#1 2025-08-16 22:15:06

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,460

Mumble not taking letsencrypt certificate

Point configuration to /etc/letsencrypt/live/<site>/*pem with sslKey, sslCA, and sslCert like it says in the wiki, but error message in journalctl -xe

MetaParams: failed to read: /etc/letsencrypt/live/.....

Doesn't seem to take it anywhere else I try to point to/place files.

But I run mumble-server manually

mumble-server -ini /etc/mumble/mumble-server.ini

it works fine.

Looks like lots of extra options in mumble-server systemd unit file that didn't use to be there.  May explain some of the problems.  Maybe protect home prevents me from reading the certs, but is root when starting and then drops privileges.

Last edited by nomorewindows (2025-08-16 22:38:17)


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.


#2 2025-08-17 05:59:54

256
Member
Registered: 2023-12-17
Posts: 47

Re: Mumble not taking letsencrypt certificate

I don't know anything about Mumble, but I've dealt with certs before and this looks to me like a permissions issue (although you said it starts as root, so I'm not sure). Does it still not work when the relevant files in /etc/letsencrypt/live/ have different permissions?

What user does mumble-server run as, when you're not running it manually?


"Don't comment bad code - rewrite it." - The Elements of Programming Style (1978), Brian W. Kernighan & P. J. Plauger, p. 144.


#3 2025-08-19 03:18:50

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,460

Re: Mumble not taking letsencrypt certificate

256 wrote:

I don't know anything about Mumble, but I've dealt with certs before and this looks to me like a permissions issue (although you said it starts as root, so I'm not sure). Does it still not work when the relevant files in /etc/letsencrypt/live/ have different permissions?

What user does mumble-server run as, when you're not running it manually?

Well it has the default user the package makes which is _mumble-server.  Just like it used to use murmur for what used to be murmur instead of mumble-server. 

Letsencrypt likes to keep the permissions tight so that practically root is the only one that can get it.

I removed the server from my favorites and readded it.  Which brings up the certificate warning box.  Now it seems like it wants to maybe work.  But something is still funky about the websockify (for mumble-web).

Last edited by nomorewindows (2025-08-19 05:15:44)


#4 2025-08-19 07:02:11

cryptearth
Member
Registered: 2024-02-03
Posts: 1,722

Re: Mumble not taking letsencrypt certificate

this sounds like a permission issue
when the target service has set up and uses its own user the key file has to be owned by that user (and/or group), has to have permission of 600 (or 640) and be in a directory the user/group has access to
sounds like that /etc/letsencrypt/ is either owned by a special LE user/group or by root and has only 700 to lock out everybody else
so check the service file for user/group directive and make sure that the key can be read by it - as for the certs: these can usually have 644 or even 664


#5 2025-08-19 18:10:08

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,460

Re: Mumble not taking letsencrypt certificate

cryptearth wrote:

this sounds like a permission issue
when the target service has set up and uses its own user the key file has to be owned by that user (and/or group), has to have permission of 600 (or 640) and be in a directory the user/group has access to
sounds like that /etc/letsencrypt/ is either owned by a special LE user/group or by root and has only 700 to lock out everybody else
so check the service file for user/group directive and make sure that the key can be read by it - as for the certs: these can usually have 644 or even 664

In /etc/letsencrypt it is 0700.  Even though the certificate files themselves are 0644.  But the murmur/mumble-server usually reads the certificate files as root before dropping privileges.

It looks like the certificate held by the client might've been the problem, but something still remains with websockify.


#6 2025-08-20 06:42:31

cryptearth
Member
Registered: 2024-02-03
Posts: 1,722

Re: Mumble not taking letsencrypt certificate

nomorewindows wrote:

In /etc/letsencrypt it is 0700.

that's quite unusual for a config in /etc - as usually configs have 644 and folders 755 (because execute is required to cd into a directory although 644 is sufficient for simple read IF you know the exact full path) - restricting to 700 sounds wrong, or at least odd as there's no reason for it
the certificates contain only public information anyway and it's only the key files that should be protected with 600
have you tried what happens when you open up the permissions to 755 of /etc/letsencrypt so that the certs can be read even after privilege drop?
what package is /etc/letsencrypt owned by? maybe a bug report could be issued about the permissions - or is it a folder you created yourself?
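To make the permission argument of the last two replies concrete, here is an added example (my own code, not from any poster, the Arch wiki, or the mumble-server project) that models the discretionary access check a service account must pass to open a file: every directory on the resolved path needs the search (x) bit for that uid or one of its gids, and the file itself needs the read (r) bit. It resolves symlinks first because certbot's live/ entries point into archive/, so the archive directories are checked as well. The demo builds a constructed tree in a temp directory that mirrors the /etc/letsencrypt layout (0700 directories, 0644 certificate, 0600 private key) and checks it as a uid that is not the owner; the uid, the site name example.invalid and the placeholder file contents are all assumptions.

```python
# Added example (not from the thread): model the kernel's DAC check that a
# service user must pass to open a certificate file, walking every directory
# on the resolved path. Assumes Linux/POSIX permission semantics only.
import os
import pwd
import stat
import tempfile


def _class_bits(st, uid, gids):
    """Permission triple (rwx as an int 0-7) that applies to uid/gids on this inode."""
    if st.st_uid == uid:
        shift = 6          # owner class
    elif st.st_gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    return (st.st_mode >> shift) & 0o7


def check_readable(path, uid, gids, base=os.sep):
    """Return (ok, blocking_path, reason) for uid/gids trying to read `path`.

    Symlinks are resolved first (certbot's live/ entries point into archive/),
    so the archive directories are checked too. Every directory from `base`
    down needs the search (x) bit; the file itself needs the read (r) bit.
    Root (uid 0) bypasses these checks (CAP_DAC_READ_SEARCH).
    """
    if uid == 0:
        return True, None, "uid 0 bypasses discretionary access checks"
    target = os.path.realpath(path)
    base = os.path.realpath(base)
    rel = os.path.relpath(target, base)
    if rel.startswith(os.pardir):
        raise ValueError(f"{target} is not below {base}")
    # Directories to traverse: base itself plus each intermediate component.
    dirs = [base]
    for part in rel.split(os.sep)[:-1]:
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        st = os.stat(d)
        if not _class_bits(st, uid, gids) & 0o1:
            return False, d, (f"directory lacks search (x) bit for uid {uid} "
                              f"(mode {stat.filemode(st.st_mode)})")
    st = os.stat(target)
    if not _class_bits(st, uid, gids) & 0o4:
        return False, target, (f"file lacks read (r) bit for uid {uid} "
                               f"(mode {stat.filemode(st.st_mode)})")
    return True, None, "readable"


def resolve_user(name):
    """uid and full group list of a real account, e.g. '_mumble-server'."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, tuple(os.getgrouplist(name, pw.pw_gid))


def demo():
    """Build a certbot-like tree (constructed) and check it as a non-owner uid.

    Layout, mirroring /etc/letsencrypt as described in the thread:
      <root>/                 0700
        archive/<site>/       0700
          cert1.pem           0644
          privkey1.pem        0600
        live/<site>/          0700
          cert.pem    -> ../../archive/<site>/cert1.pem
          privkey.pem -> ../../archive/<site>/privkey1.pem
    Returns (cert_before, cert_after, key_after): the certificate check with
    0700 directories, the same check after opening the directories to 0755,
    and the private-key check after that change.
    """
    root = tempfile.mkdtemp()
    site = "example.invalid"                      # assumed site name
    archive = os.path.join(root, "archive", site)
    live = os.path.join(root, "live", site)
    os.makedirs(archive)
    os.makedirs(live)
    files = {"cert1.pem": 0o644, "privkey1.pem": 0o600}
    for name, mode in files.items():
        p = os.path.join(archive, name)
        with open(p, "w") as fh:
            fh.write(f"constructed placeholder for {name}\n")
        os.chmod(p, mode)
    for link, target in (("cert.pem", "cert1.pem"), ("privkey.pem", "privkey1.pem")):
        os.symlink(os.path.join(os.pardir, os.pardir, "archive", site, target),
                   os.path.join(live, link))
    dirs = (root, os.path.join(root, "archive"), archive,
            os.path.join(root, "live"), live)
    for d in dirs:
        os.chmod(d, 0o700)
    # A service account that is not the owner and shares none of its groups
    # (stands in for _mumble-server after the privilege drop; uid is assumed).
    svc_uid, svc_gids = os.getuid() + 1, ()
    cert_link = os.path.join(live, "cert.pem")
    key_link = os.path.join(live, "privkey.pem")
    cert_before = check_readable(cert_link, svc_uid, svc_gids, base=root)
    for d in dirs:                                # open the search bit only
        os.chmod(d, 0o755)
    cert_after = check_readable(cert_link, svc_uid, svc_gids, base=root)
    key_after = check_readable(key_link, svc_uid, svc_gids, base=root)
    return cert_before, cert_after, key_after


if __name__ == "__main__":
    for label, result in zip(("cert, dirs 0700", "cert, dirs 0755", "key, dirs 0755"), demo()):
        print(f"{label}: {result}")
```

On a real host, `check_readable("/etc/letsencrypt/live/<site>/privkey.pem", *resolve_user("_mumble-server"))` reports the first component that blocks the account named in the unit's User= directive; in the demo the 0700 top directory blocks the certificate even though the file itself is 0644, opening the directories to 0755 makes the certificate readable, and the 0600 private key stays blocked, which is the cert/key split cryptearth describes. Note that systemd's ProtectHome= only hides /home, /root and /run/user, so it cannot explain a failure to read under /etc; the directory search bits and the key's mode are what decide it.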


#7 2025-08-20 14:48:38

tekstryder
Member
Registered: 2013-02-14
Posts: 450

Re: Mumble not taking letsencrypt certificate

cryptearth wrote:
nomorewindows wrote:

In /etc/letsencrypt it is 0700.

that's quite unusual for a config in /etc - as usually configs have 644 and folders 755

Hmmm, looks pretty usual to me, particularly given the subject app...

# find /etc/ -type d -perm 0700
/etc/pacman.d/gnupg/crls.d
/etc/pacman.d/gnupg/private-keys-v1.d
/etc/pacman.d/gnupg/openpgp-revocs.d
/etc/libvirt/secrets
/etc/NetworkManager/system-connections
/etc/credstore.encrypted
/etc/credstore
/etc/cryptsetup-keys.d
/etc/cups/ss


#8 2025-08-20 18:42:28

256
Member
Registered: 2023-12-17
Posts: 47

Re: Mumble not taking letsencrypt certificate

tekstryder wrote:

Hmmm, looks pretty usual to me, particularly given the subject app...

On my system the 0700 folders in /etc/ are heavily outnumbered by the 0755 ones, including ones for cryptography software.

nomorewindows wrote:

the certificate files themselves are 0644.

Then, as cryptearth said, try making sure the directory it's in is readable by mumble-server.



#9 2025-08-21 19:07:34

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,460

Re: Mumble not taking letsencrypt certificate

tekstryder wrote:
cryptearth wrote:
nomorewindows wrote:

In /etc/letsencrypt it is 0700.

that's quite unusual for a config in /etc - as usually configs have 644 and folders 755

Hmmm, looks pretty usual to me, particularly given the subject app...

# find /etc/ -type d -perm 0700
/etc/pacman.d/gnupg/crls.d
/etc/pacman.d/gnupg/private-keys-v1.d
/etc/pacman.d/gnupg/openpgp-revocs.d
/etc/libvirt/secrets
/etc/NetworkManager/system-connections
/etc/credstore.encrypted
/etc/credstore
/etc/cryptsetup-keys.d
/etc/cups/ss

Ok for letsencrypt, it's most of the directories under letsencrypt that are 0700.



#10 2025-08-21 19:08:51

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,460

Re: Mumble not taking letsencrypt certificate

256 wrote:
tekstryder wrote:

Hmmm, looks pretty usual to me, particularly given the subject app...

On my system the 0700 folders in /etc/ are heavily outnumbered by the 0755 ones, including ones for cryptography software.

nomorewindows wrote:

the certificate files themselves are 0644.

Then, as cryptearth said, try making sure the directory it's in is readable by mumble-server.

Mumble-server should read the letsencrypt files before dropping privileges.
