-rw-r--r-- | _posts/2023-06-25-ejabberd-setup.md | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/_posts/2023-06-25-ejabberd-setup.md b/_posts/2023-06-25-ejabberd-setup.md new file mode 100644 index 0000000..c1267fc --- /dev/null +++ b/_posts/2023-06-25-ejabberd-setup.md 
@@ -0,0 +1,124 @@ +--- +layout: post +title: Tech Adventures - Setting up ejabberd under Debian +date: 2023-06-25 15:25 +0200 +categories: tech +lang: en +--- + +Preliminary +----------- + +**Important** This is *not* intended to be an installation guide. Just the +description of my journey. If you're actually looking for sane information on +how to setup ejabberd, you should maybe look somewhere else. (See bottom of +this post for a link to German instructions.) + +The journey begins +------------------ + +Recently, I had the urge to set up a messaging server. Actually, I wanted to go +with one of the [Matrix](https://matrix.org/) servers. But "to get started", I +decided to set up [ejabberd](https://ejabberd.im) first. + +Why ejabberd? I tried to set up Prosody quite some time ago, probably before The +Pandemic hit. I don't remember it too fondly. I may have gotten better in the +meantime. + +The process was done on a recently updated Debian Bookworm. I wanted to figure +things out by myself as much as possible. + +- First off: Add the necessary DNS records. The + [Prosody Docs](https://prosody.im/doc/dns) were the first thing I found. + I skipped the TLS-only stuff. +- `apt install ejabberd` +- `ejabberdctl register <adminuser> <domain> <password>` + - Error message that the domain was not found? huh? + - `nano /etc/ejabberd/ejabberd.yml` and add my domain to + the `hosts` lists. + - Reload or restart the service + - Repeat the command. Success! Yay! +- Take a look at the web interface: https://127.0.0.1:5280. + - Log in with the created user. It fails. + - Append the `@domain` part, as the user name alone won't do it. + It works. Yay. + - "Man, I wouldn't have thought this was gonna be so easy! Hah!". + - Little did I know... +- Use [acme.sh](https://github.com/acmesh-official/acme.sh) to generate the + certificates. See the instructions in their readme. 
+ - My setup was somewhat more complicated since I am already running a web + server on the machine running ejabberd. If I didn't run a web server there, I + could've used the built-in acme plugin in ejabberd. Shoot :( I ended up using + the automated DNS mode. + - I naively started with the domains uvok.de and xmpp.uvok.de. The latter wouldn't + even be used actively. It was just so I could distinguish the certificate files. +- I started out installing the certificates in `/etc/ejabberd/certs/`. + However, I was getting warning messages on service startup + that the certificates were empty ("... Permission error?"). + Upon pondering on this, I decided to put the certificates in + `/var/lib/ejabberd/certs/`. This is the "home" directory of + the ejabberd user. Access problems solved. (1) +- Getting an warning message + `Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA` + on server startup. This puzzled me a lot. + - Line 57 was the line where the actual server certificate started. + The lines above were the Let's Encrypt X1 root and the R3 intermediate. + See [their docs](https://letsencrypt.org/certificates/) for details. + - At this point, I also tried some `openssl verify` calls on the PEM file itself. + But I didn't know the correct options to use (`-CAfile`, `-CApath`, `-untrusted`???). +- As an intermediate step, I tried setting the `ca_file` config value + in `ejabberd.yml`. The warning was gone. Yay. + - But then I realized I forgot to add some subdomains to the cert. + So I added them (reissue, reinstall, restart). Suddenly, the warning was back. :( + - For my setup, I added the `xmpp.<dom>`, `pubsub.<dom>`, `conference.<dom>` domains, + where `<dom>` is `uvok.de`. +- **However**. I then realized that setting `ca_file` was properly not a good idea. + This would *probably* prevent me from contacting servers not using Let's Encrypt. + So I removed the setting. 
+ - specifically, I explicitly set it to + `ca_file: '/etc/ssl/certs/ca-certificates.crt'`. I don't know yet if this is necessary. +- Add an exception to the firewall. (`ufw allow XMPP`). +- These warnings made me nervous. So I decided to check the actual TLS connection from my PC. + - I know I could do `openssl s_client -starttls xmpp (server)`. But this didn't return a certificate. + - From HTTPS, I know to send the `-servername`. But this option didn't help. + - Upon some searching, I found the correct magic incantation was + `openssl s_client -xmpphost uvok.de -starttls xmpp -connect srv.uvok.de:5222`. + This was necessary due to the fact that uvok.de is a different machine than the XMPP server. +- Finally, I created a user account. Again, on command line. + The Debian install has very sane and safe defaults. It disables registrations via XMPP + clients by default. Exactly what I want :). + Also, MUC ("Group Chats") creation is limited to server members. +- Opened up Gajim, added the account. It worked. Yay! +- Next up, I still have a stale account on jabber.org, so to check whether + server-to-server connections work, I added my old account as a contact. And this worked as well. + +(1) The final config section is + + certfiles: + - /var/lib/ejabberd/certs/fullchain.pem + - /var/lib/ejabberd/certs/key.pem + +Current state of my server +-------------------------- + +- The warning + `Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA` + still appears on server start. Shoot. But I don't know what to do about it. +- vCards with Gajim don't seem to be working. I have no idea why. +- I don't particularly care for file exchange / upload. For that, I would need to add another + subdomain and twiddle with the config, I guess. 
+ +Final remark +------------ + +For a **German** guide on how to setup ejabberd, you may want to look +at the [Kuketz Blog](https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/). +I only found this blog post after I was mostly finished with my setup. + +<hr/> + +Thanks also for all the people who helped me during setup on Mastodon <3. +I don't know if they want to be named / listed here, so I rather won't. + +<hr/> + |
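Review bot: the `ca_file` bullets contradict each other: the post first says the setting was removed ("So I removed the setting") and the very next sub-bullet says it was explicitly set to `/etc/ssl/certs/ca-certificates.crt`; say which one the final configuration actually carries, because footnote (1) shows only the `certfiles` list and no `ca_file` line, so a reader cannot tell from the page. Two further points a reader would want before copying this setup: moving the certificates to `/var/lib/ejabberd/certs/` is described as solving the "Permission error?" warning, but the post never states what mode `key.pem` ended up with, and it should be readable only by the ejabberd user (the move should not be taken as licence for a world-readable key). And the persistent `certificate is signed by unknown CA ... at line 57` warning is reported for the server certificate while the post says the ISRG Root X1 and R3 certificates sit above it in the file; a fullchain file as acme.sh writes it has the leaf first and the intermediates after it, so it would help to state how the installed `fullchain.pem` was assembled (which acme.sh `--install-cert` options, or a manual concatenation) before the reader goes looking at the trust bundle.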