stephen@localhost:~$ sudo ejabberdctl status
The node ejabberd@localhost is started with status: started
ejabberd 23.01-1 is running in that node
stephen@localhost:~$ sudo ejabberdctl register admin localhost password
- http://host:5280/admin ❌ no automatic https redirect. Firefox will just say connection reset.
- https://host:5280/admin ✅
If you don't have the domain in the hosts section, the Android app "conversations" will say: "The server is not responsible for this domain"
If you don't have the ssl certificate for the domain, the Android app "conversations" will say: "Domain not verifiable"
Aug 22 09:41:30 localhost sh[3317724]: 2024-08-22 09:41:30.400875-06:00 [warning] Invalid certificate in /etc/ejabberd/ejabberd.pem: at line 29: self-signed certificate
Aug 22 09:41:30 localhost sh[3317724]: 2024-08-22 09:41:30.550154-06:00 [warning] No certificate found matching localhost
"Invalid certificate" is not a helpful message: the certificate still gets used.
"No certificate found matching <domain>": the domain needs a certificate; a self-signed one is OK for "conversations".
https://letsencrypt.org/docs/certificates-for-localhost/
stephen@localhost:~$ openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <( \
printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")
stephen@localhost:~$ cat localhost.crt localhost.key > localhost.pem
stephen@localhost:~$ sudo mv localhost.pem /etc/ejabberd/
stephen@localhost:~$ sudo chmod o-r /etc/ejabberd/localhost.pem
stephen@localhost:~$ sudo chown root:ejabberd /etc/ejabberd/localhost.pem
add cert to ssl section, or /etc/ejabberd/*.pem
"conversations" pops up an accept self-signed certificate dialog👍.
Thunderbird won't accept self-signed certificate, and won't import it since it is not attached to a root certificate.
xabber: success
gajim: success, but I had to use a self signed certificate on c-###-###-###-###.**.**.comcast.net
TODO: Let's Encrypt certificate for c-###-###-###-###.**.**.comcast.net
/etc/ejabberd/ejabberd.yml: add a new port dedicated to /.well-known/acme-challenge
with no tls. Don't want to expose /admin to the internet.
listen:
  …
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    tls: true
    protocol_options: 'TLS_OPTIONS'
    request_handlers:
      /admin: ejabberd_web_admin
  -
    port: 5281
    ip: "::"
    module: ejabberd_http
    tls: false
    request_handlers:
      /.well-known/acme-challenge: ejabberd_acme
…
acme:
  ## Staging environment
  # ca_url: https://acme-staging-v02.api.letsencrypt.org/directory
  ## Production environment (the default):
  ca_url: https://acme-v02.api.letsencrypt.org/directory
  contact:
    - mailto:email@address.abc
  auto: false
On Router, Forward port 80 to host:5281
sudo ejabberdctl reload-config
stephen@localhost:~$ sudo ejabberdctl request-certificate c-###-###-###-###.**.**.comcast.net
Aug 31 23:37:05 localhost sh[3326311]: 2024-08-31 23:37:05.414392-06:00 [warning] (tls|<0.24978.0>) Failed to secure c2s connection: TLS failed: SSL_do_handshake failed: error:0A000418:SSL routines::tlsv1 alert unknown ca
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.683334-06:00 [warning] Invalid certificate in /etc/ejabberd/ejabberd.pem: at line 29: self-signed certificate
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.683609-06:00 [warning] Invalid certificate in /etc/ejabberd/localhost.pem: at line 1: self-signed certificate
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.684003-06:00 [warning] Invalid certificate in /etc/ejabberd/c-###-###-###.###.**.**.comcast.net.pem: at line 1: self-signed certificate
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.684169-06:00 [warning] Invalid certificate in /var/lib/ejabberd/acme/live/673de21aab62e1d7f7381bf91e228d9fef65d858: at line 33: certificate is signed by unknown CA
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.687168-06:00 [warning] No certificate found matching pubsub.c-###-###-###.###.**.**.comcast.net
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.687708-06:00 [warning] No certificate found matching pubsub.localhost
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.688172-06:00 [warning] No certificate found matching conference.c-###-###-###.###.**.**.comcast.net
Aug 31 23:39:27 localhost sh[3326311]: 2024-08-31 23:39:27.688525-06:00 [warning] No certificate found matching conference.localhost
Aug 31 23:39:34 localhost sh[3326311]: 2024-08-31 23:39:34.685165-06:00 [info] Requesting new certificate for c-###-###-###.###.**.**.comcast.net from https://acme-v02.api.letsencrypt.org/directory
Aug 31 23:39:34 localhost sh[3326311]: 2024-08-31 23:39:34.688079-06:00 [warning] Description: "Server authenticity is not verified since certificate path validation is not enabled"
Aug 31 23:39:34 localhost sh[3326311]: Reason: "The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."
Aug 31 23:39:35 localhost sh[3326311]: 2024-08-31 23:39:35.762439-06:00 [info] (<0.24996.0>) Accepted connection [::ffff:23.178.112.106]:43071 -> [::ffff:hostip]:5281
Aug 31 23:39:36 localhost sh[3326311]: 2024-08-31 23:39:36.541308-06:00 [info] (<0.24997.0>) Accepted connection [::ffff:52.15.221.119]:61934 -> [::ffff:hostip]:5281
Aug 31 23:39:36 localhost sh[3326311]: 2024-08-31 23:39:36.672292-06:00 [info] (none) Accepted connection [::ffff:54.244.171.41]:59620 -> [::ffff:hostip]:5281
Aug 31 23:39:37 localhost sh[3326311]: 2024-08-31 23:39:37.345892-06:00 [info] (<0.24999.0>) Accepted connection [::ffff:13.60.206.97]:53738 -> [::ffff:hostip]:5281
Aug 31 23:39:38 localhost sh[3326311]: 2024-08-31 23:39:38.138653-06:00 [info] (<0.25000.0>) Accepted connection [::ffff:54.169.83.90]:13572 -> [::ffff:hostip]:5281
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.476201-06:00 [warning] Invalid certificate in /etc/ejabberd/ejabberd.pem: at line 29: self-signed certificate
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.476444-06:00 [warning] Invalid certificate in /etc/ejabberd/localhost.pem: at line 1: self-signed certificate
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.476723-06:00 [warning] Invalid certificate in /etc/ejabberd/c-###-###-###.###.**.**.comcast.net.pem: at line 1: self-signed certificate
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.477505-06:00 [warning] No certificate found matching pubsub.c-###-###-###.###.**.**.comcast.net
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.477934-06:00 [warning] No certificate found matching pubsub.localhost
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.478367-06:00 [warning] No certificate found matching conference.c-###-###-###.###.**.**.comcast.net
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.478763-06:00 [warning] No certificate found matching conference.localhost
Aug 31 23:39:40 localhost sh[3326311]: 2024-08-31 23:39:40.479104-06:00 [info] Certificate for c-###-###-###.###.**.**.comcast.net has been received, stored and loaded successfully
Aug 31 23:39:44 localhost sh[3326311]: 2024-08-31 23:39:44.326185-06:00 [info] (<0.25001.0>) Accepted connection [::ffff:143.198.151.68]:46516 -> [::ffff:hostip]:5281
Aug 31 23:39:44 localhost sh[3326311]: 2024-08-31 23:39:44.451175-06:00 [info] (<0.25002.0>) Accepted connection [::ffff:143.198.151.68]:46520 -> [::ffff:hostip]:5281
Aug 31 23:39:45 localhost sh[3326311]: 2024-08-31 23:39:45.881766-06:00 [info] (<0.25003.0>) Accepted connection [::ffff:206.81.24.74]:34142 -> [::ffff:hostip]:5281
Aug 31 23:39:46 localhost sh[3326311]: 2024-08-31 23:39:46.187836-06:00 [info] (<0.25004.0>) Accepted connection [::ffff:206.81.24.74]:34146 -> [::ffff:hostip]:5281
Aug 31 23:39:46 localhost sh[3326311]: 2024-08-31 23:39:46.512463-06:00 [info] (<0.25005.0>) Accepted connection [::ffff:206.81.24.74]:34154 -> [::ffff:hostip]:5281
Aug 31 23:39:46 localhost sh[3326311]: 2024-08-31 23:39:46.833833-06:00 [info] (<0.25006.0>) Accepted connection [::ffff:206.81.24.74]:34166 -> [::ffff:hostip]:5281
Aug 31 23:39:47 localhost sh[3326311]: 2024-08-31 23:39:47.201514-06:00 [info] (<0.25007.0>) Accepted connection [::ffff:206.81.24.74]:34174 -> [::ffff:hostip]:5281
Aug 31 23:39:47 localhost sh[3326311]: 2024-08-31 23:39:47.516529-06:00 [info] (<0.25008.0>) Accepted connection [::ffff:206.81.24.74]:34176 -> [::ffff:hostip]:5281
Aug 31 23:39:47 localhost sh[3326311]: 2024-08-31 23:39:47.817953-06:00 [info] (<0.25009.0>) Accepted connection [::ffff:206.81.24.74]:34190 -> [::ffff:hostip]:5281
Aug 31 23:39:48 localhost sh[3326311]: 2024-08-31 23:39:48.132528-06:00 [info] (<0.25010.0>) Accepted connection [::ffff:206.81.24.74]:34198 -> [::ffff:hostip]:5281
Aug 31 23:39:48 localhost sh[3326311]: 2024-08-31 23:39:48.436677-06:00 [info] (<0.25011.0>) Accepted connection [::ffff:206.81.24.74]:34208 -> [::ffff:hostip]:5281
Aug 31 23:39:48 localhost sh[3326311]: 2024-08-31 23:39:48.755969-06:00 [info] (<0.25012.0>) Accepted connection [::ffff:206.81.24.74]:34216 -> [::ffff:hostip]:5281
Aug 31 23:39:49 localhost sh[3326311]: 2024-08-31 23:39:49.091475-06:00 [info] (<0.25013.0>) Accepted connection [::ffff:206.81.24.74]:34230 -> [::ffff:hostip]:5281
Aug 31 23:39:49 localhost sh[3326311]: 2024-08-31 23:39:49.401700-06:00 [info] (<0.25014.0>) Accepted connection [::ffff:206.81.24.74]:34232 -> [::ffff:hostip]:5281
Aug 31 23:39:49 localhost sh[3326311]: 2024-08-31 23:39:49.710954-06:00 [info] (<0.25015.0>) Accepted connection [::ffff:206.81.24.74]:34244 -> [::ffff:hostip]:5281
Aug 31 23:39:50 localhost sh[3326311]: 2024-08-31 23:39:50.025064-06:00 [info] (<0.25016.0>) Accepted connection [::ffff:206.81.24.74]:34260 -> [::ffff:hostip]:5281
Aug 31 23:39:50 localhost sh[3326311]: 2024-08-31 23:39:50.360697-06:00 [info] (<0.25017.0>) Accepted connection [::ffff:206.81.24.74]:34276 -> [::ffff:hostip]:5281
Aug 31 23:39:50 localhost sh[3326311]: 2024-08-31 23:39:50.780137-06:00 [info] (<0.25018.0>) Accepted connection [::ffff:206.81.24.74]:34286 -> [::ffff:hostip]:5281
Aug 31 23:39:51 localhost sh[3326311]: 2024-08-31 23:39:51.168709-06:00 [info] (<0.25019.0>) Accepted connection [::ffff:206.81.24.74]:34300 -> [::ffff:hostip]:5281
Aug 31 23:39:51 localhost sh[3326311]: 2024-08-31 23:39:51.486191-06:00 [info] (<0.25020.0>) Accepted connection [::ffff:206.81.24.74]:34302 -> [::ffff:hostip]:5281
Aug 31 23:39:51 localhost sh[3326311]: 2024-08-31 23:39:51.796425-06:00 [info] (<0.25021.0>) Accepted connection [::ffff:206.81.24.74]:34318 -> [::ffff:hostip]:5281
Aug 31 23:39:52 localhost sh[3326311]: 2024-08-31 23:39:52.122422-06:00 [info] (<0.25022.0>) Accepted connection [::ffff:206.81.24.74]:34334 -> [::ffff:hostip]:5281
Aug 31 23:39:53 localhost sh[3326311]: 2024-08-31 23:39:53.951668-06:00 [info] (<0.25023.0>) Accepted connection [::ffff:routerip]:31576 -> [::ffff:hostip]:5222
Aug 31 23:39:54 localhost sh[3326311]: 2024-08-31 23:39:54.696885-06:00 [info] (tls|<0.25023.0>) Accepted c2s PLAIN authentication for stephen@c-###-###-###.###.**.**.comcast.net by mnesia backend from ::ffff:routerip
Aug 31 23:39:54 localhost sh[3326311]: 2024-08-31 23:39:54.840532-06:00 [info] (tls|<0.25023.0>) Opened c2s session for stephen@c-###-###-###.###.**.**.comcast.net/75319872506902643567650
Aug 31 23:41:16 localhost sh[3326311]: 2024-08-31 23:41:16.255665-06:00 [info] (tls|<0.25023.0>) Closing c2s session for stephen@c-###-###-###.###.**.**.comcast.net/75319872506902643567650: Stream reset by peer
Aug 31 23:41:18 localhost sh[3326311]: 2024-08-31 23:41:18.206696-06:00 [info] (<0.25026.0>) Accepted connection [::ffff:routerip]:31612 -> [::ffff:hostip]:5222
Aug 31 23:41:18 localhost sh[3326311]: 2024-08-31 23:41:18.303128-06:00 [info] (tls|<0.25026.0>) Accepted c2s PLAIN authentication for stephen@c-###-###-###.###.**.**.comcast.net by mnesia backend from ::ffff:routerip
Aug 31 23:41:18 localhost sh[3326311]: 2024-08-31 23:41:18.309648-06:00 [info] (tls|<0.25026.0>) Opened c2s session for stephen@c-###-###-###.###.**.**.comcast.net/162245154133226236037682
Aug 31 23:41:55 localhost sh[3326311]: 2024-08-31 23:41:55.630604-06:00 [info] (<0.25033.0>) Accepted connection [::ffff:151.115.77.26]:44438 -> [::ffff:hostip]:5281
Aug 31 23:41:56 localhost sh[3326311]: 2024-08-31 23:41:56.463942-06:00 [info] (<0.25034.0>) Accepted connection [::ffff:51.158.161.239]:44440 -> [::ffff:hostip]:5281
Aug 31 23:42:42 localhost sh[3326311]: 2024-08-31 23:42:42.274265-06:00 [info] (<0.25037.0>) Accepted connection [::ffff:104.253.214.203]:24166 -> [::ffff:hostip]:5281
Aug 31 23:42:52 localhost sh[3326311]: 2024-08-31 23:42:52.775135-06:00 [info] (<0.25038.0>) Accepted connection [::ffff:104.252.186.64]:60132 -> [::ffff:hostip]:5281
Aug 31 23:42:59 localhost sh[3326311]: 2024-08-31 23:42:59.951648-06:00 [info] (<0.25039.0>) Accepted connection [::ffff:104.252.31.34]:46090 -> [::ffff:hostip]:5281
Aug 31 23:43:08 localhost sh[3326311]: 2024-08-31 23:43:08.766915-06:00 [info] (<0.25040.0>) Accepted connection [::ffff:104.252.186.177]:65320 -> [::ffff:hostip]:5281
Aug 31 23:43:19 localhost sh[3326311]: 2024-08-31 23:43:19.681211-06:00 [info] (<0.25041.0>) Accepted connection [::ffff:107.172.179.50]:34442 -> [::ffff:hostip]:5281
Aug 31 23:43:26 localhost sh[3326311]: 2024-08-31 23:43:26.041941-06:00 [info] (<0.25042.0>) Accepted connection [::ffff:routerip]:31679 -> [::ffff:hostip]:5281
Aug 31 23:44:18 localhost sh[3326311]: 2024-08-31 23:44:18.731472-06:00 [info] (<0.25044.0>) Accepted connection [::ffff:45.148.10.251]:45056 -> [::ffff:hostip]:5281
Sep 01 05:17:56 localhost sh[3326311]: 2024-09-01 05:17:56.509260-06:00 [info] (<0.25662.0>) Accepted connection [::ffff:routerip]:39432 -> [::ffff:hostip]:5222
Sep 01 05:17:56 localhost sh[3326311]: 2024-09-01 05:17:56.676637-06:00 [info] (tls|<0.25662.0>) Accepted c2s SCRAM-SHA-1 authentication for stephen@c-###-###-###.###.**.**.comcast.net by mnesia backend from ::ffff:routerip
close port 80 on router
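
Added example, not part of the original notes: a small Python triage of journal lines in the format shown above. It pulls out the certificate warnings, the hosts still lacking a certificate, sources that connect repeatedly to the plain-HTTP ACME listener while port 80 is forwarded, and the SASL mechanism each login used. The sample lines are constructed (placeholder host xmpp.example, documentation-range external addresses), and the burst threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the journal format shown on this page. External addresses
# are documentation ranges (RFC 5737); xmpp.example is a placeholder host.
P = "Aug 31 23:39:27 localhost sh[1]: 2024-08-31 23:39:27.000000-06:00 "
SAMPLE = "\n".join(P + m for m in [
    "[warning] Invalid certificate in /etc/ejabberd/localhost.pem: at line 1: self-signed certificate",
    "[warning] No certificate found matching pubsub.xmpp.example",
    "[warning] No certificate found matching conference.xmpp.example",
    "[info] (<0.1.0>) Accepted connection [::ffff:192.0.2.10]:43071 -> [::ffff:10.0.0.5]:5281",
    "[info] (<0.2.0>) Accepted connection [::ffff:198.51.100.7]:34142 -> [::ffff:10.0.0.5]:5281",
    "[info] (<0.3.0>) Accepted connection [::ffff:198.51.100.7]:34146 -> [::ffff:10.0.0.5]:5281",
    "[info] (<0.4.0>) Accepted connection [::ffff:198.51.100.7]:34154 -> [::ffff:10.0.0.5]:5281",
    "[info] (<0.5.0>) Accepted connection [::ffff:10.0.0.1]:31576 -> [::ffff:10.0.0.5]:5222",
    "[info] (tls|<0.5.0>) Accepted c2s PLAIN authentication for stephen@xmpp.example by mnesia backend from ::ffff:10.0.0.1",
    "[info] (tls|<0.6.0>) Accepted c2s SCRAM-SHA-1 authentication for stephen@xmpp.example by mnesia backend from ::ffff:10.0.0.1",
])

INVALID = re.compile(r"Invalid certificate in (\S+): at line \d+: (.+)$")
MISSING = re.compile(r"No certificate found matching (\S+)")
CONN = re.compile(r"Accepted connection \[(?:::ffff:)?([^\]]+)\]:\d+ -> \[[^\]]+\]:(\d+)")
AUTH = re.compile(r"Accepted c2s (\S+) authentication for (\S+)")

def triage(log_text, acme_port=5281, burst=3):
    """Summarise certificate warnings, ACME-port sources and SASL mechanisms."""
    bad_certs, missing, hits, mechs = {}, set(), Counter(), Counter()
    for line in log_text.splitlines():
        if m := INVALID.search(line):
            bad_certs[m.group(1)] = m.group(2)      # file -> reason given
        elif m := MISSING.search(line):
            missing.add(m.group(1))                 # host with no matching cert
        elif m := CONN.search(line):
            if int(m.group(2)) == acme_port:        # only the plain-HTTP listener
                hits[m.group(1)] += 1
        elif m := AUTH.search(line):
            mechs[m.group(1)] += 1                  # PLAIN hands the server the password
    return {
        "bad_certs": bad_certs,
        "missing": sorted(missing),
        "noisy": {ip: n for ip, n in hits.items() if n >= burst},
        "mechs": dict(mechs),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

To run it on real data, pass the saved journal text for the ejabberd unit to triage() in place of SAMPLE.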