User:MalakymR/Drafts/Prosody

Work notes for net-im/prosody

emerge --ask prosody #uses flat files by default so no need for sqlite, and libevent not required for small servers

nano /etc/jabber/prosody.cfg.lua

/etc/init.d/prosody start

rc-update add prosody default

SRV records (lookup test, mxtoolbox or alt)

nslookup -type=SRV _xmpp-client._tcp.yourdomain.tld #query the service name, not server.yourdomain.tld; the answer should point at server.yourdomain.tld

prosodyctl adduser username@domain.tld

Enter new password:

Retype new password:

Conversations - incompatible server (client likely requires ssl - not many options to configure client)

xmpp-irssi - failed (doesn't support SRV - need to manually specify host, untested)

xabber - works - causes a lot of errors on server logs

May 21 13:06:27 yourhostname prosody[18824]: c2s237a2a0: Received[c2s]: 

May 21 13:06:27 yourhostname prosody[18824]: datamanager: Assuming empty vcard storage ('cannot open /var/spool/jabber/yourdomain%2etld/vcard/username.dat: No such file or directory') for user: username@yourdomain.tld

May 21 13:06:27 yourhostname prosody[18824]: c2s237a2a0: Received[c2s]: 

(to look at - messages eventually stop)

mkdir /var/spool/jabber/yourdomain%2etld/vcard/

chown -R jabber:jabber /var/spool/jabber/yourdomain%2etld/vcard/

doesn't seem to work (new messages every new account - 1500 * 3 lines)

mkdir /var/spool/jabber/yourdomain%2etld/offline/

chown -R jabber:jabber /var/spool/jabber/yourdomain%2etld/offline/

same does not clear the username.list error

prosodyctl adduser username2 (confirmed working)

-LetsEncrypt/certbot for ssl: c2s first, then s2s

emerge --ask app-crypt/certbot #unmask ~amd64 for various packages

LE doesn't have a plugin to handle the certificates directly like it does with apache/nginx (yet... if someone writes one?)

1) standalone + http: hosts its own webserver on 443 (or 80) for machines without a webserver (likely if your server is used for prosody only)

2) manual + dns: to automate this you would need access to your DNS records on a nameserver, which isn't often the case (i.e. they usually sit with your domain registrar); automation is not assumed, so a hook is needed to push the TXT record before resuming

3) webroot (http): if you already have a webserver running, this will simply use a folder under your current document root to generate the request - usually .well-known/acme-challenge/your-generated-key

-your firewall/port redirection needs to be set for your public IP
 * 1) Standalone + HTTP(80)

(since we only have 5 requests every 7 days - we should ideally set up the automated config to pick the options first)

yourhostname ~ # certbot certonly --standalone --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):youremail@address.tld
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

---
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory
---
(A)gree/(C)ancel: A

---
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights.
---
(Y)es/(N)o: N
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel):yourhostname.yourdomainname.tld
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourhostname.yourdomainname.tld
Waiting for verification...

Exception happened during processing of request from (' ', 16436)
Traceback (most recent call last):
  File "/usr/lib64/python3.4/socketserver.py", line 305, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib64/python3.4/socketserver.py", line 331, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib64/python3.4/socketserver.py", line 344, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib64/python3.4/site-packages/acme/standalone.py", line 96, in __init__
    socketserver.BaseRequestHandler.__init__(self, *args, **kwargs)
  File "/usr/lib64/python3.4/socketserver.py", line 673, in __init__
    self.handle
  File "/usr/lib64/python3.4/site-packages/acme/standalone.py", line 105, in handle
    BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
  File "/usr/lib64/python3.4/http/server.py", line 401, in handle
    self.handle_one_request
  File "/usr/lib64/python3.4/http/server.py", line 371, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/usr/lib64/python3.4/socket.py", line 378, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer

Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yourhostname.yourdomainname.tld/fullchain.pem. Your cert
   will expire on 2017-08-19. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this folder
   now. This configuration directory will also contain certificates and private
   keys obtained by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

cd /etc/letsencrypt/live/yourhostname.yourdomainname.tld/

ls -lha #symlinks to /etc/letsencrypt/archive/yourhostname.yourdomainname.tld/

--allow prosody to access these certs

chgrp -R ssl-cert /etc/letsencrypt

chmod -R g=rX /etc/letsencrypt
 * add jabber user to ssl-cert group (that we create)

"The official Let's Encrypt client includes the certificate and intermediate in the fullchain.pem file, so you should configure Prosody to use this as certificate." https://freevps.us/printthread.php?tid=18608

other workaround: https://balaskas.gr/blog/2016/03/22/lets-encrypt-on-prosody-enable-forward-secrecy/

VirtualHost "balaskas.gr"

ssl = {
    key = "/etc/letsencrypt/live/balaskas.gr/privkey.pem";
    certificate = "/etc/letsencrypt/live/balaskas.gr/fullchain.pem";
    cafile = "/etc/pki/tls/certs/ca-bundle.crt";

    -- enable strong encryption (Prosody's config is Lua, so comments use "--")
    ciphers = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";
    dhparam = "/etc/pki/tls/dh-2048.pem";
}

READ: https://prosody.im/doc/certificates The certbot (formerly "official") Let's Encrypt client includes the certificate and intermediate in the fullchain.pem file, so you should configure Prosody to use this as certificate.

ssl = {
    certificate = "/etc/letsencrypt/live/example.com/fullchain.pem";
    -- Note: Only readable by root by default
    key = "/etc/letsencrypt/live/example.com/privkey.pem";
}

sudo chmod 600 /path/to/certificate.key

sudo chown jabber:jabber /path/to/certificate.key

sudo -u jabber cat /path/to/certificate.key # Should succeed

sudo -u nobody cat /path/to/certificate.key # Should fail
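A small check script for the two things the notes above care about (fullchain.pem actually containing the intermediate, and privkey.pem not being world-readable once it is handed to the jabber user or the ssl-cert group). This is an added example, not from the original notes, Prosody or certbot; it assumes GNU stat and the certbot /etc/letsencrypt/live/<host>/ layout.

```shell
#!/bin/sh
# Added check (not from the original notes or from Prosody/certbot).
# Verifies that the Let's Encrypt files Prosody is configured to load are
# usable: fullchain.pem carries leaf + intermediate (s2s peers need the
# chain to validate), and privkey.pem is not readable by "other".
# Assumes GNU stat and the certbot layout /etc/letsencrypt/live/<host>/;
# live/ files are symlinks into archive/, so the symlink target is checked.

# check_le_files LIVE_DIR -> 0 if both checks pass, 1 otherwise (warnings on stderr)
check_le_files() {
    live="$1"
    chain="$live/fullchain.pem"
    key="$live/privkey.pem"
    rc=0

    # fullchain.pem should hold at least two certificates: the server
    # certificate followed by the issuing intermediate.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null)
    if [ "${n:-0}" -lt 2 ]; then
        echo "WARN: $chain holds ${n:-0} certificate(s); expected leaf + intermediate" >&2
        rc=1
    fi

    # The key may be readable by root and the service user/group
    # (chmod 600 + chown jabber, or chgrp ssl-cert + g=r), never by "other".
    mode=$(stat -L -c '%a' "$key" 2>/dev/null)
    if [ -z "$mode" ]; then
        echo "WARN: cannot stat $key" >&2
        rc=1
    else
        case "$mode" in
            *[4567]) echo "WARN: $key is world-readable (mode $mode)" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Stand-alone usage: sh check_le.sh /etc/letsencrypt/live/yourhostname.yourdomainname.tld
if [ "$#" -gt 0 ]; then
    check_le_files "$1"
fi
```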

TODO

-LetsEncrypt (generally required for S2S) cert for non-root applications - https://community.letsencrypt.org/t/how-to-use-certs-in-non-root-services/2690

-S2S (separate SRV record required)

nslookup -type=SRV _xmpp-server._tcp.yourdomain.tld

-SOCKS5 bytestream (conversations doesn't seem to support this)

-Client software (web based, irssi-xmpp, conversations, pidgin - SRV support check)

-sqlite/mysql etc (flat files by default)

-libevent (not really required for smaller servers)

-in-band registration and admin notifications

-service as non-root user (should be jabber:jabber, just need to confirm)

-allow s2s with servers that won't encrypt (gmail, openfire) https://modules.prosody.im/mod_s2s_never_encrypt_blacklist.html