A few days ago I wrote an article about ejabberd 16 installation and basic configuration on CentOS 6.7, and I missed one part where I should have written about the configuration of SSL certificates. You’ll need that to encrypt your chat sessions.
This article has three parts:
- Part 1: Prepare SSL Certificate
- Part 2: Adjust Configuration
- Part 3: Reload Configuration
The goal is to get the installed ejabberd, preferably installed by following my ejabberd installation howto, to provide secure, encrypted chat sessions.
Let’s just do it.
Part 1: Prepare SSL Certificate
In this article we will be using a self-signed SSL certificate. Because no certificate authority vouches for it, clients will show a warning the first time they see it; that is expected for a self-signed certificate.
First, make sure that you have openssl installed:
[code lang=”text”]
openssl version
[/code]
Next is to create a self-signed SSL certificate:
[code lang=”text”]
openssl req -new -x509 -newkey rsa:4096 -days 3650 -keyout privkey.pem -out server.pem
[/code]
Please note that you need to answer the Common Name (CN) question with the domain configured on your ejabberd. One certificate serves one domain only. For example, if your users’ XMPP/Jabber IDs look like username@textng.com, then the Common Name should be textng.com.
Continue making the certificate:
[code lang=”text”]
# strip the passphrase from the key so ejabberd can load it unattended
openssl rsa -in privkey.pem -out privkey.pem
# ejabberd expects the certificate and the key in one PEM file
cat privkey.pem >> server.pem
rm privkey.pem
mv server.pem domain.pem
ls -l domain.pem
[/code]
Please note that at this point you’ll have a file called domain.pem. That is the self-signed SSL certificate you have just created, with the unencrypted private key appended, so keep it readable only by the user ejabberd runs as.
Rename the domain.pem file to something more informative; for example, if your domain is textng.com then rename it to textngcom.pem.
Copy the file to the ejabberd configuration directory. If you’re following my ejabberd installation howto then it should be copied to /usr/local/etc/ejabberd, the same location as ejabberd.yml.
Rename domain.pem and copy it to /usr/local/etc/ejabberd:
[code lang=”text”]
mv domain.pem textngcom.pem
cp textngcom.pem /usr/local/etc/ejabberd
ls -l /usr/local/etc/ejabberd
[/code]
The self-signed SSL certificate has been prepared. You may add more certificates if you need to, for example if your ejabberd manages multiple domains.
Part 2: Adjust Configuration
Open ejabberd.yml and look for the LISTENING PORTS section:
[code lang=”text”]
vi /usr/local/etc/ejabberd/ejabberd.yml
[/code]
Under the port 5222 (ejabberd_c2s) listener, adjust certfile, starttls, starttls_required and protocol_options, removing the comment marks to enable them. For example, if you use textngcom.pem as the certificate:
[code lang=”css”]
certfile: "/usr/local/etc/ejabberd/textngcom.pem"
starttls: true
starttls_required: true
protocol_options:
  - "no_sslv3"
  - "no_sslv2"
  - "no_tls1"
[/code]
Please note that if you have multiple domains, just choose one certificate for now, preferably the one for your main domain. I explain below how to override certfile on a per-domain basis.
Still editing ejabberd.yml, now look for the S2S GLOBAL OPTIONS section. Adjust s2s_use_starttls, s2s_certfile and s2s_protocol_options, removing the comment marks to enable them. Example:
[code lang=”css”]
s2s_use_starttls: required
s2s_certfile: "/usr/local/etc/ejabberd/textngcom.pem"
s2s_protocol_options:
  - "no_sslv3"
  - "no_sslv2"
  - "no_tls1"
[/code]
Last configuration: if you have multiple domains and you have prepared certificates for them, then you need to add host_config options. Add host_config at the end of ejabberd.yml. Example of adding host_config for the domains textng.com and ngoprek.org:
[code lang=”css”]
host_config:
  "textng.com":
    domain_certfile: "/usr/local/etc/ejabberd/textngcom.pem"
  "ngoprek.org":
    domain_certfile: "/usr/local/etc/ejabberd/ngoprekorg.pem"
[/code]
Part 3: Reload Configuration
Make sure to reload your configuration:
[code lang=”text”]
ejabberdctl reload_config
[/code]
Please note that you should not see any output when reloading the configuration with the command above. If you do, there must be an error somewhere in ejabberd.yml; check the config again and run reload_config again.
Test your configuration. Use a nice, good-looking, well-performing, Free and Open Source XMPP/Jabber client which has everything from secure chat, off-the-record chat, group chat and file transfer to a recording feature, like ChatSecure.
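To verify the result from outside as well, here is an added check script (my own, not from the original post or the ejabberd project) that opens an XMPP stream to the c2s port, confirms that STARTTLS is advertised and marked required, then completes the TLS handshake trusting only the certificate block of your combined PEM file, so a Common Name that does not match the domain shows up as a handshake error. The host, the domain and the PEM path are whatever you used above; the script uses only the Python standard library.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def parse_features(buf: str) -> tuple:
    """Return (starttls_offered, starttls_required) from raw server output."""
    start, end = buf.find("<stream:features"), buf.find("</stream:features>")
    if start < 0 or end < 0:
        raise ValueError("no <stream:features> in server output")
    # the stream: prefix is declared on the unclosed <stream:stream> tag, so re-wrap the fragment
    frag = buf[start:end + len("</stream:features>")]
    root = ET.fromstring(f'<stream:stream xmlns:stream="{STREAM_NS}">{frag}</stream:stream>')
    el = root.find(f"{{{STREAM_NS}}}features/{{{TLS_NS}}}starttls")
    return (el is not None, el is not None and el.find(f"{{{TLS_NS}}}required") is not None)


def certificate_block(pem_text: str) -> str:
    """Cut the CERTIFICATE block out of the combined cert+key file (domain.pem above)."""
    tail = "-----END CERTIFICATE-----"
    start = pem_text.index("-----BEGIN CERTIFICATE-----")  # ValueError if the file has no cert
    return pem_text[start:pem_text.index(tail, start) + len(tail)] + "\n"


def recv_until(sock, marker: bytes) -> str:
    buf = b""
    while marker not in buf and len(buf) < 65536 and (chunk := sock.recv(4096)):
        buf += chunk
    return buf.decode(errors="replace")


def check_starttls(host: str, domain: str, pem_path: str, port: int = 5222) -> dict:
    """Open a c2s stream, ask for STARTTLS, then handshake trusting only our own cert."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check against CN/SAN
    ctx.load_verify_locations(cadata=certificate_block(open(pem_path).read()))
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(f"<?xml version='1.0'?><stream:stream to='{domain}' xmlns='jabber:client' "
                     f"xmlns:stream='{STREAM_NS}' version='1.0'>".encode())
        offered, required = parse_features(recv_until(sock, b"</stream:features>"))
        report = {"starttls_offered": offered, "starttls_required": required}
        if offered:
            sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
            if "<proceed" not in recv_until(sock, b"/>"):
                raise RuntimeError("server refused STARTTLS")
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                report["tls_version"] = tls.version()  # handshake fails first on a CN mismatch
    return report
```

Call check_starttls("127.0.0.1", "textng.com", "/usr/local/etc/ejabberd/textngcom.pem") on the server; with the options above you expect starttls_required to be True and tls_version to show no SSLv3 or TLS 1.0.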
That’s all.