Setting up XMPP

A little diversion. XMPP on hyperdata.it. I took lots of notes last time I set it up, hopefully won't take long.

First thing is to install ejabberd and set it up with certs & a handful of users. Then connect it to LDAP (already installed).

18:00

apt install ejabberd
...
root@hyperdata:~#  ejabberdctl start
ERROR: The ejabberd node 'ejabberd@localhost' is already running.

Ok...

nano /etc/ejabberd/ejabberd.yml
...
hosts:
  - localhost
  - hyperdata.it
...
ejabberdctl reload_config
ejabberdctl register admin hyperdata.it password
...
User admin@hyperdata.it successfully registered.

Apparently there should be an admin interface on https://hyperdata.it:5280/admin/ LetsEncrypt time.

service ejabberd stop
mv /etc/ejabberd/ejabberd.pem  /etc/ejabberd/ejabberd.pem.backup

//certbot certonly --webroot -w /etc/ejabberd -d hyperdata.it --force-renewal --rsa-key-size 4096
 certbot certonly -w /etc/ejabberd -d hyperdata.it
 ...
 says current cert is ok



ok, looks like I've set up DNS for `xmpp.hyperdata.it`

https://stackoverflow.com/questions/56335966/how-to-renew-lets-encrypt-certificate-in-ejabberd-configured-server

Hmm. not sure how to make certbot aware of xmpp.hyperdata.it except for adding

nano /etc/nginx/sites-available/xmpp.hyperdata.it.conf
...
server {
    server_name xmpp.hyperdata.it;

    location / {
        proxy_pass http://127.0.0.1:5280;
        proxy_set_header Host $host;
    }
    listen 80;
}
...
ln -s /etc/nginx/sites-available/xmpp.hyperdata.it.conf /etc/nginx/sites-enabled/xmpp.hyperdata.it.conf
systemctl restart nginx
certbot
...chose  xmpp.hyperdata.it
Successfully deployed certificate for xmpp.hyperdata.it

ufw disable

Hmm. Next...

cat /etc/letsencrypt/live/hyperdata.it/privkey.pem /etc/letsencrypt/live/xmpp.hyperdata.it/fullchain.pem > ejabberd.pem

https://hyperdata.it:5280/admin/

nano /etc/ejabberd/ejabberd.yml   (add xmpp.hyperdata.it)
ejabberdctl reload_config
ejabberdctl register admin hyperdata.it password

admin

alice bob canary danbri maxf

danja dogbot mari

19:00 - reboot, dogwalk

20:00 - back. ejabberd came back fine

Currently https://xmpp.hyperdata.it/ is giving me a 502 Bad Gateway (through nginx).

None of the likely HTTP endpoints work. nginx logs...

TODO /home/www/danny.ayers.name/robots.txt and .ico

TODO archive.org for "GET /wordpress/wp-content/uploads/2015/11/dscn6185.jpg HTTP/1.1", host: "hyperdata.it"

Before I forget - ufw firewall open for whatever XMPP uses

https://stackoverflow.com/questions/3452161/which-ports-does-xmpp-use

ufw allow 5222
ufw allow 5269
ufw enable
ufw status

Eyeball config :

nano /etc/ejabberd/ejabberd.yml

onto : /var/log/ejabberd

both ejabberd.log and error.log say it's not seeing the certfile. Path or permissions?
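A check worth running before pointing ejabberd at a hand-built ejabberd.pem (added here, not part of the notes or of ejabberd/certbot). Note that the `cat` earlier pairs privkey.pem from the hyperdata.it lineage with fullchain.pem from the xmpp.hyperdata.it lineage; certbot normally generates a separate key per cert-name, so that file would hold a key that does not match its certificate, which is one way to get "can't read certfile"-style errors alongside plain path or permission problems. The script below needs openssl(1); the file paths in the usage comment are the ones from these notes.

```shell
#!/bin/sh
# pem_check.sh: sanity-check a combined PEM before listing it under ejabberd's
# `certfiles:`. Added example for these notes, not ejabberd/certbot tooling.
# Needs openssl(1). Checks: key and leaf cert match, file not world-readable,
# and which names the cert actually covers.

# Return 0 if the private key in $1 matches the first certificate in $1.
# openssl skips PEM blocks of the wrong type, so key/cert order doesn't matter.
pem_key_matches_cert() {
    pem="$1"
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 2    # no key found
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 3  # no cert found
    [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if "other" has no read bit: the file carries a private key, so it
# should be 0640 (or tighter) with the group set so the ejabberd user can read it.
pem_not_world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")  # GNU / BSD stat
    other=$(printf '%s' "$mode" | tail -c 1)
    [ $((other & 4)) -eq 0 ]
}

# Print the names the leaf cert covers; ejabberd wants the XMPP domain plus the
# conference/pubsub/upload/proxy hosts covered here, or a separate cert per host.
pem_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null
}

# Run all checks; exit status 1 on a hard failure (mismatch), 0 otherwise.
check_ejabberd_pem() {
    pem="$1"
    if pem_key_matches_cert "$pem"; then
        echo "OK   key matches leaf certificate: $pem"
    else
        echo "FAIL key/cert mismatch or key/cert block missing: $pem" >&2
        return 1
    fi
    if pem_not_world_readable "$pem"; then
        echo "OK   not world-readable"
    else
        echo "WARN world-readable; the private key is exposed to every local user" >&2
    fi
    pem_names "$pem" || echo "(could not list certificate names)" >&2
}

# Usage: sh pem_check.sh /etc/ejabberd/ejabberd.pem
if [ -n "${1:-}" ]; then
    check_ejabberd_pem "$1"
fi
```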

Check my notes...

THISSSSSSS certbot --key-type ecdsa --cert-name xmpp.hyperdata.it

Hmm. That looks like it's ok already.

certfiles:
  - "/etc/ejabberd/ejabberd.pem"
#  - /etc/letsencrypt/live/localhost/fullchain.pem
#  - /etc/letsencrypt/live/localhost/privkey.pem
---
adding

- /etc/letsencrypt/live/hyperdata.it/fullchain.pem
- /etc/letsencrypt/live/hyperdata.it/privkey.pem
- /etc/letsencrypt/live/xmpp.hyperdata.it/fullchain.pem
- /etc/letsencrypt/live/xmpp.hyperdata.it/privkey.pem
---
ejabberdctl reload_config

Hmm. Why is the first one in quotes?

https://docs.ejabberd.im/admin/configuration

ejabberdctl request-certificate all
Error: error
Error: "Challenge failed for domain conference.hyperdata.it: ACME server reported: 178.79.189.240: Invalid response from http://conference.hyperdata.it/.well-known/acme-challenge/Wy7YZJQD9wGdOLI9tyv2oKyTTktvnGtWVgIaEhd1qZg: 404 (error type: unauthorized)"

https://www.process-one.net/blog/ejabberd-xmpp-server-useful-configuration-steps/

suggests A records for :

  • conference
  • proxy
  • pubsub
  • upload

My DNS already has :

conference 10800 IN CNAME hyperdata.it.

etc.

I saw mention of chat somewhere too - might as well add that too.

It's poking at the filesystem, so I guess I should make dirs & nginx config for those.

root@hyperdata:/home/www# tree xmpp
xmpp
├── chat
├── conference
├── proxy
├── pubsub
└── upload

https://foaf-retro.hyperdata.it/

server {
    listen 80;
    server_name chat.hyperdata.it;

    # Hide nginx version
    server_tokens off;

    location / {
        root /home/www/xmpp/chat;
        index index.html index.htm index.ttl;
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name conference.hyperdata.it;

    # Hide nginx version
    server_tokens off;

    location / {
        root /home/www/xmpp/conference;
        index index.html index.htm index.ttl;
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name proxy.hyperdata.it;

    # Hide nginx version
    server_tokens off;

    location / {
        root /home/www/xmpp/proxy;
        index index.html index.htm index.ttl;
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    server_name pubsub.hyperdata.it;

    # Hide nginx version
    server_tokens off;

    location / {
        root /home/www/xmpp/pubsub;
        index index.html index.htm index.ttl;
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    server_name upload.hyperdata.it;

    # Hide nginx version
    server_tokens off;

    location / {
        root /home/www/xmpp/upload;
        index index.html index.htm index.ttl;
        try_files $uri $uri/ =404;
    }
}

While I'm here :

server {
    listen 80;
    server_name kia.hyperdata.it;

    # Hide nginx version
    server_tokens off;

    location / {
        root /home/www/kia;
        index index.html index.htm index.ttl;
        try_files $uri $uri/ =404;
    }
}

...
ln -s /etc/nginx/sites-available/kia.hyperdata.it.conf /etc/nginx/sites-enabled/kia.hyperdata.it.conf
nginx -t
systemctl restart nginx
certbot

KIA done.

Back to :

ejabberdctl request-certificate all

Grrr! Tucked away in the docs it says you have to turn off TLS first :

listen:
  -
    module: ejabberd_http
    port: 5280
    tls: false
    request_handlers:
      /.well-known/acme-challenge: ejabberd_acme
nano /etc/ejabberd/ejabberd.yml
ejabberdctl reload_config
ejabberdctl request-certificate all

Error: "ACME server reported: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/ (error type: rateLimited)"

certbot has a dry run option, does this?
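On my reading of the config above, the conference.hyperdata.it challenge got a 404 because the ACME server fetches http://conference.hyperdata.it/.well-known/acme-challenge/... on port 80, where nginx answers from the static root, while the ejabberd_acme handler only listens on 5280. Forwarding just that prefix to ejabberd lets HTTP-01 complete. This server block is an added example, not from the notes:

```nginx
# conference.hyperdata.it: static root as before, but HTTP-01 challenges go to
# ejabberd's ACME handler (ejabberd_http on 127.0.0.1:5280, tls: false,
# request_handlers /.well-known/acme-challenge: ejabberd_acme).
server {
    listen 80;
    server_name conference.hyperdata.it;

    # Hide nginx version
    server_tokens off;

    # Longest-prefix match wins, so this takes precedence over location /.
    # Host is preserved so ejabberd knows which domain's challenge is asked for.
    location /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:5280;
        proxy_set_header Host $host;
    }

    location / {
        root /home/www/xmpp/conference;
        index index.html index.htm index.ttl;
        try_files $uri $uri/ =404;
    }
}
```

The pubsub, upload, proxy and chat vhosts need the same acme-challenge location; xmpp.hyperdata.it already proxies everything to 5280. As for a dry run: ejabberd's `acme:` section has a `ca_url` option that can be pointed at Let's Encrypt's staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) while testing, so failed attempts don't count against the production rate limit.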

Ok, enough for today.

21:37

my hosts

root@hyperdata:/etc/nginx/sites-available# ls ../sites-enabled/
danny.ayers.name.conf         fuseki.conf            ps.hyperdata.it.conf  strandz.it.conf
elfquake.org.conf             hyperdata.it.conf      ps.strandz.it.conf    xmpp.hyperdata.it.conf
foaf-retro.hyperdata.it.conf  kia.hyperdata.it.conf  solid.conf
