eJabberd not connecting with desktop clients (solved)

Problem Description
I am unable to connect desktop clients to eJabberd; only JSXC is working. I can't tell if this is firewall-related or SSL-related (see bottom).

Steps to Reproduce

  1. I set domain name to subdomain.example.club in Settings → Configure
  2. I added an A record for subdomain.example.club which points to my Static IP address and waited for DNS propagation to complete
  3. I installed Coturn and Ejabberd, opting not to complete Let’s Encrypt as I do prefer to self-sign
  4. I was able to log in as an admin, and as a less privileged user, with JSXC in a web-based environment. We were able to exchange messages. This was achieved through the domain name, not the IP address.
  5. I try to log in as username@subdomain.example.club using clients such as dino-im and gajim, but they are not able to get through.

Expected Results
I expected to be able to communicate with the server using a desktop client.

Actual results
I get an error with the following message:

Connection failed. Gajim was not able to reach the server. Make sure your XMPP address is correct.

Information

  • FreedomBox version: 22.15
  • Hardware: Raspberry Pi 4B (4GB)
  • How did you install FreedomBox?: apt install freedombox on a fresh install of Debian Bookworm
  • Port forwarding: DMZ (however, during FBX setup I claimed I would use NAT tables. It still believes DMZ is off.)
  • Firewall: This problem still occurs if I disable the firewall on my client system.
  • Diagnostics: eJabberd passes all checks, though LetsEncrypt states it cannot access URL https://subdomain.example.club
  • LDAP: I forgot to add DEBIAN_FRONTEND=noninteractive during setup, and just accepted the defaults. Many of the questions were about LDAP. In case that affected anything, here is the LDAP config which FBX generated in /etc/ejabberd/ejabberd.yml:

    ldap_servers:
    - "localhost"
    ldap_base: "ou=users,dc=thisbox"

I can confirm that the hosts: section of ejabberd.yml shows subdomain.example.club, as expected.

TL;DR
It felt like a port / firewall type of issue but I’m starting to think it’s SSL. My understanding of SSL needs improvement.
I know the certificate I'm using was generated on install, before I entered my FQDN into the FreedomBox Settings. I can also see that the only Common Name listed is the hostname of the Pi. Should I re-run some OpenSSL commands instead of tinkering with my router?
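The question above is really "is it the port or is it the certificate?", and the two can be told apart from the client machine without touching the router. The script below is an added example for this thread, not FreedomBox or ejabberd code: it resolves the host, looks up the optional _xmpp-client._tcp SRV record, then does what Gajim does on connect (TCP to port 5222, STARTTLS) with openssl s_client and checks whether the certificate the server presents actually names the XMPP domain. It assumes an openssl recent enough to support -xmpphost (1.1.0 or later) and -ext (1.1.1 or later); dig is optional. The domain on the command line is a placeholder for your own.

```shell
#!/bin/sh
# Triage an XMPP connection the way a desktop client sees it: name
# resolution, the optional SRV record, TCP + STARTTLS on 5222, and whether
# the certificate names the XMPP domain. Added example for this thread,
# not FreedomBox or ejabberd code. Needs openssl (1.1.1+ for -xmpphost
# and -ext); dig is optional. The domain passed on the command line is an
# assumption: substitute your own.
set -u

# Extract the DNS names from `openssl x509 -ext subjectAltName` text,
# one per line, lowercased. Takes the text as an argument, not a file.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | tr 'A-Z' 'a-z'
}

# Return 0 if any name (newline separated) covers the domain: exact match
# or a single-label wildcard such as *.example.club (RFC 6125 style).
names_cover_domain() {
    names=$1
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    parent=${domain#*.}
    printf '%s\n' "$names" | while IFS= read -r name; do
        [ -z "$name" ] && continue
        if [ "$name" = "$domain" ] || [ "$name" = "*.$parent" ]; then
            echo match
        fi
    done | grep -q match
}

# Live checks. usage: probe_xmpp DOMAIN [HOST] [PORT]
probe_xmpp() {
    domain=$1; host=${2:-$1}; port=${3:-5222}

    echo "== does $host resolve from this client?"
    getent ahosts "$host" || { echo "no address: fix DNS first"; return 1; }

    echo "== SRV record (optional; clients fall back to $domain:5222)"
    if command -v dig >/dev/null 2>&1; then
        dig +short "_xmpp-client._tcp.$domain" SRV
    else
        echo "(dig not installed, skipping)"
    fi

    echo "== TCP + STARTTLS on $host:$port"
    out=$(printf '' | openssl s_client -connect "$host:$port" \
            -starttls xmpp -xmpphost "$domain" -servername "$domain" 2>&1)
    if ! printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        echo "no TLS session. A connect/refused/timeout error here means the"
        echo "router, firewall or listener is the problem, not the certificate:"
        printf '%s\n' "$out" | head -n 5
        return 1
    fi
    cert=$(printf '%s\n' "$out" | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p')

    echo "== certificate as presented to the client"
    printf '%s\n' "$cert" | openssl x509 -noout -subject -issuer -dates
    printf '%s\n' "$out" | grep 'Verify return code'   # 18 = self-signed leaf
    san=$(printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    names=$(san_dns_names "$san")
    if [ -z "$names" ]; then
        # No SAN at all: fall back to the CN, which is all an install-time
        # certificate typically carries (and it will be the box hostname).
        names=$(printf '%s\n' "$cert" | openssl x509 -noout -subject \
            | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | tr 'A-Z' 'a-z')
    fi
    if names_cover_domain "$names" "$domain"; then
        echo "OK: certificate names $domain"
    else
        echo "MISMATCH: certificate names '$names' but the client expects $domain;"
        echo "reissue the certificate for the FQDN (or enable Let's Encrypt)"
        return 2
    fi
}

# Run the live checks only when a domain is given, so the helper functions
# can also be sourced and used on their own.
if [ $# -gt 0 ]; then
    probe_xmpp "$@"
fi
```

Run it as `sh xmpp-probe.sh subdomain.example.club` from the machine where Gajim fails. If the script stops at the STARTTLS step with a connect error, no amount of certificate work will help: the packets are not reaching ejabberd on 5222. If it gets a certificate but reports MISMATCH (for example a CN equal to the Pi's hostname), the connection itself is fine and the certificate is what a strict client will complain about.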

Did you try to ping subdomain.example.club from the machine on which you are running gajim? Just to make sure.

Do you mean that your router forwards everything to your FreedomBox?
I suppose you also have set the DNS records as suggested when you activated ejabberd.

In my case (Certificate issue after changing domain), Gajim 1.4.5 (Debian from backports) explicitly complains about the certificate in a window and shows a “view certificate” button, so I am not sure a certificate issue can result in the message you get.

You could run gajim with “-v” to get more details and ask about the error message on the developers support channel on XMPP: gajim(at)conference.gajim.org (since you can access with JSXC) to confirm what situation can trigger the error you see. I had useful answers on that channel before.

> Did you try to ping subdomain.example.club from the machine on which you are running gajim? Just to make sure.

Looks good!

> Do you mean that your router forwards everything to your FreedomBox?
> I suppose you also have set the DNS records as suggested when you activated ejabberd.

Yup, all traffic is forwarded at this time.
That might be it! I could have missed a prompt or suggestion.
Was I supposed to set up SRV records for my registrar’s zone file?

> You could run gajim with “-v” to get more details and ask about the error message on the developers support channel on XMPP: gajim(at)conference.gajim.org (since you can access with JSXC) to confirm what situation can trigger the error you see. I had useful answers on that channel before.

10-4! Thanks Avron!

Update: It started working after I added port forwarding for the router. Apparently my router just has a bad DMZ? Oh well.

The ejabberd page on my FreedomBox does not suggest that, while the page for dovecot/postfix does, so I guess I was wrong; nothing to add for ejabberd.

I have to use the router provided by my ISP; it is a model only made for them and controlled by them (all big ISPs do so in my area). There is basically no documentation, and I have had unexpected behaviours several times.

There is a small ISP not doing that but, unlike the big ISPs, they provide nothing but internet access, so I would need to first find a decent replacement for the other things that my partner uses, like TV replay with an easy interface.