Tech Adventures - Setting up ejabberd under Debian
Preliminary
Important This is not intended to be an installation guide. Just the description of my journey. If you’re actually looking for sane information on how to setup ejabberd, you should maybe look somewhere else. (See bottom of this post for a link to German instructions.)
The journey begins
Recently, I had the urge to set up a messaging server. Actually, I wanted to go with one of the Matrix servers. But “to get started”, I decided to set up ejabberd first.
Why ejabberd? I tried to set up Prosody quite some time ago, probably before The Pandemic hit. I don’t remember it too fondly. I may have gotten better in the meantime.
The process was done on a recently updated Debian Bookworm. I wanted to figure things out by myself as much as possible.
- First off: Add the necessary DNS records. The Prosody Docs were the first thing I found. I skipped the TLS-only stuff.
apt install ejabberdejabberdctl register <adminuser> <domain> <password>- Error message that the domain was not found? huh?
nano /etc/ejabberd/ejabberd.ymland add my domain to thehostslists.- Reload or restart the service
- Repeat the command. Success! Yay!
- Take a look at the web interface: https://127.0.0.1:5280.
- Log in with the created user. It fails.
- Append the
@domainpart, as the user name alone won’t do it. It works. Yay. - “Man, I wouldn’t have thought this was gonna be so easy! Hah!”.
- Little did I know…
- Use acme.sh to generate the
certificates. See the instructions in their readme.
- My setup was somewhat more complicated since I am already running a web server on the machine running ejabberd. If I didn’t run a web server there, I could’ve used the built-in acme plugin in ejabberd. Shoot :( I ended up using the automated DNS mode.
- I naively started with the domains uvok.de and xmpp.uvok.de. The latter wouldn’t even be used actively. It was just so I could distinguish the certificate files.
- I started out installing the certificates in
/etc/ejabberd/certs/. However, I was getting warning messages on service startup that the certificates were empty (“… Permission error?”). Upon pondering on this, I decided to put the certificates in/var/lib/ejabberd/certs/. This is the “home” directory of the ejabberd user. Access problems solved. (1) - Getting an warning message
Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CAon server startup. This puzzled me a lot.- Line 57 was the line where the actual server certificate started. The lines above were the Let’s Encrypt X1 root and the R3 intermediate. See their docs for details.
- At this point, I also tried some
openssl verifycalls on the PEM file itself. But I didn’t know the correct options to use (-CAfile,-CApath,-untrusted???).
- As an intermediate step, I tried setting the
ca_fileconfig value inejabberd.yml. The warning was gone. Yay.- But then I realized I forgot to add some subdomains to the cert. So I added them (reissue, reinstall, restart). Suddenly, the warning was back. :(
- For my setup, I added the
xmpp.<dom>,pubsub.<dom>,conference.<dom>domains, where<dom>isuvok.de.
- However. I then realized that setting
ca_filewas properly not a good idea. This would probably prevent me from contacting servers not using Let’s Encrypt. So I removed the setting.- specifically, I explicitly set it to
ca_file: '/etc/ssl/certs/ca-certificates.crt'. I don’t know yet if this is necessary.
- specifically, I explicitly set it to
- Add an exception to the firewall. (
ufw allow XMPP). - These warnings made me nervous. So I decided to check the actual TLS connection from my PC.
- I know I could do
openssl s_client -starttls xmpp (server). But this didn’t return a certificate. - From HTTPS, I know to send the
-servername. But this option didn’t help. - Upon some searching, I found the correct magic incantation was
openssl s_client -xmpphost uvok.de -starttls xmpp -connect srv.uvok.de:5222. This was necessary due to the fact that uvok.de is a different machine than the XMPP server.
- I know I could do
- Finally, I created a user account. Again, on command line. The Debian install has very sane and safe defaults. It disables registrations via XMPP clients by default. Exactly what I want :). Also, MUC (“Group Chats”) creation is limited to server members.
- Opened up Gajim, added the account. It worked. Yay!
- Next up, I still have a stale account on jabber.org, so to check whether server-to-server connections work, I added my old account as a contact. And this worked as well.
(1) The final config section is
certfiles:
- /var/lib/ejabberd/certs/fullchain.pem
- /var/lib/ejabberd/certs/key.pem
Current state of my server
- The warning
Invalid certificate in /var/lib/ejabberd/certs/fullchain.pem: at line 57: certificate is signed by unknown CAstill appears on server start. Shoot. But I don’t know what to do about it. - vCards with Gajim don’t seem to be working. I have no idea why.
- I don’t particularly care for file exchange / upload. For that, I would need to add another subdomain and twiddle with the config, I guess.
Final remark
For a German guide on how to setup ejabberd, you may want to look at the Kuketz Blog. I only found this blog post after I was mostly finished with my setup.
Thanks also for all the people who helped me during setup on Mastodon <3. I don’t know if they want to be named / listed here, so I rather won’t.
Kommentare / Comments
Kommentare werden von mir selbst auf einem anderen Server über Isso gehostet.
Comments are hosted by myself on another server, powered by Isso.