From 828024be1e818a6f3ebed9116f512f670a63c99b Mon Sep 17 00:00:00 2001
From: uvok cheetah
Date: Sun, 25 Jun 2023 16:29:46 +0200
Subject: Add ejabberd post

---
 _posts/2023-06-25-ejabberd-setup.md | 124 ++++++++++++++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 _posts/2023-06-25-ejabberd-setup.md

diff --git a/_posts/2023-06-25-ejabberd-setup.md b/_posts/2023-06-25-ejabberd-setup.md
new file mode 100644
index 0000000..c1267fc
--- /dev/null
+++ b/_posts/2023-06-25-ejabberd-setup.md
@@ -0,0 +1,124 @@
+---
+layout: post
+title: Tech Adventures - Setting up ejabberd under Debian
+date: 2023-06-25 15:25 +0200
+categories: tech
+lang: en
+---
+
+Preliminary
+-----------
+
+**Important** This is *not* intended to be an installation guide. Just the
+description of my journey. If you're actually looking for sane information on
+how to setup ejabberd, you should maybe look somewhere else.  (See bottom of
+this post for a link to German instructions.)
+
+The journey begins
+------------------
+
+Recently, I had the urge to set up a messaging server.  Actually, I wanted to go
+with one of the [Matrix](https://matrix.org/) servers. But "to get started", I
+decided to set up [ejabberd](https://ejabberd.im) first.
+
+Why ejabberd? I tried to set up Prosody quite some time ago, probably before The
+Pandemic hit.  I don't remember it too fondly. I may have gotten better in the
+meantime.
+
+The process was done on a recently updated Debian Bookworm. I wanted to figure
+things out by myself as much as possible.
+
+- First off: Add the necessary DNS records. The
+  [Prosody Docs](https://prosody.im/doc/dns) were the first thing I found.
+  I skipped the TLS-only stuff.
+- `apt install ejabberd`
+- `ejabberdctl register <adminuser> <domain> <password>`
+  - Error message that the domain was not found? huh?
+  - `nano /etc/ejabberd/ejabberd.yml` and add my domain to
+    the `hosts` lists.
+  - Reload or restart the service
+  - Repeat the command. Success! Yay!
+- Take a look at the web interface: https://127.0.0.1:5280.
+  - Log in with the created user. It fails.
+  - Append the `@domain` part, as the user name alone won't do it.
+    It works. Yay.
+  - "Man, I wouldn't have thought this was gonna be so easy! Hah!".
+  - Little did I know...
+- Use [acme.sh](https://github.com/acmesh-official/acme.sh) to generate the
+  certificates. See the instructions in their readme.
+  - My setup was somewhat more complicated since I am already running a web
+    server on the machine running ejabberd. If I didn't run a web server there, I
+    could've used the built-in acme plugin in ejabberd. Shoot :( I ended up using
+    the automated DNS mode.
+  - I naively started with the domains uvok.de and xmpp.uvok.de. The latter wouldn't
+    even be used actively. It was just so I could distinguish the certificate files.
+- I started out installing the certificates in `/etc/ejabberd/certs/`.
+  However, I was getting warning messages on service startup
+  that the certificates were empty ("... Permission error?").
+  Upon pondering on this, I decided to put the certificates in
+  `/var/lib/ejabberd/certs/`. This is the "home" directory of
+  the ejabberd user. Access problems solved. (1)
+- Getting an warning message
+  `Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA`
+  on server startup. This puzzled me a lot.
+  - Line 57 was the line where the actual server certificate started.
+    The lines above were the Let's Encrypt X1 root and the R3 intermediate.
+    See [their docs](https://letsencrypt.org/certificates/) for details.
+  - At this point, I also tried some `openssl verify` calls on the PEM file itself.
+    But I didn't know the correct options to use (`-CAfile`, `-CApath`, `-untrusted`???).
+- As an intermediate step, I tried setting the `ca_file` config value
+  in `ejabberd.yml`. The warning was gone. Yay.
+  - But then I realized I forgot to add some subdomains to the cert.
+    So I added them (reissue, reinstall, restart). Suddenly, the warning was back. :(
+  - For my setup, I added the `xmpp.<dom>`, `pubsub.<dom>`, `conference.<dom>` domains,
+    where `<dom>` is `uvok.de`.
+- **However**. I then realized that setting `ca_file` was properly not a good idea.
+  This would *probably* prevent me from contacting servers not using Let's Encrypt.
+  So I removed the setting.
+  - specifically, I explicitly set it to
+    `ca_file: '/etc/ssl/certs/ca-certificates.crt'`. I don't know yet if this is necessary.
+- Add an exception to the firewall. (`ufw allow XMPP`).
+- These warnings made me nervous. So I decided to check the actual TLS connection from my PC.
+  - I know I could do `openssl s_client -starttls xmpp (server)`. But this didn't return a certificate.
+  - From HTTPS, I know to send the `-servername`. But this option didn't help.
+  - Upon some searching, I found the correct magic incantation was
+  `openssl s_client -xmpphost uvok.de -starttls xmpp  -connect srv.uvok.de:5222`.
+  This was necessary due to the fact that uvok.de is a different machine than the XMPP server.
+- Finally, I created a user account. Again, on command line.
+  The Debian install has very sane and safe defaults. It disables registrations via XMPP
+  clients by default. Exactly what I want :).
+  Also, MUC ("Group Chats") creation is limited to server members.
+- Opened up Gajim, added the account. It worked. Yay!
+- Next up, I still have a stale account on jabber.org, so to check whether
+  server-to-server connections work, I added my old account as a contact. And this worked as well.
+
+(1) The final config section is
+
+    certfiles:
+      - /var/lib/ejabberd/certs/fullchain.pem
+      - /var/lib/ejabberd/certs/key.pem
+
+Current state of my server
+--------------------------
+
+- The warning
+  `Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA`
+  still appears on server start. Shoot. But I don't know what to do about it.
+- vCards with Gajim don't seem to be working. I have no idea why.
+- I don't particularly care for file exchange / upload. For that, I would need to add another
+  subdomain and twiddle with the config, I guess.
+
+Final remark
+------------
+
+For a **German** guide on how to setup ejabberd, you may want to look
+at the [Kuketz Blog](https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/).
+I only found this blog post after I was mostly finished with my setup.
+
+<hr/>
+
+Thanks also for all the people who helped me during setup on Mastodon <3.
+I don't know if they want to be named / listed here, so I rather won't.
+
+<hr/>
+
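Review bot: the `ca_file` bullet contradicts itself: the main point says "So I removed the setting." while the sub-bullet right below says it was explicitly set to `ca_file: '/etc/ssl/certs/ca-certificates.crt'`; state plainly which one is the final state (pointing it at the system CA bundle rather than a Let's Encrypt-only file is the variant that keeps server-to-server connections to peers using other CAs working, which is the concern the bullet raises). Related: the still-unresolved `certificate is signed by unknown CA` warning "at line 57" is described together with a chain file in which the root and the R3 intermediate precede the server certificate; the conventional PEM chain order is the server certificate first, followed by the intermediate(s), and normally without the root, so the post could at least mention the file order as the first thing to check rather than leaving the warning as a mystery. Minor wording in the same region: "was properly not a good idea" should read "probably", and "Getting an warning message" should read "a warning message".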
-- 
cgit v1.2.3