I’m not sure if this will help the problem I’m trying to solve, but it’s something I should probably do anyhow. I run an ejabberd server primarily to chat with one person. He upgraded his Mac and has been unable to connect since. Logs show he connects to the server but nothing past that. No fail reason given. So basically he isn’t authenticating. Not sure the self-signed cert is the problem but it doesn’t seem to be a bad idea to use Let’s Encrypt regardless.
What is the proper way of allowing a program to read /etc/letsencrypt/live/xxx?
As a temp I have chowned root:ejabberd and chmoded 640. Seems like an ugly hack. I’m sure servers like Apache and others don’t run as root.
> He upgraded his Mac and has been unable to connect since.
I know nothing about ejabberd and you may have already sorted this out. Since he can connect to your server this is probably not helpful. I’ve had Macs for years and they are notorious for jacking with security settings with upgrades. Most of the time if I have had issues connecting after an upgrade it’s a key messed up or changed somehow in the known_hosts file.
I finally had time to run some debugging. They changed his proxy settings for one thing. At this point I’ve notified him but haven’t heard back yet.
More on point is I did find an ssl-cert group but only root and postgres are listed. No apache or other servers. I don’t know if this group is valid for Let’s Encrypt certs or not.
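
One way to avoid changing ownership inside /etc/letsencrypt, as an added example that is not from any poster in this thread: a certbot deploy hook that copies the renewed certificate and key into a directory readable only by root and the service's group. The group name ejabberd and the destination /etc/ejabberd/tls are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook giving a non-root service its own copy
# of the certificate, leaving /etc/letsencrypt itself root-only.
# Assumed names: group "ejabberd", destination /etc/ejabberd/tls.

# install_cert LINEAGE_DIR DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem (following the live/ symlinks) into
# DEST_DIR as mode 0640 with group GROUP. Returns 1, before creating
# anything, if either source file is missing or empty.
install_cert() {
    lineage=$1 dest=$2 group=$3
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    old_umask=$(umask)
    umask 077    # temp files start owner-only; never world-readable
    mkdir -p "$dest" && chgrp "$group" "$dest" && chmod 0750 "$dest" ||
        { umask "$old_umask"; return 1; }
    for f in fullchain.pem privkey.pem; do
        tmp="$dest/.$f.$$"
        # Copy to a temp name, set group and mode, then rename into place
        # so the service never sees a half-written or wrongly-owned file.
        cp -L "$lineage/$f" "$tmp" && chgrp "$group" "$tmp" &&
            chmod 0640 "$tmp" && mv -f "$tmp" "$dest/$f" ||
            { rm -f "$tmp"; umask "$old_umask"; return 1; }
    done
    umask "$old_umask"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) when it
# runs deploy hooks; outside certbot this block is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" /etc/ejabberd/tls ejabberd || exit 1
    # Reload or restart the service here so it picks up the new files.
fi
```

Certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal; the service's configuration then points at the copied files rather than at the live/ directory.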