Ejabberd: Let's Encrypt certificate not working

Created on 1 Oct 2019 · 4 Comments · Source: processone/ejabberd

Environment

  • ejabberd version: 19.05
  • Erlang version: erl 21
  • OS: Linux (Ubuntu)
  • Installed from: source

Bug description

I have created a Let's Encrypt certificate for my domain and I added it in ejabberd.yml

certfiles:
  - "/opt/ejabberd/certs/privkey.pem"
  - "/opt/ejabberd/certs/fullchain.pem"

but when I set the encryption connection to "always" in the Psi+ XMPP client I got this error: The server does not support TLS encryption.

Logs

2019-10-01 08:02:04.598 [info] <0.1268.0>@ejabberd_listener:accept:245 (<0.1432.0>) Accepted connection ::ffff:10.10.1.58:51458 -> ::ffff:192.168.0.104:5232
2019-10-01 08:02:04.618 [info] <0.1432.0> (tcp|<0.1432.0>) Received XML on stream = <<"<?xml version=\"1.0\"?>\n<stream:stream xmlns:stream=\"http://etherx.jabber.org/streams\" version=\"1.0\" to=\"example\" xmlns=\"jabber:client\" xml:lang=\"en\" xmlns:xml=\"http://www.w3.org/XML/1998/namespace\">\n">>
2019-10-01 08:02:04.690 [info] <0.1432.0> (tcp|<0.1432.0>) Send XML on stream = <<"<?xml version='1.0'?><stream:stream id='4635024216202823454' version='1.0' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='example' xmlns='jabber:client'>">>
2019-10-01 08:02:04.711 [info] <0.1432.0> (tcp|<0.1432.0>) Send XML on stream = <<"<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>SCRAM-SHA-1</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms><register xmlns='http://jabber.org/features/iq-register'/></stream:features>">>
2019-10-01 08:02:04.727 [info] <0.1432.0> (tcp|<0.1432.0>) Send XML on stream = <<"</stream:stream>">>
Question


All 4 comments

1) Disable debug mode, restart ejabberd and grep warning ejabberd.log. You'll find the explanation why your certificates are not loaded.
2) Make sure starttls is set to true in listen section for module ejabberd_c2s.
3) Consider upgrading to 19.09 and use ACME to obtain certificates automatically.

Thanks for the quick reply. The starttls line in my config was commented; now it's working with Let's Encrypt. But
I bought a new SSL certificate for my domain and these are the files.
Example domains: test.example.com, mix.test.example.com, pubsub.test.example.com

AddTrustExternalCARoot.crt
My_CA_Bundle.ca-bundle
privkey.pem
SectigoRSADomainValidationSecureServerCA.crt
STAR_example_com.crt
USERTrustRSAAddTrustCA.crt

I tried to create a pem file using two methods

cat privkey.pem STAR_contus_us.crt My_CA_Bundle.ca-bundle > ejabberd.pem
and
cat privkey.pem STAR_contus_us.crt SectigoRSADomainValidationSecureServerCA.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt > ejabberd.pem

but neither is working. Any help?
YAML conf:

certfiles:
  - "/opt/ejabberd/certs/ejabberd.pem"

Logs
2019-10-01 08:49:43.598 [info] <0.103.0>@ejabberd_cluster_mnesia:wait_for_sync:123 Waiting for Mnesia synchronization to complete
2019-10-01 08:49:43.709 [error] <0.308.0>@ejabberd_pkix:log_errors:405 Failed to read PEM file /opt/ejabberd/certs/live/ejabberd.pem: at line 65: no matching private key found for this certificate
2019-10-01 08:49:43.709 [warning] <0.308.0>@ejabberd_pkix:log_warnings:397 Invalid certificate in /opt/ejabberd/certs/live/ejabberd.pem: at line 1: unused private key
2019-10-01 08:49:43.709 [critical] <0.308.0>@ejabberd_pkix:stop_ejabberd:356 ejabberd initialization was aborted due to invalid certificates configuration

Probably related to https://github.com/processone/ejabberd/issues/2850#issuecomment-479948860 (I don't remember in which ejabberd version it was fixed).
If this doesn't help, then the private keys indeed don't match. Try without concatenation: just list all your files under the certfiles section; ejabberd will sort this out automatically.

Thanks for the support. I have updated the pkix lib to the latest version in ejabberd 19.05 and updated the certificate file.

This is the PEM file order which works for me:
cat privkey.pem STAR_example.com.crt My_CA_Bundle.ca-bundle > ejabberd.pem
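The "no matching private key found for this certificate" / "unused private key" errors above come from ejabberd_pkix refusing a bundle whose key and leaf certificate do not belong together. The following check, an added example that is not code from the ejabberd project or from this thread, compares the public key derived from the private key with the one embedded in the certificate before building the bundle in the order that worked above; it assumes openssl is installed and uses placeholder file names.

```shell
#!/bin/sh
# Added example (not from ejabberd): verify a key/leaf pair and the chain before
# concatenating them into the ejabberd.pem that ejabberd_pkix will load.
# Assumes openssl is on PATH; all file names are placeholders passed by the caller.

# Public key (SPKI PEM) derived from a private key file; works for RSA and EC,
# PKCS#1 ("BEGIN RSA PRIVATE KEY") and PKCS#8 ("BEGIN PRIVATE KEY") alike.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key (SPKI PEM) embedded in the first certificate found in a PEM file.
pubkey_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Return 0 when the key and the certificate carry the same public key, 1 otherwise.
# This is exactly the condition ejabberd_pkix checks when pairing keys to certificates.
key_matches_cert() {
    key_pub=$(pubkey_from_key "$1") || return 1
    cert_pub=$(pubkey_from_cert "$2") || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Build "$4" as key + leaf + CA bundle (the order from the thread), but only once the
# key/leaf pair is verified; then check that the leaf validates against the bundle.
build_bundle() {
    key=$1; leaf=$2; chain=$3; out=$4
    if ! key_matches_cert "$key" "$leaf"; then
        echo "refusing to build $out: $key does not match $leaf" >&2
        return 1
    fi
    cat "$key" "$leaf" "$chain" > "$out" || return 1
    openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1
}

# Usage: ./check_bundle.sh privkey.pem STAR_example_com.crt My_CA_Bundle.ca-bundle ejabberd.pem
if [ "$#" -ge 4 ]; then
    build_bundle "$1" "$2" "$3" "$4"
fi
```

If the key check fails, no file is written, so a stale but valid ejabberd.pem is never overwritten by a broken one.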
