l /etc/ssl/private.key
> -rw-r--r-- 1 root www-data 1702 Oct 13 02:54 /etc/ssl/private.key
> The www-data is the user that runs the website. All is running well, apparently, but I would like to set the correct permission on the private.key file. Thanks for your support.
> josé
> --
> What if eternity is real? Where will you spend it? Hmmmm...
> _______________________________________________
> stunnel-users mailing list -- stunnel-users@stunnel.org
> To unsubscribe send an email to stunnel-users-leave@stunnel.org
On Mon, Nov 29, 2021 at 9:34 AM Josealf.rm josealf@rocketmail.com wrote:
> Hello Jose,
> Private key should be readable just for the user running stunnel. Try
> chmod 600 /etc/ssl/private.key
> regards,
Thanks, José. The problem now is this:
[ ] Loading private key from file: /etc/ssl/private.key
[!] error queue: ../ssl/ssl_rsa.c:540: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[!] error queue: ../crypto/bio/bss_file.c:290: error:20074002:BIO routines:file_ctrl:system lib
[!] SSL_CTX_use_PrivateKey_file: ../crypto/bio/bss_file.c:288: error:0200100D:system library:fopen:Permission denied
[!] Service [https]: Failed to initialize TLS context
So, I don't think that is right. I will set it back to 644.
Hi Jose,
You’re right. Sorry. I did not realize the current owner of the private key is the root user. You can change the file owner to the user running stunnel with the chown command or follow Mike's advice in his answer to your post. In any case, the file should not be world readable.
regards Jose
On 29/11/2021, at 9:52 AM, jose isaias cabrera jicman@gmail.com wrote:
> On Mon, Nov 29, 2021 at 9:34 AM Josealf.rm josealf@rocketmail.com wrote:
> > Hello Jose,
> > Private key should be readable just for the user running stunnel. Try
> > chmod 600 /etc/ssl/private.key
> > regards,
> Thanks, José. The problem now is this:
> [ ] Loading private key from file: /etc/ssl/private.key
> [!] error queue: ../ssl/ssl_rsa.c:540: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
> [!] error queue: ../crypto/bio/bss_file.c:290: error:20074002:BIO routines:file_ctrl:system lib
> [!] SSL_CTX_use_PrivateKey_file: ../crypto/bio/bss_file.c:288: error:0200100D:system library:fopen:Permission denied
> [!] Service [https]: Failed to initialize TLS context
> So, I don't think that is right. I will set it back to 644.
All,
On 11/29/21 09:34, Josealf.rm via stunnel-users wrote:
> Hello Jose,
> Private key should be readable just for the user running stunnel. Try
> chmod 600 /etc/ssl/private.key
I would also:
$ chown root:root /etc/ssl/private.key
There's no reason for the "www-data" group to own that file.
-chris
On Mon, Nov 29, 2021 at 1:01 PM Christopher Schultz <chris@christopherschultz.net> wrote:
> All,
> On 11/29/21 09:34, Josealf.rm via stunnel-users wrote:
> > Hello Jose,
> > Private key should be readable just for the user running stunnel. Try
> > chmod 600 /etc/ssl/private.key
> I would also:
> $ chown root:root /etc/ssl/private.key
> There's no reason for the "www-data" group to own that file.
> -chris
Thanks, Chris.
josé,
The private-key file you have there is world-readable, which it most certainly should NOT be.
Also, "www-data" is a group, not a user, so you MUST be very careful to make sure that ONLY the web-server software can run as a member of that group and that no other user or process can do so. IF you can guarantee those, then permissions (spaces added here for clarity) of
- r w - r - - - - -
should be safe. Putting it another way:
chmod 0640 /etc/ssl/private.key
-- Mike
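
An added example, not part of the thread: a shell check that sorts a key file into the three situations discussed above (world-readable 644, a 600 file the service account cannot open, and 0640 read through a group). It assumes GNU coreutils stat; key_perm_check and the svc-example account name are hypothetical, and a temp file stands in for /etc/ssl/private.key.

```shell
#!/bin/sh
# Added example (not from the thread). key_perm_check is a hypothetical helper.
# Assumes GNU coreutils stat(1). Usage: key_perm_check FILE RUN_USER RUN_GROUP
# Prints one of: missing | insecure-other | unreadable | group-access | ok
key_perm_check() {
    file=$1 run_user=$2 run_group=$3
    [ -f "$file" ] || { echo missing; return 0; }

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$((0$1)) owner=$2 group=$3

    # Any bit for "other" exposes the key to every local account (the 644 case).
    if [ $((mode & 7)) -ne 0 ]; then echo insecure-other; return 0; fi

    # Can the service account open the file at all (the root-owned 600 case)?
    if [ "$run_user" = root ]; then
        via=owner
    elif [ "$run_user" = "$owner" ]; then
        # For the owner, only the owner bits are consulted.
        if [ $(( (mode >> 8) & 1 )) -eq 1 ]; then via=owner; else via=none; fi
    elif [ "$run_group" = "$group" ] && [ $(( (mode >> 5) & 1 )) -eq 1 ]; then
        via=group
    else
        via=none
    fi
    if [ "$via" = none ]; then echo unreadable; return 0; fi

    # Group bits set (the 0640 case): safe only if group membership is controlled.
    if [ $(( (mode >> 3) & 7 )) -ne 0 ]; then echo group-access; else echo ok; fi
}

# Constructed demo: a temp file stands in for /etc/ssl/private.key.
demo=$(mktemp)
u=$(stat -c %U "$demo") g=$(stat -c %G "$demo")
chmod 644 "$demo"; echo "644, owner runs service: $(key_perm_check "$demo" "$u" "$g")"
chmod 600 "$demo"; echo "600, other account runs service: $(key_perm_check "$demo" svc-example svc-example)"
chmod 600 "$demo"; echo "600, owner runs service: $(key_perm_check "$demo" "$u" "$g")"
chmod 640 "$demo"; echo "640, service in file's group: $(key_perm_check "$demo" svc-example "$g")"
rm -f "$demo"
```

The group comparison uses only the group name passed in, so supplementary group memberships of the service account are not considered.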