ejabberd icon indicating copy to clipboard operation
ejabberd copied to clipboard

Published 20 hours ago verified publisher icon processone

Listeners should use global `certfiles`

Open licaon-kter opened this issue 4 years ago • 3 comments

I've setup certfiles

certfiles:
  - /usr/local/etc/ejabberd/certs/mydomain.tld.crt.pem
  - /usr/local/etc/ejabberd/certs/mydomain.tld.key.pem

...and XMPP works, multiple hosts and all that.

But now we have the A/V craze so I have to have a TURN server too.

And that works fine, 3478 at least, aka non-TLS.

So I need to setup turns then.

  -
    port: 5349
    use_turn: true
    turn_min_port: 60000
    turn_max_port: 65000
    turn_ip: MY.EXTE.RNAL.IP
    tls: true
    certfile: /usr/local/etc/ejabberd/certs/mydomain.tld.crt.pem
    module: ejabberd_stun

...but no? [error] <0.24037.0> CRASH REPORT Process <0.24037.0> with 0 neighbours exited with reason: <<"SSL_CTX_use_certificate_file failed: error:0909006C:PEM routines:get_name:no start line">> in p1_fsm:init_it/6 line 386

Oh, right, let me put the key too, another certfile line, yes, what? [error] <0.24045.0>@ejabberd_config:reload:116 Configuration reload aborted: Invalid value of option listen->11: Duplicated option: certfile

But then? How? I can't just concatenate the files, that would be silly...surely... hey it works... at least it starts.

Now the question in the subject, why do I need to specify a certfile here?

I'd guess that you don't know for what domain this TURN server is setup (reverse DNS via stun.turn SRV records, maybe?), then again the log makes it clear that some smart choices are already done in place: [info] <0.24025.0>@ejabberd_stun:prepare_turn_opts:127 You have several virtual hosts configured, but option 'auth_realm' is undefined and 'auth_type' is set to 'user', so the TURN relay might not be working properly. Using mydomain.tld as a fallback so no need to specify a certain cert here, you can use auth_realm and extract the proper cert from the global one, right?

/LE: Testing a bit more and indeed, as @weiss points out global ones are used IF one does not specify another here.

licaon-kter avatar May 08 '20 19:05 licaon-kter

https://github.com/processone/docs.ejabberd.im/pull/90 takes care of the lack of information that would have saved me a lot of time.

Now, that being clear, certfile still has a purpose then?

licaon-kter avatar May 08 '20 20:05 licaon-kter

The one problem I'm aware of is that while globally configured certificates do work initially for ejabberd_stun listeners, it falls apart once you renew the certificate(s). This is because ejabberd_stun hands over the certfile from ejabberd_pkix to the stun application on startup, but the stun application won't be notified of certfile changes on config-reload. (Maybe open a separate issue for this? And maybe SIP is affected as well?)

weiss avatar May 09 '20 12:05 weiss

Seems to be the case for ejabberd_sip as well.

edhelas avatar Nov 12 '22 16:11 edhelas