Tutorial on ejabberd, postfix, dovecot and or nginx with letsencrypt

Doemela · December 18, 2015, 8:53pm

I assume you have either Nginx or use Nginx as a Reverse Proxy for Apache

Nginx:
mkdir /usr/share/nginx/letsencrypt
mkdir /usr/share/nginx/letsencrypt/public_html

Directive for domain('s) u want cert 4
server {
server_name domain.tld;
…
location /.well-known/acme-challenge/ {
root /usr/share/nginx/letsencrypt/public_html;
…
}
They u can do ./letsencrypt-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m postmaster@domain.tld --webroot -w /usr/share/nginx/letsencrypt/public_htm/ -d domain.tld -d domain2.tld -d domain3.tld

U now got ur certs

Dovecot/Postfix:
ln -s /etc/letsencrypt/live/domain.tld/privkey.pem /etc/postfix/ssl.key
ln -s /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/postfix/ssl.cert
edit both configs so they point to key and cert
doveadm reload && /etc/init.d/postfix restart

Ejabberd:
Note: /etc/ejabberd/ca.crt I made after dl it from https://letsencrypt.org/certificates/ made file and copy/paste it
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/ejabberd/ca.crt >> /etc/ejabberd/ejabberd.pem
/sbin/ejabberdctl restart

This is also done when u renew certs I made script that renews cert for domains and mail/chat services every 60day with Cron

–
https://cyberguerrilla.info does not store IP addresses, we require https.
Cyberguerrilla Anonymous Nexus Autonomous tech collective uses mandatory encryption on every domain or sub-domain it host!

pU0Dz · December 30, 2015, 3:23pm

Hey,

I am working on getting ejabberd work with the certificate. Could you explicitly describe, how you obtained “ca.crt”, since I did not find it on the referenced web page.

Thanks in advance.

Doemela · December 31, 2015, 12:48pm

The CA you can dl from https://letsencrypt.org/certificates/ see the [txt] [pem] [der] behind the “Intermediate Certificates” make the ca.crt and copy/paste the cert out of [txt] or dl the [pem] and upload it to where u want.

Then do:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/ejabberd/ca.crt >> /etc/ejabberd/ejabberd.pem

Edit /etc/ejabberd/ejabberd.yml
[SNIP]
listen:

port: 5222
module: ejabberd_c2s
certfile: "/etc/ejabberd/ejabberd.pem"
starttls_required: true
protocol_options:
   - "no_sslv2"    
   - "no_sslv3"
ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s

port: 5269
module: ejabberd_s2s_in
[SNIP]
port: 5280
module: ejabberd_http
web_admin: true
http_bind: true
register: true
captcha: true
certfile: "/etc/ejabberd/ejabberd.pem"
tls: true
[SNIP]
s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_protocol_options:
“no_sslv2”
“no_sslv3”

s2s_ciphers: “HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH”

[END EDIT] Save the conf and restart ejabberd

billium · April 15, 2016, 2:18pm

Thanks Doemela this was very helpful.
The only hard to understand part was the “make the ca.crt” part. I copied https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt into /etc/ejabberd/ca.crt, then followed the cat command as given by you. Then restarted the jabber service, then the clients had to accept the new certificate and it seems to work.

Is this what you meant? i.e. taking the text from the link and placing it in a filed called ca.crt.

The link is the X3 [txt]

randy · April 16, 2016, 12:40am

i use acme_tiny.py, so i do

cat secrets/domain.key work/chained.pem lets-encrypt-x1-cross-signed.pem > /etc/ejabberd/ejabberd.pem

and i am still stuck in the stone age, so my config is

  {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        %%zlib,
                        starttls_required,
                        {certfile, "/etc/ejabberd/ejabberd.pem"}
                       ]},

and i get

=ERROR REPORT==== 2016-04-16 00:33:31 ===
** State machine <0.644.0> terminating 
** Last event in was {xmlstreamelement,
                         {xmlelement,"starttls",
                             [{"xmlns","urn:ietf:params:xml:ns:xmpp-tls"}],
                             []}}
** When State == wait_for_feature_request
**      Data  == {state,{socket_state,gen_tcp,#Port<0.3281>,<0.643.0>},
                        ejabberd_socket,"3241108122",s2s_shaper,true,false,
                        false,false,
                        [{certfile,"/etc/ejabberd/ejabberd.pem"}],
                        "xmpp.rg.net",false,undefined,
                        {dict,0,16,16,8,80,48,
                              {[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
                               []},
                              {{[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
                                []}}},
                        #Ref<0.0.0.12069>}
** Reason for termination = 
** {{badmatch,{error,"SSL_CTX_use_PrivateKey_file failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"}},
    [{ejabberd_socket,starttls,3,[{file,"ejabberd_socket.erl"},{line,143}]},
     {ejabberd_s2s_in,wait_for_feature_request,2,
                      [{file,"ejabberd_s2s_in.erl"},{line,309}]},
     {p1_fsm,handle_msg,10,[{file,"p1_fsm.erl"},{line,544}]},
     {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}

Doemela · April 16, 2016, 12:47pm

The ca.crt is not needed any more:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem >> /etc/ejabberd/ejabberd.pem

Doemela · April 16, 2016, 12:50pm

** {{badmatch,{error,“SSL_CTX_use_PrivateKey_file failed: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch”}},
Try it with this
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem >> /etc/ejabberd/ejabberd.pem

Doemela · April 16, 2016, 12:54pm

Doemela:

The CA you can dl from Chain of Trust - Let's Encrypt see the [txt] [pem] [der] behind the "Intermediate Certificates" make the ca.crt and copy/paste the cert out of [txt] or dl the [pem] and upload it to where u want.

Then do:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem /etc/ejabberd/ca.crt >> /etc/ejabberd/ejabberd.pem

Edit /etc/ejabberd/ejabberd.yml
[SNIP]
listen:
port: 5222
module: ejabberd_c2s
certfile: "/etc/ejabberd/ejabberd.pem"
starttls_required: true
protocol_options:
   - "no_sslv2"    
   - "no_sslv3"
ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
port: 5269
module: ejabberd_s2s_in
[SNIP]

port: 5280
module: ejabberd_http
web_admin: true
http_bind: true
register: true
captcha: true
certfile: "/etc/ejabberd/ejabberd.pem"
tls: true
[SNIP]
s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_protocol_options:

"no_sslv2"

"no_sslv3"

s2s_ciphers: "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"

[END EDIT] Save the conf and restart ejabberd

This is enough for ejabberd:
cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem >> /etc/ejabberd/ejabberd.pem

randy · April 16, 2016, 8:54pm

for the record, with acme_tiny, what worked was

cat work/signed.crt secrets/domain.key work/chained.pem > /etc/ejabberd/ejabberd.pem

JuergenAuer · July 15, 2020, 11:22am

A post was merged into an existing topic: Ejjabberd + windows + letsencrypt certificate

Topic		Replies	Views
Lets Encrypt and reverse proxy Help	5	1412	May 3, 2018
How to migrate manually setup letsencrypt to either nginx or CNAME challenge? Server	2	2449	May 2, 2018
Using and Selecting LetsEncrypt Clients Help	7	1967	May 9, 2017
Coming from letsencrypt.sh and going to certbot Server	4	1975	October 21, 2016
Howto: easy cert generation and renewal with nginx Server	20	54465	November 22, 2018

Tutorial on ejabberd, postfix, dovecot and or nginx with letsencrypt

Edit /etc/ejabberd/ejabberd.yml [SNIP] listen:

Related topics

Edit /etc/ejabberd/ejabberd.yml
[SNIP]
listen: