XEP-0363 and XEP-0359 support

OK, in reference to the German instructions for configuring an ejabberd instance at https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/ I managed at least the subdomain topic:

  1. I added the subdomains upload, pubsub, echo, proxy and conference to the DNS config of my domain at my hoster. Don’t know if that’s actually needed.

  2. Stopped my apache2 because otherwise certbot won’t be able to connect to port 80 and so can’t get any updated cert.

  3. Expand your letsencrypt cert by

     ```
     sudo certbot certonly -d mydomain.net -d conference.mydomain.net -d upload.mydomain.net -d pubsub.mydomain.net -d proxy.mydomain.net -d echo.mydomain.net --standalone
     ```

     Don’t forget to restart apache2 after that of course!

  4. As you don’t want to change the privileges of your certs in /etc/letsencrypt and you shouldn’t be running ejabberd as root because of security, we have to copy our certs into an ejabberd-controlled directory. That means we have to repeat this after every renewal of the letsencrypt certs :disappointed:

```
sudo mkdir /etc/ejabberd/certs
sudo cp /etc/letsencrypt/live/mydomain.net/fullchain.pem /etc/ejabberd/certs/mydomain.net.pem
sudo cp /etc/letsencrypt/live/mydomain.net/privkey.pem /etc/ejabberd/certs/mydomain.net.key
sudo chown ejabberd:ejabberd /etc/ejabberd/certs/
sudo chown ejabberd:ejabberd /etc/ejabberd/certs/*
sudo chmod 600 /etc/ejabberd/certs/*
sudo openssl dhparam -out /etc/ejabberd/dh4096.pem 4096
```
  5. In /etc/ejabberd/ejabberd.yml we edit

```yaml
hosts:
  - "mydomain.net"
```
  6. and remove domains not needed, e.g. hostname, hostname.local or maybe your Tor onion address.
     Uncomment the old self-certified cert and put in your new copied cert files.

```yaml
certfiles:
  ## - "/etc/ejabberd/ejabberd.pem"
  ## - "/etc/letsencrypt/live/*/*.pem"
  - "/etc/ejabberd/certs/mydomain.net.pem"
  - "/etc/ejabberd/certs/mydomain.net.key"
```
  7. You might also activate the Diffie-Hellman key for some TLS ciphers

```yaml
define_macro:
  'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECD\
HE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-S\
HA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SH\
A384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
  'TLS_OPTIONS':
  - "no_sslv3"
  - "no_tlsv1"
  - "no_tlsv1_1"
  - "cipher_server_preference"
  - "no_compression"
  ## 'DH_FILE': "/path/to/dhparams.pem"
  'DH_FILE': "/etc/ejabberd/dh4096.pem"
```
  8. and uncomment

```yaml
c2s_dhfile: 'DH_FILE'
s2s_dhfile: 'DH_FILE'
```

That should suffice to remove the error messages about missing certs from your /var/log/ejabberd/error.log.

Unfortunately I still receive the same error in my clients and file transmission doesn’t work. There’s no error message in the ejabberd-logs regarding this :confused:
So I’ll have to keep on looking.

Found the failure!
I had to force TLS in the listen section of ejabberd.yml

```yaml
listen:
- port: 5222
  ip: "::"
  module: ejabberd_c2s
  max_stanza_size: 262144
  shaper: c2s_shaper
  access: c2s
  starttls_required: true ## <--- Here ...
  protocol_options: 'TLS_OPTIONS'
- port: 5223
  ip: "::"
  module: ejabberd_c2s
  max_stanza_size: 262144
  shaper: c2s_shaper
  access: c2s
  tls: true ## <--- ... here ...
  protocol_options: 'TLS_OPTIONS'
[...]
- port: 5443
  ip: "::"
  module: ejabberd_http
  request_handlers:
    "/api": mod_http_api
    "/bosh": mod_bosh
    "/upload": mod_http_upload
    "/ws": ejabberd_http_ws
    ## captcha: true
    ## register: true
  tls: true ## <--- ... and THIS! makes uploads work finally.
  ciphers: 'TLS_CIPHERS'
  protocol_options: 'TLS_OPTIONS'
  web_admin: true
```

Now file uploads work like a charm :purple_heart:
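The manual copy in step 4 has to be repeated after every renewal. As an added example that is not part of the original post, the following certbot deploy hook does that copy automatically on each successful renewal. It assumes that certbot exports `RENEWED_LINEAGE` (e.g. `/etc/letsencrypt/live/mydomain.net`) to scripts in `/etc/letsencrypt/renewal-hooks/deploy/`, that ejabberd runs as `ejabberd:ejabberd` and reads `/etc/ejabberd/certs/<domain>.pem` and `.key` as configured in the post, and that `ejabberdctl reload_config` makes the running server re-read its `certfiles`; the script name and the `deploy_certs` function are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): certbot deploy hook that copies a
# renewed Let's Encrypt certificate into the ejabberd-controlled directory.
# Install as /etc/letsencrypt/renewal-hooks/deploy/ejabberd-certs.sh (executable).
# Assumptions: certbot exports RENEWED_LINEAGE to deploy hooks; ejabberd runs as
# ejabberd:ejabberd; ejabberd.yml lists /etc/ejabberd/certs/<domain>.pem and .key.
set -eu

# deploy_certs <lineage_dir> <dest_dir> <domain> [<owner:group>]
# Copies fullchain.pem -> <dest_dir>/<domain>.pem and privkey.pem -> <dest_dir>/<domain>.key
# with mode 0600, optionally chowning them. Returns 1 if the source files are missing.
deploy_certs() {
    lineage=$1
    dest=$2
    domain=$3
    owner=${4:-}

    if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
        echo "deploy_certs: fullchain.pem or privkey.pem not readable in $lineage" >&2
        return 1
    fi

    # Restrictive umask so the private key is never world-readable, not even for
    # the instant between cp and chmod (the post's cp-then-chmod has that window).
    umask 077
    mkdir -p "$dest"
    cp "$lineage/fullchain.pem" "$dest/$domain.pem"
    cp "$lineage/privkey.pem" "$dest/$domain.key"
    chmod 600 "$dest/$domain.pem" "$dest/$domain.key"

    # Only ejabberd needs to read these; chown when an owner was given
    # (skipped when the function is exercised unprivileged).
    if [ -n "$owner" ]; then
        chown "$owner" "$dest" "$dest/$domain.pem" "$dest/$domain.key"
    fi
    return 0
}

# Entry point used by certbot: RENEWED_LINEAGE is set only when certbot runs the hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" /etc/ejabberd/certs "$(basename "$RENEWED_LINEAGE")" ejabberd:ejabberd
    # Make the running server re-read certfiles; use "ejabberdctl restart" instead
    # if your ejabberd version does not reload certificates on reload_config.
    ejabberdctl reload_config
fi
```

Because the hook keys everything off the lineage directory name, it also covers the subdomains from step 1 as long as they stay SANs on the single `mydomain.net` certificate; a second certificate with its own lineage would land under its own `<domain>.pem`/`.key` names and would need to be added to `certfiles` as well.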