this post was submitted on 13 Jul 2024
-1 points (46.2% liked)

Selfhosted

40183 readers
508 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

My certificates are in /etc/letsencrypt/live/example.com/, and when I trying to start coturn I receiving: "0: : WARNING: cannot find certificate file..." I'm interested, what is the best way to solve this problem?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 4 months ago (10 children)

Maybe sth like usermod -a -G letsencrypt coturn which puts the coturn user in the letsencrypt group. Allowing that user access to files owned by the group. I haven't checked the names. Maybe the group is called differently, certbot or something. Obviously that grants that coturn user access to all the certificates. You might want to set some directory permissions instead, if you have multiple certificates and don't want coturn be able to read or mess with certificates of other domains.

[–] [email protected] 2 points 4 months ago (9 children)

seems like I have not letsencrypt or certbot group

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (8 children)

So who owns the certificate files then? It's got to be some user and group?! Usually certbot is set up in some way to fetch and renew the certificates periodically. You might want to take the other advice and check the file permissions first and find out who owns them.

[–] [email protected] 2 points 4 months ago (1 children)
[–] [email protected] 3 points 4 months ago* (last edited 4 months ago) (1 children)

either create a cert group and give that group permission to the certs, or add a handler to distribute the cert+key on renew to your service’s folder, and change owner/group to whats relevant to the service

Note: the “live” folder only contains links to the archive folder

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)
-rw-rwxr-- 1 root certgroup 2864 Jul 14 01:07 fullchain1.pem
-rw-rwxr-- 1 root certgroup  241 Jul 14 01:07 privkey1.pem

What if I have such permissions, but coturn still can't access to files?

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

First of all you'd need to make sure that coturn is in the "certgroup" group. Or it won't help.

Secondly, those are just the two files. "certgroup" might still be unable to open them if the directory permissions don't allow opening the directory in the first place. And we can't tell from just the two lines. Make sure all the parent directories also allow traversing to that location. "rX" are required to read and open a directory.

However text files shouldn't have execute permissions. And you've set "rwx" for the group. That doesn't break anything, but "rw-" would be the 100% correct choice there. And other accounts shouldn't have read permissions on the private key. That should be "rw-rw----"

(I'm not sure why you have to do all of that stuff manually... Lot's of frameworks or operating systems come with letsencrypt/certbot and some sane default settings. If your way of doing things doesn't work out, you might want to read a tutorial for your operating system or consider a more standard approach.)

[–] [email protected] 1 points 4 months ago (1 children)

What if I created new directory and copy one of certificate there(manually, using nano), then I gave all permissions to folder and this certificate, but coturn still can't access this cert?

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

(Same things would apply as I lined out earlier. You'd also need to pay attention to the parent directory of that directory (and maybe parents of those). And check if coturn is actually running as that user and/or group.

You might just (for testing) grant all permissions on the files. Put them into a directory that you're 100% sure coturn can access. Like one of Coturn's own directories. And then chmod 666 both files and give them the same user and group as coturn's own config file has. If that doesn't work, it's not the permissions.)

And read the actual error message again. Make sure it says "permission denied". Make sure the filename in the error message is the exact filename and location of your certificate file. To rule out other errors or a typo.

And now that I'm reading your initial post again, it says it can't find them. So maybe it's really not the permissions, but the coturn config doesn't point to the correct location of the certificate files. Usually permissions is a good first guess. But if the error message says sth else, it could very well be what the error message says. Does it go on and tell you where it looked for the certificates?

[–] [email protected] 2 points 4 months ago (1 children)

ok, I just needed to change owner to turnserver for certs and directories. That's all

[–] [email protected] 2 points 3 months ago

Glad you could figure it out. Keep an eye on the certificate updates. As far as I know letsencypt certs are valid for 90 days or so. In case you have a periodic job that renews them, that one might now fail to update the files when it runs the next time in 2 months or so. But that depends on the permissions and user of that renew job. However that's set up. But for the next few months, everything should be fine now.

load more comments (6 replies)
load more comments (6 replies)
load more comments (6 replies)