A few days ago I wrote an article about ejabberd 16 installation and basic configuration on CentOS 6.7, and I missed one part where I should wrote the configuration of SSL certificates. You’ll need that to encrypt your chat sessions.
This article has three parts:
- Part 1: Prepare SSL Certificate
- Part 2: Adjust Configuration
- Part 3: Reload Configuration
The goal is to get the installed ejabberd, preferably installed by following my ejabberd installation howto, to provide secure, encrypted, chat sessions.
Let’s just do it.
Part 1: Prepare SSL Certificate
In this article we will be using Self-Signed SSL Certificate.
First, you need to make sure that you have installed openssl:
openssl version
Next is to create a self-signed SSL certificate:
openssl req -new -x509 -newkey rsa:4096 -days 3650 -keyout privkey.pem -out server.pem
Please note that you need to answer the Common Name (CN) question with your configured domain on your ejabberd. One certificate for one domain only. Example, if your users XMPP/Jabber ID is username@textng.com then the Common Name should be textng.com
Continue making the certificate:
openssl rsa -in privkey.pem -out privkey.pem cat privkey.pem >> server.pem rm privkey.pem mv server.pem domain.pem ls -l domain.pem
Please note that at this point you’ll have a file called
domain.pem. That is the self-signed SSL certificate you have just created.
Rename the domain.pem file to something more informational, for example if your domain is textng.com then rename it to textngcom.pem.
Copy the file to ejabberd configuration directory. If you’re following my ejabberd installation howto then it should be copied to /usr/local/etc/ejabberd, on the same location with ejabberd.yml.
Rename domain.pem and copy to /usr/local/etc/ejabberd:
mv domain.pem textngcom.pem cp textngcom.pem /usr/local/etc/ejabberd ls -l /usr/local/etc/ejabberd
The self-signed SSL certificate has been prepared. You may add more certificates should you require to do so, for example if you have multiple domains managed by your ejabberd.
Part 2: Adjust Configuration
Open ejabberd.yml and look for LISTENING PORTS section:
vi /usr/local/etc/ejabberd/ejabberd.yml
Adjust certfile, starttls, starttls_required and protocol_options, remove the comment marks to enable it.
Example if you use textngcom.pem as the certificate:
certfile: "/usr/local/etc/ejabberd/textngcom.pem" starttls: true starttls_required: true protocol_options: - "no_sslv3" - "no_sslv2" - "no_tls1"
Please note that if you have multiple domains then just choose one certificate for now, preferably the certificate for your main domain. I explain how to override the
certfileper domain bases below.
Still editing ejabberd.yml, now look for S2S GLOBAL OPTIONS section.
Adjust s2s_use_starttls, s2s_certfile and s2s_protocol_options, remove the comment marks to enable it.
Example:
s2s_use_starttls: required s2s_certfile: "/usr/local/etc/ejabberd/textngcom.pem" s2s_protocol_options: - "no_sslv3" - "no_sslv2" - "no_tls1"
Last configuration, if you have multiple domains and you have prepared certificates for them then you need to add host_config options.
Add host_config options at the end of ejabberd.yml.
Example of adding host_config for domain textng.com and ngoprek.org:
host_config:
"textng.com":
domain_certfile: "/usr/local/etc/ejabberd/textngcom.pem"
"ngoprek.org":
domain_certfile: "/usr/local/etc/ejabberd/ngoprekorg.pem"
Part 3: Reload Configuration
Make sure to reload your configuration:
ejabberdctl reload_config
Please note that you should not see anything when reloading the configuration using above command, if you do then there must be error somewhere on
ejabberd.yml, you need to check the config again and try to reload_config too.
Test your configuration. Use a nice, good-looking, well-performed, Free and Open Source XMPP/Jabber client software which has everything from secure chat, off-the-record chat, group chat, file transfer, recording feature, like: ChatSecure.
That’s all.
My notebook 