EJABBERD SSL CERTIFICATE INSTALL

I will be keeping this post up to date to keep track on how to configure and maintain an ejabberd server working efficiently and secure. I strongly advise any reader to read carefully what is written here and not just copy-and-paste. My blog also contains a bunch of other posts regarding ejabberd that are worth

Installation and initial configuration

Download and install erlang (release numbers here may not be up to date):
~]$ cd tmp
tmp]$ wget
tmp]$ yum localinstall esl-erlang_17.1-1~centos~6_amd64.rpm

Alternatively add the erlang-solutions repo:
~]$ cd tmp
tmp]$ wget
tmp]$ rpm -Uvh
tmp]$ yum install esl-erlang

As for ejabberd, ProcessOne also provides a few precompiled installers, but when installed this way I was not able to make it run as an unprivileged user (no one should feel comfortable with having an internet exposed service running as root), so the only viable option here is to compile from source. Install the required dependencies, compile and install:
~]$ yum install gcc gcc-c++ expat-devel openssl-devel automake git libyaml
~]$ tar -xvf
~]$ cd ejabberd-xxx
ejabberd-xxx]$ ./configure --enable-user=ejabberd   # where `ejabberd` is the unprivileged user that will run the ejabberd
ejabberd-xxx]$ make && make install

Now ejabberd should be installed; if everything went well it is time to create a jabber user and grant him admin privileges:
~]$ ejabberdctl register admin domain.tld
~]$ vi /usr/local/etc/ejabberd/ejabberd.yml

Changes to the stock ejabberd.yml, of which only these diff fragments remain:
@@ -102,12 +103,11 @@ chains of certificates or certificate keys.
# route_subdomains: Delegate subdomains to other XMPP
+  - "/usr/local/etc/letsencrypt/live//*.pem"
# If your system provides only a single CA file (CentOS/FreeBSD):
# ca_file: "/etc/ssl/certs/ca-bundle.pem"
@@ -152,7 +161,7 @@ To enforce TLS encryption for client connections,
#' LISTENING
# use this instead of the "starttls" option:
@@ -265,7 +274,7 @@ Allowed values are: false, optional or required
# Stream
@@ -280,9 +289,9 @@ Preferred address families (which to try first) and connect timeout
# S2S whitelist or
@@ -477,9 +486,9 @@ The 'admin' ACL grants administrative privileges to XMPP accounts.
# You can put here as many accounts as you want.
@@ -705,7 +714,7 @@ A contact mail that the ACME Certificate Authority can contact in case of
+  - Blocked
# an authorization issue, such as a server-initiated certificate revocation.
# It is not mandatory to provide an email address but it is highly suggested.
The ACME Certificate Authority URL.
contact:
contact:

Replace domain.tld with a valid domain name and admin with a valid user. Also check that .pem files are following the same naming scheme and that all
The complete configuration file I use can be downloaded.

Securing the connection

The certificate will be used to encrypt server-to-server (s2s), client-to-server (c2s), ejabberd_http and HTTP File Upload connections. Create a self signed SSL certificate:
/]$ cd ejabberd
ejabberd]$ openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout ejabberd.pem -out ejabberd.pem
ejabberd]$ openssl dhparam -out dhparams.pem
ejabberd]$ chmod 600 ejabberd.pem dhparams.pem && chown ejabberd:ejabberd ejabberd.pem dhparams.pem

4096 might be overkill but better be on the safe side; SHA-2 is also used.

Alternatively a valid certificate issued by letsencrypt can be used; to do so create a single