[FR/EN] Diaspora doesn't know where your certificate authorities are

Hello friends,

Here I am back after a few months of trouble. My server was blocked by my host (IONOS) because of a security breach on my vps. I did’nt manage to find the flaw so I decided to reinstall everything after of course taking care to make a backup of my bdd mariadb. Everything seems correct I recreated a Letsencrypt certificate but nevertheless I have an error message telling me :
“FATAL: Diaspora doesn’t know where your certificate authorities are. Please ensure they are set to a valid path in diaspora.yml” when i launch the line RAILS_ENV=production bundle exec rake db:create db:migrate

Best regards from Normandy ^^

-------------------------------- FR --------------------------------

Salut les ami(e)s,

Me voila de retour après quelques mois de galère. Mon serveur était bloqué par mon hébergeur (IONOS) à cause d’une brèche de sécurité sur mon vps.Me voila de retour après quelques mois de galère. Mon serveur était bloqué par mon hébergeur à cause d’une brèche de sécurité sur mon vps.
Je n’ai pas réussi à trouver la faille j’ai donc décidé de tout réinstaller après avoir bien entendu pris soin de faire un backup de ma bdd mariadb. Tout me semble correcte j’ai recréé un certificat Letsencrypt mais néanmoins j’ai un message d’erreur qui me dit :
Diaspora ne sait pas où se trouvent vos autorités de certification. Veuillez vous assurer qu’elles sont placées sur un chemin valide dans diaspora.yml” quand je lance la commande de migration de la bdd

Par avance merci de votre aide. Amitié de la Normandie ^^

Did you do that? https://github.com/diaspora/diaspora/blob/develop/config/diaspora.yml.example#L41-L47

The error has nothing to do with your own letsencrypt cert, it’s about how diaspora can verify if other certs are valid or not, so you need to configure where your OS has stored the CA.

1 Like

Hi Benjamin,

Thanks for your answer, indeed, I found what was wrong with your indications and my site is functional again !! Youhouuu !!

Many thanks Ben :slight_smile:

Hello,

I am also having this issue. The link above (Did you do that? …) is no longer valid. Is there a replacement link, or perhaps an example of the problem lines and the solution lines you could post?

Here is the complete error:

***** BEGIN TERMINAL OUTPUT *****

[diaspora@diaspora-pod001 diaspora]$ RAILS_ENV=production bundle exec rake db:create db:migrate
WARNING: Namespace production not found in /home/diaspora/diaspora/config/diaspora.yml
FATAL: Diaspora doesn’t know where your certificate authorities are. Please ensure they are set to a valid path in diaspora.yml
[diaspora@diaspora-pod001 diaspora]$

***** END TERMINAL OUTPUT *****

6 posts were split to a new topic: Ident authentication for user diaspora failed

Here is my diaspora.yml document:

***** BEGIN DOCUMENT COPY *****

## Some notes about this file:
## - All comments start with a double #
## - All settings are commented out with a single #
##   To change the default settings, you need both to uncomment the lines
##   AND, in most cases, to change the value that is given.
## - Take care to keep proper indentation, that is by simply deleting
##   the original #, with no additional space before the setting's name.
## - Take care to keep proper quoting. All ' must have a matching ' at
##   the end of the same line. The same goes for "
## - Lines containing "## Section" are section headings. Do not edit them!
## - Lists need the space after the -
## - The values true, false and numbers should have no quote marks.
##   Single words don't need quote marks, but it doesn't do any harm to have them.
##
## You can set and/or override all these settings through environment variables
## with the following conversion rules:
## - Strip the top level namespace (configuration, production, etc.)
## - Build the path to the setting, for example environment.s3.enable
## - Replace the dots with underscores: environment_s3_enable
## - Convert to upper case: ENVIRONMENT_S3_ENABLE
## - Specify lists/arrays as comma-separated values
##
## - For example, on Heroku:
##   heroku config:set SERVICES_TWITTER_KEY=yourkey SERVICES_TWITTER_SECRET=yoursecret

  configuration: ## Section

  ## You need to change or at least review the settings in this section
  ## in order for your pod to work.
  environment: ## Section

    ## Set the hostname of the machine you're running Diaspora on, as seen
    ## from the internet. This should be the URL you want to use to
    ## access the pod. So if you plan to use a reverse proxy, it should be
    ## the URL the proxy listens on. DO NOT CHANGE THIS AFTER INITIAL SETUP!
    ## However changing http to https is okay and has no consequences.
    ## If you do change the URL, you will have to start again as the URL
    ## will be hardcoded into the database.
    #url: "https://example.org/"
    url: "https://diaspora.[THIS URL HAS BEEN REDACTED]"
    ## Set the bundle of certificate authorities (CA) certificates.
    ## This is specific to your operating system.
    ## Examples (uncomment the relevant one or add your own):
    ## For Debian, Ubuntu, Archlinux, Gentoo (package ca-certificates):
    #certificate_authorities: '/etc/ssl/certs/ca-certificates.crt'
    ## For CentOS, Fedora:
    certificate_authorities: '/etc/pki/tls/certs/ca-bundle.crt'

    ## URL for a remote Redis (default=localhost).
    ## Don't forget to restrict IP access if you uncomment these!
    #redis: 'redis://example_host'
    #redis: 'redis://username:password@host:6379/0'
    #redis: 'unix:///tmp/redis.sock'

    ## Require SSL (default=true).
    ## When set, your pod will force the use of HTTPS in production mode.
    ## Since OAuth2 requires SSL, Diaspora's future API might not work if
    ## you're not using SSL. Also there is no guarantee that posting to
    ## services will be possible if SSL is disabled.
    ## Do not change this default unless you are sure!
    require_ssl: true

    ## Single-process mode (default=false).
    ## If set to true, Diaspora will work with just the appserver (Unicorn by
    ## default) running. However, this makes it quite slow as intensive jobs
    ## must be run all the time inside the request cycle. We strongly
    ## recommended you leave this disabled for production setups.
    ## Set to true to enable.
    #single_process_mode: false

    ## Sidekiq - background processing
    sidekiq: ## Section

      ## Number of parallel threads Sidekiq uses (default=5).
      ## If you touch this, please set the pool setting in your database.yml
      ## to a value that's at minimum close to this! You can safely increase
      ## it to 25 and more on a medium-sized pod. This applies per started
      ## Sidekiq worker, so if you set it to 25 and start two workers, you'll
      ## process up to 50 jobs in parallel.
      #concurrency: 5

      ## Number of times a job is retried (default=10).
      ## There's an exponential effect to this: if you set this too high you
      ## might get too many jobs building up in the queue.
      ## Set it to 0 to disable it completely.
      #retry: 10

      ## Lines of backtrace that are stored on failure (default=15).
      ## Set n to the required value. Set this to false to reduce Redis memory
      ## usage (and log size) if you're not interested in this data.
      #backtrace: 15

      ## Number of jobs to keep in the dead queue (default=5000).
      ## Jobs get into the dead queue after they failed and exhausted all retries.
      ## Increasing this setting will increase the memory usage of Redis.
      ## Once gone from the dead queue, a failed job is permanently lost and
      ## cannot be retried manually.
      # dead_jobs_limit: 1000

      ## Number of seconds a job remains in the dead queue (default=3628800 (six weeks)).
      ## Jobs get into the dead queue after they failed and exhausted all retries.
      ## Increasing this setting will increase the memory usage of Redis.
      ## Once gone from the dead queue, a failed job is permanently lost and
      ## cannot be retried manually.
      # dead_jobs_timeout: 15552000 # 6 months

      ## Log file for Sidekiq (default="log/sidekiq.log")
      #log: "log/sidekiq.log"

    ## Use Amazon S3 instead of your local filesystem
    ## to handle uploaded pictures (disabled by default).
    s3: ## Section

      #enable: true
      #key: 'change_me'
      #secret: 'change_me'
      #bucket: 'my_photos'
      #region: 'us-east-1'

      ## Use max-age header on Amazon S3 resources (default=true).
      ## When true, this allows locally cached images to be served for up to
      ## one year. This can improve load speed and save requests to the image
      ## host. Set to false to revert to browser defaults (usually less than
      ## one year).
      #cache : true

    ## Set redirect URL for an external image host (Amazon S3 or other).
    ## If hosting images for your pod on an external server (even your own),
    ## add its URL here. All requests made to images under /uploads/images
    ## will be redirected to https://yourhost.tld/uploads/images/
    #image_redirect_url: 'https://images.example.org'

    assets: ## Section

      ## Serve static assets via the appserver (default=false).
      ## This is highly discouraged for production use. Let your reverse
      ## proxy/webserver do it by serving the files under public/ directly.
      #serve: false

      ## Upload your assets to S3 (default=false).
      #upload: false

      ## Specify an asset host. Ensure it does not have a trailing slash (/).
      #host: http://cdn.example.org/diaspora

    ## Pubsub server (default='https://pubsubhubbub.appspot.com/').
    ## Diaspora is only tested against the default pubsub server.
    ## You probably don't want to uncomment or change this.
    #pubsub_server: 'https://pubsubhubbub.appspot.com/'

    ## Logger configuration
    logging: ## Section

      logrotate: ## Section

        ## Roll the application log on a daily basis (default=true).
        #enable: true

        ## The number of days to keep (default=7)
        #days: 7

      ## Debug logging
      debug: ## Section

        ## Enables the debug-logging for SQL (default=false)
        ## This logs every SQL-statement!
        #sql: true

        ## Enables the federation-debug-log (default=false)
        ## This logs all XMLs that are used for the federation
        #federation: true

  ## Settings affecting how ./script/server behaves.
  server: ## Section
    ## Where the appserver should listen to (default=unix:tmp/diaspora.sock)
    #listen: 'unix:tmp/diaspora.sock'
    #listen: 'unix:/run/diaspora/diaspora.sock'
    #listen: '127.0.0.1:3000'

    ## Set the path for the PID file of the unicorn master process (default=tmp/pids/web.pid)
    #pid: 'tmp/pids/web.pid'

    ## Rails environment (default='development').
    ## The environment in which the server should be started by default.
    ## Change this to 'production' if you wish to run a production environment.
    #rails_environment: 'development'
    rails_environment: 'production'

    ## Write unicorn stderr and stdout log.
    #stderr_log: 'log/unicorn-stderr.log'
    #stdout_log: 'log/unicorn-stdout.log'

    ## Number of Unicorn worker processes (default=2).
    ## Increase this if you have many users.
    #unicorn_worker: 2

    ## Number of seconds before a request is aborted (default=90).
    ## Increase if you get empty responses, or if large image uploads fail.
    ## Decrease if you're under heavy load and don't care if some
    ## requests fail.
    #unicorn_timeout: 90

    ## Embed a Sidekiq worker inside the unicorn process (default=false).
    ## Useful for minimal Heroku setups.
    #embed_sidekiq_worker: false

    ## Number of Sidekiq worker processes (default=1).
    ## In most cases it is better to
    ## increase environment.sidekiq.concurrency instead!
    #sidekiq_workers: 1

  ## Diaspora has an internal XMPP web-client. If you want to enable the chat
  ## functionality or want to use a custom XMPP server, then you should edit
  ## the following configuration.
  chat: ## Section

    ## Enable the chat service and all its components.
    ##
    ## Please make sure that you followed the Installation-Instructions first:
    ## https://wiki.diasporafoundation.org/Integration/Chat#Installation.2FUpdate
    #enabled: true

    ## Custom XMPP server configuration goes here.
    server: ## Section

      ## Use the configuration bridge to prosody (default=true).
      ## In case you want to run your own server or want to configure
      ## prosody on your own, you should disable it.
      #enabled: false

      ## Set the directory in which to look for virtual hosts TLS certificates.
      #certs: 'config/certs'

      ## XEP-0124 BOSH requests
      ## The easiest way of avoiding certificate and mixed-content issues
      ## is to use a proxy, e.g.:
      ##
      ## Apache: https://wiki.diasporafoundation.org/Integration/Chat#Apache2
      ## Nginx: https://wiki.diasporafoundation.org/Integration/Chat#Nginx
      ##
      ## If you configured your proxy correctly,
      ## you should set the proxy option to 'true'
      bosh: ## Section

        ## If you'd like to use a proxy, you should set the proxy
        ## option to true, otherwise jsxc always tries to
        ## connect directly to the port specified below.
        #proxy: true

        ## Configure the protocol used to access the BOSH endpoint
        #proto: http

        ## Configure the address that prosody should listen on.
        #address: '0.0.0.0'

        ## Configure the BOSH port.
        #port: 5280

        ## Configure the bind endpoint.
        #bind: '/http-bind'

      ## Specify log behaviour here.
      log: ## Section

        ## Log file location.
        #info: 'log/prosody.log'

        ## Error log file location.
        #error: 'log/prosody.err'

        ## The debug level logs all XML sent and received by the server.
        #debug: false

  ## Displays the location of a post in a map. Per default we are using the map
  ## tiles of the Heidelberg University (http://giscience.uni-hd.de).
  ## You also have the possibility to use the map tiles of https://www.mapbox.com
  ## which is probably more reliable. There you have to create an account to get
  ## an access token which is limited. If you want to get an unlimited account
  ## you can write an email to team@diasporafoundation.org.
  ## Please enable mapbox and fill out your access_token.
  map: ##Section

    mapbox:
      #enabled: false
      #access_token: "youraccesstoken"
      #style: "mapbox/streets-v9"

  ## Settings potentially affecting the privacy of your users.
  privacy: ## Section

    ## Include jQuery from jquery.com's CDN (default=false).
    ## Enabling this can reduce traffic and speed up load time since most
    ## clients already have this one cached. When set to false (the default),
    ## the jQuery library will be loaded from your pod's own resources.
    #jquery_cdn: false

    ## Google Analytics (disabled by default).
    ## Provide a key to enable tracking by Google Analytics.
    #google_analytics_key:

    ## Piwik Tracking (disabled by default).
    ## Provide a site ID and the host piwik is running on to enable
    ## tracking through Piwik.
    piwik: ## Section

      #enable: true
      #host: 'stats.example.org'
      #site_id: 1

    ## Statistics
    ## Your pod will report its name, software version and whether
    ## or not registrations are open via /statistics and NodeInfo.
    ## Uncomment the options below to enable more statistics.
    statistics: ## Section

      ## Local user total and 6 month active counts.
      #user_counts: true

      ## Local post total count.
      #post_counts: true
      #comment_counts: true

    ## Use Camo to proxy embedded remote images.
    ## Do not enable this setting unless you have a working Camo setup. Using
    ## camo to proxy embedded images will improve the privacy and security of
    ## your pod's frontend, but it will increase the traffic on your server.
    ## Check out https://wiki.diasporafoundation.org/Installation/Camo for
    ## more details and installation instructions.
    camo: ## Section

      ## Proxy images embedded via markdown (default=false).
      ## Embedded images are quite often from non-SSL sites and may cause a
      ## partial content warning, so this is recommended.
      #proxy_markdown_images: true

      ## Proxy Open Graph thumbnails (default=false).
      ## Open Graph thumbnails may or may not be encrypted and loaded from
      ## servers outside the network. Recommended.
      #proxy_opengraph_thumbnails: true

      ## Proxy remote pod's images (default=false).
      ## Profile pictures and photos from other pods usually are encrypted,
      ## so enabling this is only useful if you want to avoid HTTP requests to
      ## third-party servers. This will create a lot of traffic on your camo
      ## instance. You have been warned.
      #proxy_remote_pod_images: true

      ## Root of your Camo installation
      #root: "https://example.com/camo/"

      ## Shared key of your Camo installation
      #key: "example123example456example!"

  ## General settings
  settings: ## Section

    ## Pod name (default="diaspora*")
    ## The pod name displayed in various locations, including the header.
    #pod_name: "diaspora*"

    ## Allow registrations (default=true)
    ## Set this to false to prevent people from signing up to your pod
    ## without an invitation. Note that this needs to be set to true
    ## (or commented out) to enable the first registration (you).
    #enable_registrations: true

    ## Auto-follow on sign-up (default=true)
    ## Users will automatically follow a specified account on creation.
    ## Set this to false if you don't want your users to automatically
    ## follow an account upon creation.
    #autofollow_on_join: true

    ## Auto-follow account (default='hq@pod.diaspora.software')
    ## The diaspora* HQ account keeps users up to date with news about Diaspora.
    ## If you set another auto-follow account (for example your podmin account),
    ## please consider resharing diaspora* HQ's posts for your pod's users!
    #autofollow_on_join_user: 'hq@pod.diaspora.software'

    ## Welcome Message settings
    welcome_message: ##Section

      ## Welcome Message on registration (default=false)
      ## Send a message to new users after registration
      ## to tell them about your pod and how things
      ## are handled on it.
      #enabled: false

      ## Welcome Message subject (default='Welcome Message')
      ## The subject of the conversation that is started
      ## by your welcome message.
      #subject: "Welcome Message"

      ## Welcome Message text (default='Hello %{username}, welcome to diaspora.')
      ## The content of your welcome message.
      ## The placeholder "%{username}" will be replaced by the username
      ## of the new user.
      #text: "Hello %{username}, welcome to diaspora."

    ## Invitation settings
    invitations: ## Section

      ## Enable invitations (default=true)
      ## Set this to false if you don't want users to be able to send invites.
      #open: true

      ## Number of invitations per invite link (default=25)
      ## Every user will see such a link if you have enabled
      ## invitations on your pod.
      #count: 25

    ## Paypal donations (disabled by default)
    ## You can set details for a Paypal button here to allow donations
    ## towards running the pod.
    ## First, enable the function, then set the currency in which you
    ## wish to receive donations, and **either** a hosted button id
    ## **or** an encrypted key for an unhosted button.
    paypal_donations: ## Section
      #enable: false

      ## Currency used (USD, EUR...)
      #currency: USD

      ## hosted Paypal button id
      #paypal_hosted_button_id: "change_me"
      ## OR encrypted key of unhosted button
      #paypal_unhosted_button_encrypted: "-----BEGIN PKCS7-----"

    ## Liberapay.com is a free platform which allow donations like patreon
    ## Set your username to include your liberapay button
    # liberapay_username: "change_me"

    ## Bitcoin donations
    ## You can provide a bitcoin address here to allow your users to provide
    ## donations towards the running of their pod.
    #bitcoin_address: "change_me"

    ## Community spotlight (disabled by default)
    ## The community spotlight shows new users public posts from people you
    ## think are interesting in Diaspora's community. To add an account
    ## to the community spotlight add the 'spotlight' role to it.
    community_spotlight: ## Section

      #enable: true

      ## E-mail address to which users can make suggestions about who
      ## should be in the community spotlight (optional).
      #suggest_email: 'admin@example.org'

    ## CURL debug (default=false)
    ## Turn on extra verbose output when sending stuff. Note: you
    ## don't need to touch this unless explicitly told to.
    #typhoeus_verbose: false

    ## Maximum number of parallel HTTP requests made to other pods (default=20)
    ## Be careful, raising this setting will heavily increase the memory usage
    ## of your Sidekiq workers.
    #typhoeus_concurrency: 20

    ## Maximum number of parallel user data export jobs (default=1)
    ## Be careful, exports of big/old profiles can use a lot of memory, running
    ## many of them in parallel can be a problem for small servers.
    #export_concurrency: 1

    ## Captcha settings
    captcha: ## Section

      ## Enable captcha (default=true)
      ## Set this to false if you don't want to use captcha for signup process.
      #enable: true

      ## Captcha image size (default='120x20')
      #image_size: '120x20'

      ## Length of captcha text (default=5)(max=12)
      #captcha_length: 5

      ## Captcha image style (default='simply_green')
      ## Available options for captcha image styles are: 'simply_blue',
      ## 'simply_red' 'simply_green', 'charcoal_grey', 'embossed_silver',
      ## 'all_black', 'distorted_black', 'almost_invisible', 'random'.
      #image_style: 'simply_green'

      ## Captcha image distortion (default='low')
      ## Sets the level of image distortion used in the captcha.
      ## Available options are: 'low', 'medium', 'high', 'random'.
      #distortion: 'low'

    ## Terms of Service
    ## Show a default or customized terms of service for users.
    ## You can create a custom Terms of Service by placing a template
    ## as app/views/terms/terms.haml or app/views/terms/terms.erb
    ## The default terms of service that can be extended is
    ## at app/views/terms/default.haml
    ## NOTE! The default terms have not been checked over by a lawyer and
    ## thus are unlikely to provide full legal protection for all situations
    ## for a podmin using them. They are also not specific to all countries
    ## and jurisdictions. If you are unsure, please check with a lawyer.
    ## We provide these for podmins as some basic rules that podmins
    ## can communicate to users easily via the diaspora* server software.
    ## Uncomment to enable this feature.
    terms: ## Section

      ## First enable it by uncommenting below.
      #enable: true

      ## Important! If you enable the terms, you should always
      ## set a location under which laws any disputes are governed
      ## under. For example, country or state/country, depending
      ## on the country in question.
      ## If this is not set, the whole paragraph about governing
      ## laws *is not shown* in the terms page.
      #jurisdiction: ""

      ## Age limit for signups.
      ## Set a number to activate this setting. This age limit is shown
      ## in the default ToS document.
      #minimum_age: false

    ## Maintenance
    ## Various pod maintenance related settings are controlled from here.
    maintenance: ## Section

      ## Removing old inactive users can be done automatically by background
      ## processing. The amount of inactivity is set by `after_days`. A warning
      ## email will be sent to the user and after an additional `warn_days`, the
      ## account will be automatically closed.
      ## This maintenance is not enabled by default.
      remove_old_users: ## Section

        #enable: true
        #after_days: 730
        #warn_days: 30

        ## Limit queuing for removal per day.
        #limit_removals_to_per_day: 100

    ## Source code URL
    ## URL to the source code your pod is currently running.
    ## If not set your pod will provide a downloadable archive.
    #source_url: 'https://example.org/username/diaspora'

    ## Changelog URL
    ## URL to the changelog of the diaspora-version your pod is currently running.
    ## If not set an auto-generated url to github is used.
    #changelog_url: "https://github.com/diaspora/diaspora/blob/master/Changelog.md"

    ## Default color theme
    ## You can change which color theme is displayed when a user is not signed in
    ## or has not selected any color theme from the available ones. You simply have
    ## to enter the name of the theme's folder in "app/assets/stylesheets/color_themes/".
    ## ("original" for the theme in "app/assets/stylesheets/color_themes/original/", for
    ## example).
    #default_color_theme: "original"

    ## Default meta tags
    ## You can change here the default meta tags content included on the pages of your pod.
    ## Title will be used for the opengraph og:site_name property while description will be used
    ## for description and og:description.
    default_metas:
      #title: 'diaspora* social network'
      #description: 'diaspora* is the online social world where you are in control.'

    ## CSP (Content Security Policy) header
    ## CSP allows limiting origins from where resources are allowed to be loaded. This
    ## improves security, since it helps to detect and mitigate cross-site scripting
    ## and data injection attacks. The default policy of diaspora* allows all third
    ## party domains from services that are included in diaspora*, like OEmbed
    ## scripts, so you can safely activate it by setting `report_only` to false. If
    ## you customized diaspora* (edited templates or added own JS), additional work
    ## may be required. You can test the policy with the `report_uri`. Our default CSP
    ## does not work with Google analytics or Piwik, because they inject JS code that
    ## is blocked by CSP.
    csp:

      ## Report-Only header (default=true)
      ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
      ## this to false, the "Content-Security-Policy" header is added instead.
      #report_only: false

      ## CSP report URI (default=)
      ## You can set an URI here, where the user agent reports violations as JSON document via a POST request.
      #report_uri: "/csp_violation_reports"

  ## Posting from Diaspora to external services (all are disabled by default).
  services: ## Section

    ## OAuth credentials for Twitter
    twitter: ## Section

      #enable: true
      #key: 'abcdef'
      #secret: 'change_me'

    ## OAuth credentials for Tumblr
    tumblr: ## Section

      #enable: true
      #key: 'abcdef'
      #secret: 'change_me'

    ## OAuth credentials for Wordpress
    wordpress: ## Section

      #enable: true
      #client_id: 'abcdef'
      #secret: 'change_me'

  ## Allow your pod to send emails for notifications, password recovery
  ## and other purposes (disabled by default).
  mail: ## Section

    ## First you need to enable it.
    #enable: true

    ## Sender address used in mail sent by Diaspora.
    #sender_address: 'no-reply@example.org'

    ## This selects which mailer should be used. Use 'smtp' for a smtp
    ## connection or 'sendmail' to use the sendmail binary.
    #method: 'smtp'

    ## Ignore if method isn't 'smtp'.
    smtp: ## Section

      ## Host and port of the smtp server handling outgoing mail.
      ## This should match the common name of the certificate sent by
      ## the SMTP server, if it sends one. (default port=587)
      #host: 'smtp.example.org'
      #port: 587

      ## Authentication required to send mail (default='plain').
      ## Use one of 'plain', 'login' or 'cram_md5'. Use 'none'
      ## if server does not support authentication.
      #authentication: 'plain'

      ## Credentials to log in to the SMTP server.
      ## May be necessary if authentication is not 'none'.
      #username: 'change_me'
      #password: 'change_me'

      ## Automatically enable TLS (default=true).
      ## Leave this commented out if authentication is set to 'none'.
      #starttls_auto: true

      ## The domain for the HELO command, if needed.
      #domain: 'smtp.example.org'

      ## OpenSSL verify mode used when connecting to a SMTP server with TLS.
      ## Set this to 'none' if you have a self-signed certificate. Possible
      ## values: 'none', 'peer'.
      #openssl_verify_mode: 'none'

    ## Ignore if method isn't 'sendmail'
    sendmail: ## Section

      ## The path to the sendmail binary (default='/usr/sbin/sendmail')
      #location: '/usr/sbin/sendmail'

      ## Use exim and sendmail (default=false)
      #exim_fix: false

  ## Administrator settings
  admins: ## Section

    ## Set the admin account.
    ## This doesn't make the user an admin but is used when a generic
    ## admin contact is needed, much like the postmaster role in mail
    ## systems. Set only the username, NOT the full ID.
    #account: "podmaster"

    ## E-mail address to contact the administrator.
    #podmin_email: 'podmin@example.org'

  ## Settings related to relays
  relay: ## Section

    ## Relays are applications that exist to push public posts around to
    ## pods which want to subscribe to them but would not otherwise
    ## receive them due to not having direct contact with the remote pods.
    ##
    ## See more regarding relays: https://wiki.diasporafoundation.org/Relay_servers_for_public_posts

    outbound: ## Section
      ## Enable this setting to send out public posts from this pod to a relay
      #send: false
      ## Change default remote relay url used for sending out here
      #url: 'https://relay.iliketoast.net/receive/public'

    inbound: ## Section
      ## Enable this to receive public posts from relays
      #subscribe: false

      ## Scope is either 'all' or 'tags' (default).
      ## - 'all', means this pod wants to receive all public posts from a relay
      ## - 'tags', means this pod wants only posts tagged with certain tags
      #scope: tags

      ## If scope is 'tags', should we include tags that users on this pod follow?
      ## These are added in addition to 'pod_tags', if set.
      #include_user_tags: false

      ## If scope is 'tags', a comma separated list of tags here can be set.
      ## For example "linux,diaspora", to receive posts related to these tags
      #pod_tags:

## Here you can override settings defined above if you need
## to have them different in different environments.
production: ## Section
  environment: ## Section
    #redis: 'redis://production.example.org:6379'

development: ## Section
  environment: ## Section
    #redis: 'redis://production.example.org:6379'

***** END DOCUMENT COPY *****

This should be correct for CentOS, so I don’t know why it isn’t working. Can you check if the file exists?

Hello,

Here is the terminal output:

***** BEGIN TERMINAL OUTPUT ***

[diaspora@diaspora-pod001 diaspora]$ ls -al /etc/pki/tls/certs
total 4
drwxr-xr-x. 2 root root 75 Nov 8 11:03 .
drwxr-xr-x. 5 root root 104 Nov 8 09:56 …
lrwxrwxrwx. 1 root root 49 Aug 11 16:38 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Aug 11 16:38 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-rw-r–r--. 1 root root 4054 Nov 8 11:04 localhost.crt
[diaspora@diaspora-pod001 diaspora]$ ls -al /etc/pki/ca-trust/extracted/pem/
total 376
drwxr-xr-x. 2 root root 101 Nov 8 10:04 .
drwxr-xr-x. 6 root root 70 Nov 8 09:56 …
-r–r--r–. 1 root root 163655 Nov 8 10:04 email-ca-bundle.pem
-r–r--r–. 1 root root 0 Nov 8 10:04 objsign-ca-bundle.pem
-rw-r–r--. 1 root root 898 Aug 11 16:36 README
-r–r--r–. 1 root root 216090 Nov 8 10:04 tls-ca-bundle.pem
[diaspora@diaspora-pod001 diaspora]$

***** END TERMINAL OUTPUT *****

I also ‘cat /etc/pki/tls/certs/ca-bundle.crt’ and it does have several certs in it.

Oh, it looks like your

  configuration: ## Section

line has two spaces in front of it, this shouldn’t be there. Just keep the indentation the same as in the example.