Ejabberd with letsencrypt certificate - centos7

I'm trying to get Ejabberd to work with letsencrypt certificates on centos7.
I keep getting errors about the certificates not being signed by a known CA.
I have created the certificates with certbot, and I joined the privkey and fullchain files into a single file.
All c2s connections work fine, but s2s connections don't.
When starting Ejabberd I see the following relevant log entries:
[warning] <0.606.0>#ejabberd_pkix:check_ca_dir:386 CA directory /etc/ssl/certs doesn't contain hashed certificate files; configuring 'ca_path' option might help
[warning] <0.606.0>#ejabberd_pkix:mk_cert_state:240 certificate from /opt/ejabberd/conf/xxxx.pem is invalid: certificate is signed by unknown CA
Connections to, for example, draugr.de generate the following entries:
[info] <0.793.0>#ejabberd_s2s_in:handle_auth_failure:206 (tls|<0.792.0>) Failed inbound s2s EXTERNAL authentication draugr.de -> XXXXX.net (::FFFF:89.163.212.45): unable to get local issuer certificate
I hope someone can help me out, thanks!

[EDIT May 2020]
It looks like ejabberd now has automatic ACME support (meaning it can request the certificate on its own from letsencrypt). So what you read below is obsolete.
As of November 2018,
merely installing letsencrypt using certbot is enough (click here to see how). Ejabberd uses the provided certificates.
Note that you may need to register multiple subdomains for some strict Jabber clients to work properly:
conference.yourjabberdomain.com
pubsub.yourjabberdomain.com
upload.yourjabberdomain.com
yourjabberdomain.com
or install a wildcard certificate from letsencrypt:
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d *.yourjabberdomain.com
I think there is a rule in the ejabberd config file ejabberd.yml that allows this to happen:
certfiles:
  - "/etc/letsencrypt/live/*/*.pem"

I was able to solve it myself finally, but I am out of the office for the next few days and can't get you the exact configuration to solve it.
But if I recall correctly, I downloaded the CA bundle here https://curl.haxx.se/docs/caextract.html and there was some configuration parameter for ejabberd to use this CA bundle instead of the default one.
Hope it helps you.

If it is working for c2s and not working for s2s, then it looks like the s2s block in the configuration file is not updated with certfile. I believe you have something like this for c2s:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
Similarly, your s2s block should have:
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    starttls: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    max_stanza_size: 131072
    shaper: s2s_shaper
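The two warnings in the question come from two different trust checks: the "signed by unknown CA" line is ejabberd failing to chain the certificate in /opt/ejabberd/conf/xxxx.pem to a CA it trusts, and the inbound s2s "unable to get local issuer certificate" line is the remote server's certificate failing verification against that same trust store. The script below is an added example (not ejabberd's own tooling and not from either answer) that checks a combined PEM of the kind described in the question, privkey followed by fullchain, against a CA bundle such as the curl extract mentioned in the earlier answer or the distro's own bundle. It assumes openssl is on PATH; the live s2s probe at the end assumes OpenSSL 1.1.0 or later for `-starttls xmpp-server`, and the `ca_file` option name it refers to in a comment is taken from the ejabberd docs of that era, so check the option name for your version.

```sh
#!/bin/sh
# Added example (not ejabberd's own tooling): sanity-check the combined PEM ejabberd is
# given (private key + fullchain concatenated) and the CA bundle it should trust, which
# is the file you point ejabberd's ca_file option at (verify the option name for your
# ejabberd version). Assumes openssl is on PATH.
set -eu

# Keep only the CERTIFICATE blocks of a PEM file (drops the private key block).
certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ {p=1} p {print} /^-----END CERTIFICATE-----/ {p=0}' "$1"
}

# Number of certificates in a PEM file; a fullchain holds at least leaf + intermediate.
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# The private key in the bundle must belong to the first (leaf) certificate:
# derive the SubjectPublicKeyInfo from each and compare.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The leaf (first cert in $1) must chain to a CA in $2; the other certificates in $1
# are offered as untrusted intermediates, exactly as a peer would receive them.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Run all checks on BUNDLE CAFILE; returns non-zero on any failure.
check_bundle() {
    bundle=$1; cafile=$2; status=0
    certs=$(mktemp)
    certs_only "$bundle" > "$certs"
    n=$(cert_count "$certs")
    if [ "$n" -lt 2 ]; then
        echo "warn: $bundle holds $n certificate(s); a fullchain should include the intermediate" >&2
    fi
    if key_matches_cert "$bundle"; then
        echo "ok: private key matches the leaf certificate"
    else
        echo "FAIL: private key does not match the leaf certificate" >&2
        status=1
    fi
    if chain_verifies "$certs" "$cafile"; then
        echo "ok: leaf chains to a CA in $cafile"
    else
        echo "FAIL: leaf does not chain to $cafile (ejabberd logs this as 'signed by unknown CA')" >&2
        status=1
    fi
    rm -f "$certs"
    return "$status"
}

# Live check of the s2s listener: does port 5269 offer STARTTLS and present a chain that
# verifies against CAFILE? Prints the protocol and verify-result lines. Needs network
# access and OpenSSL 1.1.0+ for the xmpp-server STARTTLS profile.
s2s_probe() {
    host=$1; cafile=$2
    openssl s_client -connect "$host:5269" -starttls xmpp-server -xmpphost "$host" \
        -CAfile "$cafile" </dev/null 2>/dev/null | grep -E '^ *(Protocol|Verify return code)'
}

# Usage: ./check_bundle.sh /opt/ejabberd/conf/xxxx.pem /path/to/cacert.pem
if [ $# -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```

If `check_bundle` passes but inbound s2s still fails, the problem is on the verification of the remote side's chain, so run `s2s_probe` against your own host from outside and check the peer's domain the same way; both directions use the bundle you configured.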

Related

access django website hosted on home server from external IP - CONNECTION TIMEOUT

I am working on a Django project which I was able to access from an external network, but this has recently stopped working. I have tried troubleshooting the problem but I can't seem to figure out the issue.
Below are the steps I followed:
Public IP: 86.40.54.24
Private IP: 192.168.1.18
OS: Ubuntu 20.04
Router: EIR Network default router. Allows the required changes to forward requests
Add a routing rule in the router:
allow connections from any IP on port 80 to 192.168.1.18 on port 12987
setup rules in ufw to allow connections
ufw allow proto tcp from any to 192.168.1.18 port 12987
settings.py file
ALLOWED_HOSTS = ["*"]
run django development server
python3 manage.py runserver 0.0.0.0:12987
Note:
An approach (similar to the above) had worked for me and I was able to access my website from an external IP. But it suddenly stopped working, and I have not been able to identify the problem.
I have kept the restrictions to a bare minimum to be able to get this working once again. I will harden the server after the issue is identified and fixed.

Connecting to EC2 Windows host from Linux

When I use the recommended rdesktop to connect to a Windows EC2 host, I see this from Arch Linux:
$ rdesktop 54.254.180.73
ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);
1. Certificate issuer is not trusted by this system.
Issuer: CN=EC2AMAZ-I5MV8JK
Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:
Subject: CN=EC2AMAZ-I5MV8JK
Issuer: CN=EC2AMAZ-I5MV8JK
Valid From: Thu Mar 5 16:06:01 2020
To: Fri Sep 4 16:06:01 2020
Certificate fingerprints:
sha1: 98f1e92f9b9a3b57f4b2a23177f1bbe1a9afeb2c
sha256: 8e9f1a2e5497c972b56b8300f6e2ec3f59c8903103984cb5456a237c9a7b2d45
Do you trust this certificate (yes/no)? yes
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Failed to connect, CredSSP required by server (check if server has disabled old TLS versions, if yes use -V option).
I'm not sure where to go from here, especially since rdesktop doesn't appear to be maintained.
Any tips to connect to a Windows host?
Instead of rdesktop, FreeRDP (A Remote Desktop Protocol Implementation) seems to better accommodate this "CredSSP required by server" issue:
xfreerdp /u:"Administrator" /v:ec2-3-1-49-118.ap-southeast-1.compute.amazonaws.com

mod_ssl does not seem to be enabled ElasticBeanStalk

I deployed a web app built with Laravel on Amazon's Elastic Beanstalk. After setup, I tried accessing the page but I got an HTTP 408 error. I set up the load balancer to listen on ports 80 and 443, and there is a certificate attached to port 443.
I accessed the log for and found this: mod_ssl does not seem to be enabled. I have tried searching for solutions but have yet to find anything similar.
Any help will do. Thanks
As far as enabling mod_ssl goes, you'll have to download the module and load it, as it doesn't come preinstalled on Amazon Linux. I add mod24_ssl in a config file under .ebextensions:
packages:
  yum:
    mod24_ssl: []
This should install mod_ssl.so under /etc/httpd/modules/, and IIRC there should be an existing file /etc/httpd/conf.modules.d/00-ssl.conf that runs LoadModule ssl_module modules/mod_ssl.so
Not sure if mod_ssl is the root cause of your issue, but this will load mod_ssl at least. I actually had different issues with HTTP 408s before (not from production traffic, but apparently from unused connections the load balancer keeps open), and it resolved itself by updating the Apache server based on advice from here: https://forums.aws.amazon.com/thread.jspa?messageID=307846

Generate and deploy certificate using: Letsencrypt + Docker + AWS

I'm trying to generate a certificate in my local (MacBook) environment which I can package in my Docker image and deploy into my AWS environment via Kubernetes.
I've scoured sources online for a solution to this but I'm unable to find the details I need.
From my macbook:
sudo certbot certonly -a standalone -d my.domain
Gives me this error:
Failed authorization procedure. my.domain (http-01): urn:acme:error:unauthorized ::
The client lacks sufficient authorization :: Invalid response from
http://my.domain/.well-known/acme-challenge/T8jtGQswRuMgHKIhGvb-
QD73kytTZnHfH5mK5lEZUJc: "{"timestamp":"2018-04-22T22:33:40.845+0000","status":404,
"error":"Not Found","message":"No message available","path":"/.well-kno"
Clearly, I need a way to prove that I own my own domain. How can I do this locally?
In order to verify ownership of the domain from your MacBook you have these two options, as stated in the certbot docs:
Use a DNS plugin - https://certbot.eff.org/docs/using.html#dns-plugins
Use the manual method - https://certbot.eff.org/docs/using.html#manual
While the standalone option does not require web server software, it does require that it is run on the target web server. It is therefore not what you need, and it will result in the failure reported in your question.
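What the manual DNS option asks of you, as an added example (not certbot's code and not from the answer above): certbot's `--manual` mode accepts a `--manual-auth-hook` script, which it runs with `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` in the environment. The hook has to publish the `_acme-challenge` TXT record and, importantly, return only once public resolvers can see it, otherwise Let's Encrypt queries too early and the authorization fails. The script below assumes `dig` is installed; `publish_txt` is a placeholder for your DNS provider's API call, and the resolver address and polling interval are assumptions you can override with `RESOLVER` and `POLL_SECONDS`.

```sh
#!/bin/sh
# Added example (not certbot's own code): a --manual-auth-hook for certbot's manual
# DNS-01 mode, the option that works from a laptop the domain does not point at.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before running this script.
# publish_txt is a placeholder for your DNS provider's API; dig must be installed.
set -eu

# Name of the TXT record ACME queries for DOMAIN.
acme_record_name() { printf '_acme-challenge.%s\n' "$1"; }

# Placeholder: replace with the call that creates TXT <record name> = TOKEN at your
# DNS provider. As written it only reports what it would do.
publish_txt() {
    echo "publish TXT $(acme_record_name "$1") \"$2\" via your DNS provider API" >&2
}

# TXT values currently visible for NAME at a public resolver (surrounding quotes stripped).
lookup_txt() { dig +short TXT "$1" "@${RESOLVER:-1.1.1.1}" | tr -d '"'; }

# Poll until TOKEN is among the TXT values for NAME, or give up after ATTEMPTS lookups.
# -F -x: the token is matched as a whole literal line, not as a regex.
wait_for_txt() {
    name=$1; token=$2; attempts=${3:-30}; i=0
    while [ "$i" -lt "$attempts" ]; do
        if lookup_txt "$name" | grep -qxF -- "$token"; then
            return 0
        fi
        i=$((i + 1))
        sleep "${POLL_SECONDS:-10}"
    done
    echo "gave up: $name does not show the token after $attempts lookups" >&2
    return 1
}

# Hook entry point. Typical invocation from the laptop:
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook /path/to/this.sh -d my.domain
# When run outside certbot (no CERTBOT_DOMAIN) the functions are just defined.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    publish_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    wait_for_txt "$(acme_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
fi
```

The resulting /etc/letsencrypt/live/my.domain/ files are what you then copy into the image; the hook approach also keeps renewal scriptable, whereas the interactive manual prompt does not.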

UniFi Controller issue with SSL from GoDaddy on EC2 instance

Scenario
I have AWS set up for a UniFi controller. I've been able to access it with https://myserverip:8443; I bypass "This connection is not secured" and use the controller normally.
Now I need to install an SSL certificate to get the hotspot payment system going.
I have a FQDN with GoDaddy, so I created a subdomain unifi.mydomain.com that points to the elastic IP, and I log on with https://unifi.mydomain.com:8443
I bought the SSL certificate from GoDaddy, added the subdomain to that certificate.
I log on to my AWS instance with SSH and generate my CSR with the following commands:
cd /usr/lib/unifi
sudo java -jar lib/ace.jar new_cert unifi.mydomain.dom "My Company Name" City State CC*
Then I do:
cd /var/lib/unifi
more unifi_certificate.csr.pem
Once I get that, I copy and paste it on GoDaddy, download the cert files, go back to AWS and copy the files with FileZilla to /usr/lib/unifi
Then I run the following command:
sudo java -jar lib/ace.jar import_cert unifi_mydomain_com.crt bundlecert.crt
They import correctly; I restart the unifi service and reboot the EC2 instance.
When I go to any of the above addresses I get the following:
This site can’t provide a secure connection ERR_SSL_PROTOCOL_ERROR
I've tried different browsers, incognito mode, VPN, etc. I believe it's just a matter of SSL or my server.
Check your system.properties, which sits in /var/lib/unifi/. Open the file with vim or your text editor of choice.
Have a look at your HTTPS options; the important ones are the ciphers and protocols.
The protocols you need are TLSv1 and potentially SSLv2Hello; there should be no other SSL protocols in there.
The ciphers you ideally want are TLS, so for example TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA
If you are having issues, throw them all in. CAUTION! Only use this in a demo/test environment.
unifi.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
Remember, once you have edited system.properties you need to restart the controller:
sudo service unifi restart
Lots of help on the UniFi pages:
UniFi - SSL Certificate Error
UniFi - Explaining the config.properties File
UniFi - system.properties File Explanation
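Two of the threads above end with a TLS endpoint you cannot see into: the UniFi controller that answers port 8443 with ERR_SSL_PROTOCOL_ERROR (which protocol versions does it still accept after the cipher and protocol edits?), and the RDP host whose self-signed certificate rdesktop asks you to trust on sight. The script below is an added example, written for this page rather than taken from rdesktop, FreeRDP, UniFi or any of the answers, that probes what a TLS port actually negotiates and canonicalises certificate fingerprints so the value a client shows can be compared with one obtained another way. It assumes openssl is on PATH. One caveat it encodes: RDP on 3389 begins with an X.224 connection request, not a TLS ClientHello, so `probe_versions` does not apply to it; for the RDP prompt, export the certificate's SHA-256 thumbprint on the Windows side (the EC2 console or a session on the instance) and feed it to `fingerprint_matches` together with the sha256 line rdesktop printed.

```sh
#!/bin/sh
# Added example (not from the answers, not rdesktop/FreeRDP/UniFi tooling): see what a
# TLS endpoint negotiates and compare certificate fingerprints across formats.
# Assumes openssl is on PATH. Not applicable to RDP's port 3389, which does not start
# with a TLS handshake; compare an out-of-band fingerprint there instead.
set -eu

# Reduce an `openssl s_client` transcript on stdin to one line:
# protocol=<version> cipher=<suite> verify=<X509 verify code; 0 means the chain verified>
summarise_handshake() {
    awk '
        /^ *Protocol *:/         { proto = $NF }
        /^ *Cipher *:/           { cipher = $NF }
        /^ *Verify return code:/ { code = $4 }
        END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, code }'
}

# Attempt one handshake with the version pinned (-tls1, -tls1_1, -tls1_2 or -tls1_3).
# Prints "refused" when the server rejects it, or when the local openssl will not offer
# that version (its security level / MinProtocol policy, or an old build without TLS 1.3).
probe_version() {
    host=$1; port=$2; flag=$3
    if out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>/dev/null); then
        printf '%s %s\n' "$flag" "$(printf '%s\n' "$out" | summarise_handshake)"
    else
        printf '%s refused\n' "$flag"
    fi
}

# Try every version, e.g. probe_versions unifi.mydomain.com 8443. A controller that
# refuses all four is not completing any TLS handshake, which is what the browser's
# ERR_SSL_PROTOCOL_ERROR means; one that only answers -tls1 has the protocol list cut
# down further than current browsers accept.
probe_versions() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_version "$1" "$2" "$flag"
    done
}

# Canonical form of a fingerprint read from stdin: lowercase hex, no colons or spaces,
# and any "sha256 Fingerprint=" style prefix removed.
normalise_fp() {
    sed 's/^.*=//' | tr -d ': \r\n' | tr 'A-F' 'a-f'
    echo
}

# SHA-256 fingerprint of the first certificate in a PEM file, canonical form.
cert_fingerprint_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | normalise_fp
}

# Compare the fingerprint a client displayed (rdesktop's sha256 line, a browser dialog)
# with one obtained out of band; both are canonicalised first so formats may differ.
fingerprint_matches() {
    a=$(printf '%s' "$1" | normalise_fp)
    b=$(printf '%s' "$2" | normalise_fp)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

For the UniFi case, run `probe_versions` before and after editing system.properties: the line that flips from "refused" to a protocol/cipher pair tells you which of the two settings was blocking the browser, without guessing from the error page.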