summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--_posts/2023-06-25-ejabberd-setup.md124
1 files changed, 124 insertions, 0 deletions
diff --git a/_posts/2023-06-25-ejabberd-setup.md b/_posts/2023-06-25-ejabberd-setup.md
new file mode 100644
index 0000000..c1267fc
--- /dev/null
+++ b/_posts/2023-06-25-ejabberd-setup.md
@@ -0,0 +1,124 @@
+---
+layout: post
+title: Tech Adventures - Setting up ejabberd under Debian
+date: 2023-06-25 15:25 +0200
+categories: tech
+lang: en
+---
+
+Preliminary
+-----------
+
+**Important** This is *not* intended to be an installation guide. Just the
+description of my journey. If you're actually looking for sane information on
+how to setup ejabberd, you should maybe look somewhere else. (See bottom of
+this post for a link to German instructions.)
+
+The journey begins
+------------------
+
+Recently, I had the urge to set up a messaging server. Actually, I wanted to go
+with one of the [Matrix](https://matrix.org/) servers. But "to get started", I
+decided to set up [ejabberd](https://ejabberd.im) first.
+
+Why ejabberd? I tried to set up Prosody quite some time ago, probably before The
+Pandemic hit. I don't remember it too fondly. I may have gotten better in the
+meantime.
+
+The process was done on a recently updated Debian Bookworm. I wanted to figure
+things out by myself as much as possible.
+
+- First off: Add the necessary DNS records. The
+ [Prosody Docs](https://prosody.im/doc/dns) were the first thing I found.
+ I skipped the TLS-only stuff.
+- `apt install ejabberd`
+- `ejabberdctl register <adminuser> <domain> <password>`
+ - Error message that the domain was not found? huh?
+ - `nano /etc/ejabberd/ejabberd.yml` and add my domain to
+ the `hosts` lists.
+ - Reload or restart the service
+ - Repeat the command. Success! Yay!
+- Take a look at the web interface: https://127.0.0.1:5280.
+ - Log in with the created user. It fails.
+ - Append the `@domain` part, as the user name alone won't do it.
+ It works. Yay.
+ - "Man, I wouldn't have thought this was gonna be so easy! Hah!".
+ - Little did I know...
+- Use [acme.sh](https://github.com/acmesh-official/acme.sh) to generate the
+ certificates. See the instructions in their readme.
+ - My setup was somewhat more complicated since I am already running a web
+ server on the machine running ejabberd. If I didn't run a web server there, I
+ could've used the built-in acme plugin in ejabberd. Shoot :( I ended up using
+ the automated DNS mode.
+ - I naively started with the domains uvok.de and xmpp.uvok.de. The latter wouldn't
+ even be used actively. It was just so I could distinguish the certificate files.
+- I started out installing the certificates in `/etc/ejabberd/certs/`.
+ However, I was getting warning messages on service startup
+ that the certificates were empty ("... Permission error?").
+ Upon pondering on this, I decided to put the certificates in
+ `/var/lib/ejabberd/certs/`. This is the "home" directory of
+ the ejabberd user. Access problems solved. (1)
+- Getting an warning message
+ `Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA`
+ on server startup. This puzzled me a lot.
+ - Line 57 was the line where the actual server certificate started.
+ The lines above were the Let's Encrypt X1 root and the R3 intermediate.
+ See [their docs](https://letsencrypt.org/certificates/) for details.
+ - At this point, I also tried some `openssl verify` calls on the PEM file itself.
+ But I didn't know the correct options to use (`-CAfile`, `-CApath`, `-untrusted`???).
+- As an intermediate step, I tried setting the `ca_file` config value
+ in `ejabberd.yml`. The warning was gone. Yay.
+ - But then I realized I forgot to add some subdomains to the cert.
+ So I added them (reissue, reinstall, restart). Suddenly, the warning was back. :(
+ - For my setup, I added the `xmpp.<dom>`, `pubsub.<dom>`, `conference.<dom>` domains,
+ where `<dom>` is `uvok.de`.
+- **However**. I then realized that setting `ca_file` was properly not a good idea.
+ This would *probably* prevent me from contacting servers not using Let's Encrypt.
+ So I removed the setting.
+ - specifically, I explicitly set it to
+ `ca_file: '/etc/ssl/certs/ca-certificates.crt'`. I don't know yet if this is necessary.
+- Add an exception to the firewall. (`ufw allow XMPP`).
+- These warnings made me nervous. So I decided to check the actual TLS connection from my PC.
+ - I know I could do `openssl s_client -starttls xmpp (server)`. But this didn't return a certificate.
+ - From HTTPS, I know to send the `-servername`. But this option didn't help.
+ - Upon some searching, I found the correct magic incantation was
+ `openssl s_client -xmpphost uvok.de -starttls xmpp -connect srv.uvok.de:5222`.
+ This was necessary due to the fact that uvok.de is a different machine than the XMPP server.
+- Finally, I created a user account. Again, on command line.
+ The Debian install has very sane and safe defaults. It disables registrations via XMPP
+ clients by default. Exactly what I want :).
+ Also, MUC ("Group Chats") creation is limited to server members.
+- Opened up Gajim, added the account. It worked. Yay!
+- Next up, I still have a stale account on jabber.org, so to check whether
+ server-to-server connections work, I added my old account as a contact. And this worked as well.
+
+(1) The final config section is
+
+ certfiles:
+ - /var/lib/ejabberd/certs/fullchain.pem
+ - /var/lib/ejabberd/certs/key.pem
+
+Current state of my server
+--------------------------
+
+- The warning
+ `Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA`
+ still appears on server start. Shoot. But I don't know what to do about it.
+- vCards with Gajim don't seem to be working. I have no idea why.
+- I don't particularly care for file exchange / upload. For that, I would need to add another
+ subdomain and twiddle with the config, I guess.
+
+Final remark
+------------
+
+For a **German** guide on how to setup ejabberd, you may want to look
+at the [Kuketz Blog](https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/).
+I only found this blog post after I was mostly finished with my setup.
+
+<hr/>
+
+Thanks also for all the people who helped me during setup on Mastodon <3.
+I don't know if they want to be named / listed here, so I rather won't.
+
+<hr/>
+