1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
---
layout: post
title: Tech Adventures - Setting up ejabberd under Debian
date: 2023-06-25 15:25 +0200
categories: tech
lang: en
---
Preliminary
-----------
**Important** This is *not* intended to be an installation guide. Just the
description of my journey. If you're actually looking for sane information on
how to setup ejabberd, you should maybe look somewhere else. (See bottom of
this post for a link to German instructions.)
The journey begins
------------------
Recently, I had the urge to set up a messaging server. Actually, I wanted to go
with one of the [Matrix](https://matrix.org/) servers. But "to get started", I
decided to set up [ejabberd](https://ejabberd.im) first.
Why ejabberd? I tried to set up Prosody quite some time ago, probably before The
Pandemic hit. I don't remember it too fondly. I may have gotten better in the
meantime.
The process was done on a recently updated Debian Bookworm. I wanted to figure
things out by myself as much as possible.
- First off: Add the necessary DNS records. The
[Prosody Docs](https://prosody.im/doc/dns) were the first thing I found.
I skipped the TLS-only stuff.
- `apt install ejabberd`
- `ejabberdctl register <adminuser> <domain> <password>`
- Error message that the domain was not found? huh?
- `nano /etc/ejabberd/ejabberd.yml` and add my domain to
the `hosts` lists.
- Reload or restart the service
- Repeat the command. Success! Yay!
- Take a look at the web interface: https://127.0.0.1:5280.
- Log in with the created user. It fails.
- Append the `@domain` part, as the user name alone won't do it.
It works. Yay.
- "Man, I wouldn't have thought this was gonna be so easy! Hah!".
- Little did I know...
- Use [acme.sh](https://github.com/acmesh-official/acme.sh) to generate the
certificates. See the instructions in their readme.
- My setup was somewhat more complicated since I am already running a web
server on the machine running ejabberd. If I didn't run a web server there, I
could've used the built-in acme plugin in ejabberd. Shoot :( I ended up using
the automated DNS mode.
- I naively started with the domains uvok.de and xmpp.uvok.de. The latter wouldn't
even be used actively. It was just so I could distinguish the certificate files.
- I started out installing the certificates in `/etc/ejabberd/certs/`.
However, I was getting warning messages on service startup
that the certificates were empty ("... Permission error?").
Upon pondering on this, I decided to put the certificates in
`/var/lib/ejabberd/certs/`. This is the "home" directory of
the ejabberd user. Access problems solved. (1)
- Getting an warning message
`Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA`
on server startup. This puzzled me a lot.
- Line 57 was the line where the actual server certificate started.
The lines above were the Let's Encrypt X1 root and the R3 intermediate.
See [their docs](https://letsencrypt.org/certificates/) for details.
- At this point, I also tried some `openssl verify` calls on the PEM file itself.
But I didn't know the correct options to use (`-CAfile`, `-CApath`, `-untrusted`???).
- As an intermediate step, I tried setting the `ca_file` config value
in `ejabberd.yml`. The warning was gone. Yay.
- But then I realized I forgot to add some subdomains to the cert.
So I added them (reissue, reinstall, restart). Suddenly, the warning was back. :(
- For my setup, I added the `xmpp.<dom>`, `pubsub.<dom>`, `conference.<dom>` domains,
where `<dom>` is `uvok.de`.
- **However**. I then realized that setting `ca_file` was properly not a good idea.
This would *probably* prevent me from contacting servers not using Let's Encrypt.
So I removed the setting.
- specifically, I explicitly set it to
`ca_file: '/etc/ssl/certs/ca-certificates.crt'`. I don't know yet if this is necessary.
- Add an exception to the firewall. (`ufw allow XMPP`).
- These warnings made me nervous. So I decided to check the actual TLS connection from my PC.
- I know I could do `openssl s_client -starttls xmpp (server)`. But this didn't return a certificate.
- From HTTPS, I know to send the `-servername`. But this option didn't help.
- Upon some searching, I found the correct magic incantation was
`openssl s_client -xmpphost uvok.de -starttls xmpp -connect srv.uvok.de:5222`.
This was necessary due to the fact that uvok.de is a different machine than the XMPP server.
- Finally, I created a user account. Again, on command line.
The Debian install has very sane and safe defaults. It disables registrations via XMPP
clients by default. Exactly what I want :).
Also, MUC ("Group Chats") creation is limited to server members.
- Opened up Gajim, added the account. It worked. Yay!
- Next up, I still have a stale account on jabber.org, so to check whether
server-to-server connections work, I added my old account as a contact. And this worked as well.
(1) The final config section is
certfiles:
- /var/lib/ejabberd/certs/fullchain.pem
- /var/lib/ejabberd/certs/key.pem
Current state of my server
--------------------------
- The warning
`Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CA`
still appears on server start. Shoot. But I don't know what to do about it.
- vCards with Gajim don't seem to be working. I have no idea why.
- I don't particularly care for file exchange / upload. For that, I would need to add another
subdomain and twiddle with the config, I guess.
Final remark
------------
For a **German** guide on how to setup ejabberd, you may want to look
at the [Kuketz Blog](https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/).
I only found this blog post after I was mostly finished with my setup.
<hr/>
Thanks also for all the people who helped me during setup on Mastodon <3.
I don't know if they want to be named / listed here, so I rather won't.
<hr/>
|