On 2021-12-06, Radek <[email protected]> wrote:
> If I change perm /etc/ssl/private/redmine.MY.DOMAIN.COM.key to 555 website
> loads on FF correctly (no errors on puma) but I still got an error on curl:
> $ curl https://redmine.MY.DOMAIN.COM
> curl: (35) error:1404B418:SSL routines:ST_CONNECT:tlsv1 alert unknown ca
>
> puma also shows error on curl request:
> 2021-12-06 05:04:06 +0100 SSL error, peer: A.B.C.D, peer cert: :
> #<Puma::MiniSSL::SSLError: OpenSSL error: error:1403F418:SSL
> routines:ACCEPT_SR_FINISHED:tlsv1 alert unknown ca - 1048>
This suggests you are using just the server certificate, when you also need
to include the intermediate certificate. For acme-client, use the "full
chain" file.

> If I have ssl key permission set to 555 I also got an error from acme client:
> $ acme-client -v redmine.MY.DOMAIN.COM
> acme-client: /etc/ssl/private/redmine.MY.DOMAIN.COM.key: group read/writable
> or world read/writable
>
> Did I miss any obvious thing?

There are various ways to fix this using some of the following tools (you
might not need all of them): chown, chmod, cp

> I'm not sure if running the app as root to solve the ssl key permission
> problem is a good idea...

Just think about what the software is doing and arrange things so that it
reads a file which it has permission to read.

-- 
Please keep replies on the mailing list.
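The two conditions discussed in this thread (a certificate file that holds only the leaf and so triggers "unknown ca", and a key file whose group/world bits acme-client refuses) can be checked before restarting puma. This is an added example, not code from the thread or from acme-client or puma; the file paths are placeholders and the PEM content used in testing is constructed.

```sh
#!/bin/sh
# Added example: pre-flight check for the certificate chain and key
# permissions described in the thread. Paths are placeholders.

# Number of PEM certificate blocks in a file. A server-only certificate
# gives 1; acme-client's "full chain" file gives 2 or more (leaf plus
# intermediate(s)).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 when the key has no group/other read or write bits set, which is
# the condition acme-client enforces (0400 or 0600 style permissions).
key_mode_ok() {
    [ -z "$(find "$1" -prune \
        \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]
}

# Combined diagnosis; returns 0 only if both checks pass.
check_tls_files() {
    cert="$1"; key="$2"; rc=0
    n=$(cert_count "$cert")
    if [ "$n" -lt 2 ]; then
        echo "$cert: only $n certificate block(s); clients will see" \
             "'unknown ca'. Point puma at the full-chain file."
        rc=1
    fi
    if ! key_mode_ok "$key"; then
        echo "$key: group/world readable or writable; acme-client will" \
             "refuse it. Use chmod 0400 and chown it to the puma user."
        rc=1
    fi
    return $rc
}

# Usage: check_tls_files /etc/ssl/redmine.MY.DOMAIN.COM.fullchain.pem \
#                        /etc/ssl/private/redmine.MY.DOMAIN.COM.key
```

Run it as the user puma runs as, so the read test reflects that user's access rather than root's.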

