Tutorial on ejabberd, postfix, dovecot and/or nginx with letsencrypt


I assume you either run Nginx directly or use Nginx as a reverse proxy for Apache.

mkdir /usr/share/nginx/letsencrypt
mkdir /usr/share/nginx/letsencrypt/public_html

Server block for the domain(s) you want a cert for:
server {
    server_name domain.tld;

    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/letsencrypt/public_html;
    }
}

Then you can run: ./letsencrypt-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m postmaster@domain.tld --webroot -w /usr/share/nginx/letsencrypt/public_html/ -d domain.tld -d domain2.tld -d domain3.tld

You now have your certs.

ln -s /etc/letsencrypt/live/domain.tld/privkey.pem /etc/postfix/ssl.key
ln -s /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/postfix/ssl.cert
Edit both the Postfix and Dovecot configs so they point to that key and cert, then:
doveadm reload && /etc/init.d/postfix restart

Note: I made /etc/ejabberd/ca.crt by downloading the intermediate certificate from https://letsencrypt.org/certificates/, creating the file and pasting the certificate into it.
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/ejabberd/ca.crt > /etc/ejabberd/ejabberd.pem   # '>' not '>>': a renewal must replace the old key and cert, not append a second copy
/sbin/ejabberdctl restart

This also has to be done when you renew the certs. I made a script that renews the certs for the domains and the mail/chat services every 60 days with cron.

https://cyberguerrilla.info does not store IP addresses; we require https.
Cyberguerrilla Anonymous Nexus Autonomous tech collective uses mandatory encryption on every domain or sub-domain it hosts!
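An added renew hook, not from the thread or from any of the posters: it rebuilds ejabberd.pem in the key-then-fullchain order used in the tutorial, overwrites instead of appends, and checks that privkey.pem really belongs to the leaf certificate before touching the live file, which is the mismatch ejabberd reports as X509_check_private_key further down the thread. The live directory, the output path and the restart commands are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the combined PEM that ejabberd
# reads after every renewal, and refuse to install it when the private key
# does not belong to the certificate. Paths and restart commands are assumptions.
set -eu

LIVE="${LIVE:-/etc/letsencrypt/live/domain.tld}"   # assumed certbot live dir
OUT="${OUT:-/etc/ejabberd/ejabberd.pem}"            # assumed ejabberd cert file

# Derive the public key from the private key and compare it with the public
# key inside the first certificate of the chain (the leaf). Works for RSA and EC.
key_matches_cert() {   # usage: key_matches_cert privkey.pem fullchain.pem
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Write the key followed by the full chain into ONE file, replacing the old one.
# '>' matters: appending with '>>' on each renewal leaves the stale key and
# certificate first in the file, and OpenSSL uses the first key and the first
# certificate it finds, so ejabberd keeps serving the old (soon expired) cert.
build_ejabberd_pem() {   # usage: build_ejabberd_pem privkey.pem fullchain.pem out.pem
    umask 077                      # the file holds a private key
    cat "$1" "$2" > "$3.tmp"
    mv "$3.tmp" "$3"
}

install_and_reload() {
    key="$LIVE/privkey.pem"
    chain="$LIVE/fullchain.pem"
    if ! key_matches_cert "$key" "$chain"; then
        echo "refusing to install: $key does not match $chain" >&2
        return 1
    fi
    build_ejabberd_pem "$key" "$chain" "$OUT"
    # postfix/dovecot read the symlinks from the tutorial directly and only
    # need a reload; ejabberd reads its own combined file and needs a restart.
    /sbin/ejabberdctl restart
    /etc/init.d/postfix restart
    doveadm reload
}

if [ "${1:-}" = "run" ]; then
    install_and_reload
fi
```

Run it as the cron job or as the post-renewal hook of your renewal script; it exits non-zero, and leaves the old ejabberd.pem in place, whenever the key and certificate disagree.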



I am working on getting ejabberd to work with the certificate. Could you describe explicitly how you obtained “ca.crt”, since I did not find it on the referenced web page.

Thanks in advance.


You can download the CA from https://letsencrypt.org/certificates/: see the [txt] [pem] [der] links behind “Intermediate Certificates”. Make the ca.crt file and copy/paste the cert out of [txt], or download the [pem] and upload it to wherever you want it.

Then do:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/ejabberd/ca.crt > /etc/ejabberd/ejabberd.pem   # '>' so a renewal replaces the file instead of appending

Edit /etc/ejabberd/ejabberd.yml:

listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/ejabberd.pem"
    starttls_required: true
    protocol_options:
      - "no_sslv2"
      - "no_sslv3"
    ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5269
    module: ejabberd_s2s_in
  -
    port: 5280
    module: ejabberd_http
    web_admin: true
    http_bind: true
    register: true
    captcha: true
    certfile: "/etc/ejabberd/ejabberd.pem"
    tls: true

s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_protocol_options:
  - "no_sslv2"
  - "no_sslv3"
s2s_ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"

Save the config and restart ejabberd.


Thanks Doemela, this was very helpful.
The only hard-to-understand part was the “make the ca.crt” part. I copied https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt into /etc/ejabberd/ca.crt, then followed the cat command as given by you. Then I restarted the jabber service, the clients had to accept the new certificate, and it seems to work.

Is this what you meant? I.e. taking the text from the link and placing it in a file called ca.crt.

The link is the X3 [txt]


I use acme_tiny.py, so I do

cat secrets/domain.key work/chained.pem lets-encrypt-x1-cross-signed.pem > /etc/ejabberd/ejabberd.pem

and I am still stuck in the stone age, so my config is

  {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        {certfile, "/etc/ejabberd/ejabberd.pem"}
                       ]},

and I get

=ERROR REPORT==== 2016-04-16 00:33:31 ===
** State machine <0.644.0> terminating 
** Last event in was {xmlstreamelement,
** When State == wait_for_feature_request
**      Data  == {state,{socket_state,gen_tcp,#Port<0.3281>,<0.643.0>},
** Reason for termination = 
** {{badmatch,{error,"SSL_CTX_use_PrivateKey_file failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}},


The ca.crt is not needed any more:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem > /etc/ejabberd/ejabberd.pem


** {{badmatch,{error,"SSL_CTX_use_PrivateKey_file failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}},
Try it with this:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem > /etc/ejabberd/ejabberd.pem


This is enough for ejabberd:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem > /etc/ejabberd/ejabberd.pem


For the record, with acme_tiny, what worked was

cat work/signed.crt secrets/domain.key work/chained.pem > /etc/ejabberd/ejabberd.pem