Tutorial on ejabberd, postfix, dovecot and or nginx with letsencrypt


#1

I assume you have either Nginx or use Nginx as a Reverse Proxy for Apache

Nginx:
mkdir /usr/share/nginx/letsencrypt
mkdir /usr/share/nginx/letsencrypt/public_html

Directive for the domain(s) you want a cert for:
server {
    server_name domain.tld;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/letsencrypt/public_html;
    }
}
Then you can do:
./letsencrypt-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m postmaster@domain.tld --webroot -w /usr/share/nginx/letsencrypt/public_html/ -d domain.tld -d domain2.tld -d domain3.tld

You now have your certs.

Dovecot/Postfix:
ln -s /etc/letsencrypt/live/domain.tld/privkey.pem /etc/postfix/ssl.key
ln -s /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/postfix/ssl.cert
Edit both configs so they point to the key and cert.
doveadm reload && /etc/init.d/postfix restart

Ejabberd:
Note: I made /etc/ejabberd/ca.crt after downloading it from https://letsencrypt.org/certificates/ (I made the file and copy/pasted the cert into it).
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/ejabberd/ca.crt >> /etc/ejabberd/ejabberd.pem
/sbin/ejabberdctl restart

This is also done when you renew certs. I made a script that renews the cert for the domains and mail/chat services every 60 days with Cron.


https://cyberguerrilla.info does not store IP addresses, we require https.
Cyberguerrilla Anonymous Nexus Autonomous tech collective uses mandatory encryption on every domain or sub-domain it hosts!

#2

Hey,

I am working on getting ejabberd work with the certificate. Could you explicitly describe, how you obtained “ca.crt”, since I did not find it on the referenced web page.

Thanks in advance.


#3

You can download the CA from https://letsencrypt.org/certificates/; see the [txt] [pem] [der] links behind “Intermediate Certificates”. Make the ca.crt and copy/paste the cert out of [txt], or download the [pem] and upload it to where you want.

Then do:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/ejabberd/ca.crt >> /etc/ejabberd/ejabberd.pem

Edit /etc/ejabberd/ejabberd.yml
[SNIP]
listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/ejabberd.pem"
    starttls_required: true
    protocol_options:
      - "no_sslv2"
      - "no_sslv3"
    ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5269
    module: ejabberd_s2s_in
    [SNIP]
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    http_bind: true
    register: true
    captcha: true
    certfile: "/etc/ejabberd/ejabberd.pem"
    tls: true
[SNIP]
s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_protocol_options:
  - "no_sslv2"
  - "no_sslv3"
s2s_ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"

[END EDIT] Save the conf and restart ejabberd.


#4

Thanks Doemela this was very helpful.
The only hard to understand part was the “make the ca.crt” part. I copied https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt into /etc/ejabberd/ca.crt, then followed the cat command as given by you. Then restarted the jabber service, then the clients had to accept the new certificate and it seems to work.

Is this what you meant? i.e. taking the text from the link and placing it in a file called ca.crt.

The link is the X3 [txt]


#5

I use acme_tiny.py, so I do

cat secrets/domain.key work/chained.pem lets-encrypt-x1-cross-signed.pem > /etc/ejabberd/ejabberd.pem

and I am still stuck in the stone age, so my config is

  {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        %%zlib,
                        starttls_required,
                        {certfile, "/etc/ejabberd/ejabberd.pem"}
                       ]},

and I get

=ERROR REPORT==== 2016-04-16 00:33:31 ===
** State machine <0.644.0> terminating 
** Last event in was {xmlstreamelement,
                         {xmlelement,"starttls",
                             [{"xmlns","urn:ietf:params:xml:ns:xmpp-tls"}],
                             []}}
** When State == wait_for_feature_request
**      Data  == {state,{socket_state,gen_tcp,#Port<0.3281>,<0.643.0>},
                        ejabberd_socket,"3241108122",s2s_shaper,true,false,
                        false,false,
                        [{certfile,"/etc/ejabberd/ejabberd.pem"}],
                        "xmpp.rg.net",false,undefined,
                        {dict,0,16,16,8,80,48,
                              {[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
                               []},
                              {{[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
                                []}}},
                        #Ref<0.0.0.12069>}
** Reason for termination = 
** {{badmatch,{error,"SSL_CTX_use_PrivateKey_file failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}},
    [{ejabberd_socket,starttls,3,[{file,"ejabberd_socket.erl"},{line,143}]},
     {ejabberd_s2s_in,wait_for_feature_request,2,
                      [{file,"ejabberd_s2s_in.erl"},{line,309}]},
     {p1_fsm,handle_msg,10,[{file,"p1_fsm.erl"},{line,544}]},
     {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}

#6

The ca.crt is not needed any more:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem >> /etc/ejabberd/ejabberd.pem


#7

** {{badmatch,{error,"SSL_CTX_use_PrivateKey_file failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}},
Try it with this
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem >> /etc/ejabberd/ejabberd.pem


#8

This is enough for ejabberd:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem >> /etc/ejabberd/ejabberd.pem


#9

For the record, with acme_tiny, what worked was

cat work/signed.crt secrets/domain.key work/chained.pem > /etc/ejabberd/ejabberd.pem
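The renewal script mentioned in #1 and the "key values mismatch" error from #5 both come down to the same thing: the key and the first certificate written into ejabberd.pem have to belong together. The following is an added example (not from any post in this thread or from the ejabberd project) that builds the bundle the way #6 to #8 describe and checks the key against the leaf certificate before installing it; the /etc/letsencrypt/live paths are the ones used above, while the function names and the temporary-file convention are assumptions of this example.

```shell
#!/bin/sh
# Added example: assemble /etc/ejabberd/ejabberd.pem from a Let's Encrypt live
# directory and refuse to install it unless the private key matches the leaf
# certificate (the "X509_check_private_key:key values mismatch" failure above).
# Function names and the .tmp convention are assumptions, not ejabberd's own.
set -eu

# Succeeds only if the public key in the first certificate of $2 equals the
# public key derived from the private key in $1 (works for RSA and EC keys).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Write key + fullchain to $3 as one PEM file, which is what ejabberd expects.
# The file is replaced atomically with mode 0600 instead of appended with >>,
# so a renewal never leaves a stale key or a duplicate chain in the bundle.
build_bundle() {
    key="$1"; chain="$2"; out="$3"
    if ! key_matches_cert "$key" "$chain"; then
        echo "key does not match certificate, not installing $out" >&2
        return 1
    fi
    tmp="$out.tmp"
    ( umask 077 && cat "$key" "$chain" > "$tmp" ) || return 1
    mv "$tmp" "$out"
}

# Number of PEM blocks of type $1 (e.g. CERTIFICATE or "PRIVATE KEY") in $2;
# useful to confirm the bundle holds exactly one key after a renewal.
count_blocks() {
    grep -Ec "^-----BEGIN ([A-Z]+ )?$1-----" "$2" || true
}

# Typical use from the cron job described in #1, with the thread's paths:
#   live=/etc/letsencrypt/live/domain.tld
#   build_bundle "$live/privkey.pem" "$live/fullchain.pem" \
#       /etc/ejabberd/ejabberd.pem && /sbin/ejabberdctl restart
```

Because the mismatch check runs before the move, a renewal that produced a key not matching the certificate leaves the previous working ejabberd.pem untouched.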